Login or register
SecDocs RSS feed

Paper details

Title Manipulating Microsoft SQL Server Using SQL Injection
Type Paper
Tags SQL Server SQL injection
Abstract This paper will not cover basic SQL syntax or SQL Injection. It is assumed that the reader has a strong understanding of these topics already. This paper will focus on advanced techniques that can be used in an attack on a (web) application utilizing Microsoft SQL Server as a backend. These techniques demonstrate how an attacker could use a SQL Injection vulnerability to retrieve the database content from behind a firewall and penetrate the internal network. This paper is meant to educate security professionals of the potential devastating effects SQL Injection could have on an organization. Web applications are becoming more secure because of the growing awareness of attacks such as SQL Injection. However, in large and complex applications, a single oversight can result in the compromise of the entire system. Specifically, many developers and administrators of (web) applications may have a false sense of security because they use stored procedures or mask an error messages returned to the browser. This may lead them to believe that they can not be compromised by this vulnerability. While we discuss Microsoft SQL Server in this paper, this is no way indicative that Microsoft SQL Server is any less secure than other database platforms such as Oracle or IBM DB2. SQL injection is not a defect of Microsoft SQL Server – it is also a problem for every other database vendor as well. Perhaps the biggest issue with Microsoft SQL Server is the flexibility of the system. This flexibility is what allows it to be subverted so far by SQL injection. This paper is meant to show that any time an administrator or developer allows arbitrary SQL to be executed, their system is open to being rooted. It is not meant to show that Microsoft SQL Server is inherently flawed.
Authors Cesar Cerrudo
Submitted April 26, 2008
Rating
Currently 0/5 stars (0 votes).
Correlation
Linked to
Event ---
Resource ---
Download
Source Manipulating_SQL_Server_Using_SQL_Injection.pdf
Size 181.3 KB
MD5 117676aab396ff4ab63c9984983e7145
SHA1 a0b524b598ce408a2a37599763cf87a49d40c853

Comments
No comments.
Add new Only logged in users can comment.


Click here to lend your support to: SecDocs and make a donation at www.pledgie.com !

Top top


Follow us via RSS RSS feed, on twitter Twitter feed or on facebook Facebook page

© 2007-2012 Alessandro `jekil` Tanasi
Serving 5377 documents and 334.2 GB of hacking knowledge, indexed from 1672 authors in 104 security conferences.
To report bugs or suggest features write .