Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)

To: Daniel Kachakil <dani@xxxxxxxxxxxx>
Subject: Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)
From: Razi Shaban <razishaban@xxxxxxxxx>
Date: Fri, 6 Feb 2009 18:50:25 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=dLKU6sr+V4iTGSVDKBdYHQAPJJfwE//Eb8Y2Hz/IGbE=; b=nve1nTipSoKNtdKrYSAjK5nUdlABqMcmH003/hkQzzfggcbODSCJ0r809e5bv5c9GA mJsBAVr0kNrJboBLFxNMMd0LelJzqxIcA/eBsYpnv+USX+2b5PuPpl5hqrF30n2Dtdae JrDknAjXRW+RiGGNWhayoaIN7najiXRtz53Z4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=ATjA9v8GrnGsuDs6X92nRpwkooJjREA185zUzmGh1jsadfLjzlCL/DOP6sn3pMeMUm QTSNcE9OiZ9hfrDsVI3A9ICFtdehEtkVLXtEVMr3vItKTMZ7AEKtbagfBQuAMhNGx2Hd xPUuxcUwncxJbkqMX1dJszFUp0kFZXFRfFL3k=
In-reply-to: <001b01c98853$ea5630b0$bf029210$@com>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <001b01c98853$ea5630b0$bf029210$@com>

On Fri, Feb 6, 2009 at 2:10 PM, Daniel Kachakil <dani@xxxxxxxxxxxx> wrote:
> Hi,
>
> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
> injection technique which allows to extract the whole information of a
> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
> way.
>

This isn't new, this is old news. It might be the first paper written
about the topic, but these methods have been used for years.

Follow-Ups:
- Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)
  - From: Roman Medina-Heigl Hernandez

References:
- SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)
  - From: Daniel Kachakil

Prev by Date: [security bulletin] HPSBUX02408 SSRT080182 rev.1 - HP-UX Running NFS, Local Denial of Service (DoS)
Next by Date: Vulnerable: Ilch CMS
Previous by thread: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)
Next by thread: Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)
Index(es):
- Date
- Thread