From: Paul Schmehl (pschmehl_lists tx.rr.com)
Date: Sat Feb 07 2009 - 22:10:59 CST

--On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil <dani kachakil.com> wrote:
>
> I have written a paper describing how the technique works and on which
> fundamentals it is based, and I have also developed a tool which implements
> this technique as a proof of concept (with the source code included).
>
> You can get them through this URL:
>
> http://www.kachakil.com/papers/SFX-SQLi-en.htm

Having read your paper, I'm a bit confused about what you think the "new
SQL injection technique" is that you've discovered. I understand you have
determined a way to *extract* data in a more compact and efficient format,
but I didn't see any new *injection* technique. IOW, the FOR XML
construct isn't going to assist you in obtaining the data - only in
obtaining it more efficiently.

Did I miss something?

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/