Ulises,

    Yes, that's actually really interesting for us; but more
specifically to the sqlmap guys. w3af won't reinvent the wheel, sqlmap
is really good at what it does, it's actively developed and supported
by Bernardo Damele and we'll rely on that project for our SQL
injections.

On Fri, Feb 6, 2009 at 3:04 PM, Ulises2k <ulise...@gmail.com> wrote:
> Is interesting for w3af.  ;)
>
>
>
> --
> Ulises U. Cuñé
> Web: http://www.ulises2k.com.ar
>
>
> ---------- Forwarded message ----------
> From: Daniel Kachakil <d...@kachakil.com>
> Date: Fri, Feb 6, 2009 at 10:10
> Subject: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in
> one request!)
> To: bugt...@securityfocus.com
>
>
> Hi,
>
> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
> injection technique which allows extracting the whole information of a
> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
> way.
>
> This technique is based on the FOR XML clause, which is able to convert the
> content of a table into a single string, so its contents could be appended
> to some field injecting a subquery into a vulnerable input of a web
> application. In most cases, this method can dump all the contents of any
> table using only ONE REQUEST to the web server, without the need of any
> special permission on the DBMS.
>
> I have written a paper describing how the technique works and on which
> fundamentals it is based, and I have also developed a tool which implements
> this technique as a proof of concept (with the source code included).
>
> You can get them through this URL:
>
> http://www.kachakil.com/papers/SFX-SQLi-en.htm
>
> Regards,
>  Daniel Kachakil
>
> _______________________________________________
> W3af-develop mailing list
> W3af-develop@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>
>



-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
