|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Danux (danuxx
gmail.com)
Date: Mon Oct 15 2007 - 19:38:50 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi, after testing a PHP-MSSQL app, i am able to insert and update
tables but i can't execute store_procedures, so, i was wondering if
its possible to update a table putting something like: "phpinfo()" or
(passthru("ipconfig")) in order to execute while loading the page?
I mean:
inside the html page the images are taken from database so... in a
black box perspective a think is something like: <img src=$img> and i
know where is the table which reads this image name, then i can update
the table and instead of read something like $img = picture.gif, reads
some thing like "phpinfo();". but as you know this is only a string,
even though if i update the table with: eval("phpinfo();") its also a
string .... so it dont get executed!!
So, i would like you help me, what can i do if i am able to insert,
create and update tables but unable to run store procedures, or bulk
or bcp!!!!!
Thanks!!!
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]