This technique is based on the FOR XML clause, which converts the contents of a table into a single string, so those contents can be appended to a field by injecting a subquery into a vulnerable input of a web application.
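A defender's view of the technique, as an added example that is not part of the original post or of the tool: a Python scan of web access logs that flags requests whose URL-decoded query parameters contain a SELECT ... FOR XML construct. The log lines, paths and addresses are constructed for illustration, and the Common Log Format layout is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Whitespace or an inline /* */ comment between keywords.
GAP = r"(?:\s|/\*.*?\*/)+"
# SELECT ... FOR XML <mode>, the construct the technique relies on.
FOR_XML = re.compile(
    r"\bselect\b.*?\bfor" + GAP + r"xml" + GAP + r"(?:raw|auto|path|explicit)\b",
    re.IGNORECASE | re.DOTALL,
)
# Common Log Format (assumed): client, identity, user, [time], "METHOD target PROTO"
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

def flagged_params(target):
    """Names of query parameters whose URL-decoded value holds SELECT ... FOR XML."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [name for name, value in pairs if FOR_XML.search(value)]

def scan(lines):
    """Return (client, path, parameter names) for each request that is flagged."""
    findings = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        names = flagged_params(target)
        if names:
            findings.append((client, urlsplit(target).path, names))
    return findings

# Constructed sample log lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '198.51.100.4 - - [28/Mar/2010:10:00:01 +0000] "GET /news.aspx?id=12 HTTP/1.1" 200 5120',
    '198.51.100.4 - - [28/Mar/2010:10:00:05 +0000] "GET /search.aspx?q=books+for+xml+beginners HTTP/1.1" 200 830',
    '203.0.113.9 - - [28/Mar/2010:10:02:13 +0000] "GET /news.aspx?id=12+and+1%3D(select+a+from+b+for+xml+raw) HTTP/1.1" 500 1208',
    '203.0.113.9 - - [28/Mar/2010:10:02:14 +0000] "GET /news.aspx?id=12&ref=(SELECT+a+FROM+b+FOR/**/XML/**/PATH(%27%27)) HTTP/1.1" 500 1208',
]

if __name__ == "__main__":
    for client, path, names in scan(SAMPLE_LOG):
        print(client, path, ",".join(names))
```

Access logs normally record only the query string, so POST bodies and headers need the same check applied where they are visible, such as a WAF or application-level logging.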
UPDATE (28/03/2010): In addition to a new web application for testing, a new revision of the tool has been published with some minor fixes and changes, including new functionality such as access to other databases on the same server and support for user-defined queries.
Sources:
http://www.kachakil.com/papers/sfx-sqli-en.htm
http://forum.intern0t.org/hacking-tools-utilities/2452-sfx-sqli-version-1-1-3-22-a.html