> From: "Kevin Spett" <kspettat_private>
> To: <PEN-TESTat_private>
> Date: Mon, 19 Nov 2001 17:56:06 -0800
>
> There's code like this in the web app:
>
> SQL_Query_String = "SELECT somefield FROM Users WHERE Username = '" & strUserName & "' AND Password = '" & strPassword & "'"
> strValue = SQL_Query(SQL_Query_String)
>
> [snip]

Hi, I'm a newbie in pen-testing. I read this article and I've found a link too. I've tried this method on my website, which had a URL like this: http://www.thesite.com/login.asp. I've checked out the error, so I've found how the username & password fields were written, so I've put ' or user like '% etc... and the site answered me with: "Wellcome operator". OK. But what I don't understand is how to take advantage of this attack for getting passwords or accounts or sensitive information. Can you give me some other information about it?

Thanks

.::SNHYPER::.
Security Team Milano

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
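The root cause in the quoted VBScript is that the username and password are spliced into the SQL text, so a quote character in the input rewrites the query's WHERE clause. The following is an added example, not code from the post or from any of the participants: it recreates that concatenation in Python against an in-memory SQLite table named Users (constructed sample rows, column names taken from the quoted query) and puts the parameterized form next to it, so the two can be compared on the same input. The fragment from the reply ("' or user like '%") is used as the password value, with the quoted query's column name Username in place of "user".

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the web app's Users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (somefield TEXT, Username TEXT, Password TEXT)")
    con.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [("operator", "operator", "hunter2"), ("guest", "guest", "letmein")],
    )
    con.commit()
    return con


def build_query_unsafe(username: str, password: str) -> str:
    """Mirror of the quoted VBScript: untrusted input becomes part of the SQL
    text, so a quote in the input changes the structure of the statement."""
    return (
        "SELECT somefield FROM Users WHERE Username = '" + username
        + "' AND Password = '" + password + "'"
    )


def login_unsafe(con: sqlite3.Connection, username: str, password: str) -> list:
    """Runs the concatenated query. Returns the matched somefield values."""
    rows = con.execute(build_query_unsafe(username, password)).fetchall()
    return sorted(r[0] for r in rows)


def login_safe(con: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: the SQL text is a constant and the values are bound as
    parameters, so the database never parses them as SQL."""
    rows = con.execute(
        "SELECT somefield FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    con = make_db()
    injected = "' or Username like '%"  # the fragment from the reply, in the password field
    # AND binds tighter than OR, so the concatenated query degenerates to
    # "(Username = 'anyone' AND Password = '') OR Username LIKE '%'", i.e. every row.
    print(build_query_unsafe("anyone", injected))
    print("concatenated :", login_unsafe(con, "anyone", injected))   # every user
    print("parameterized:", login_safe(con, "anyone", injected))     # nothing
    print("valid login  :", login_safe(con, "operator", "hunter2"))  # ['operator']
```

The concatenated version returns every row because the injected quote closes the Password literal and the rest of the input is read as SQL; the parameterized version returns nothing because the same bytes are compared, as data, against the stored password and no account has that password. The fix is to never build the statement from user input, not to filter quotes.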
This archive was generated by hypermail 2b30 : Thu Nov 22 2001 - 09:36:32 PST