|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Chris Anley (chris
ngssoftware.com)Date: Tue Jun 18 2002 - 13:25:16 CDT
Hi folks,
I've written another SQL injection whitepaper; it can be found at
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
I'm aware that I'm running the risk of becoming a one-topic poster; if
anyone's bored, I apologise. Other stuff is in the pipeline, I promise. :o)
The paper clears up some points I glossed over in the previous paper and
introduces some new techniques, notably the use of time delays as a
communication channel to extract information from the database, and the many
uses of OPENROWSET.
If anyone has other examples of the use of time as a communication channel,
I'd be extremely interested. It seems to me to be a powerful technique,
since defence mechanisms tend to abstract it out.
-chris.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]