
List:       full-disclosure
Subject:    Re: [Full-Disclosure] Latest MS SQL Server vulnerabilities revealed.
From:       "Michael -" <michael () nix ! org>
Date:       2003-04-30 20:54:24


After reading your papers I must say it was quite interesting and it introduces quite a few new
ideas. However, most of them (at least in your paper found at
http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf ) base
themselves on the idea that you can perform an 'insert' with SQL injection. In my experience,
this is impossible most of the time due to the fact that MSSQL doesn't allow multiple statements
and that you can only add a union in the middle of an SQL statement that is usually part of a
web application.

Michael 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

