THE SQL Server Blog Spot on the Web


Denis Gobo

Testing for SQL Server Vulnerabilities

I found this SQL Server testing page (vulnerability testing, not unit testing) and decided to post a link to it, since it has some useful material. The link is below.

Here is what is covered. Enjoy (or live in fear over the weekend).

1 Brief Summary
2 Short Description of the Issue
3 Black Box testing and example
3.1 SQL Server Peculiarities
3.2 Example 1: Testing for SQL Injection in a GET request.
3.3 Example 2: Testing for SQL Injection in a GET request (2).
3.4 Example 3: Testing in a POST request
3.5 Example 4: Yet another (useful) GET example
3.6 Example 5: custom xp_cmdshell
3.7 Example 6: Referer / User-Agent
3.8 Example 7: SQL Server as a port scanner
3.9 Example 8: Upload of executables
3.10 Obtain information when it is not displayed (Out of band)
3.11 Blind SQL injection attacks
3.11.1 Trial and error
3.11.2 In case more than one error message is displayed
3.11.3 Timing attacks
3.11.4 Checking for version and vulnerabilities
3.12 Example 9: bruteforce of sysadmin password
4 References 

Published Friday, May 2, 2008 1:27 PM by Denis Gobo



Dr Tree said:

Denis - just as a follow-up to your post - here's a thread from Tek-Tips:

May 5, 2008 8:42 AM

Brent Jenkins said:

I have a situation where I must use embedded sql only.

That means NO stored procedures, parameterized queries, etc. are allowed - period.

In other words, my hands are tied!

Anyhow, I wrote this routine to prevent SQL Injection.

I think this routine is bulletproof.

Can anybody break it?

Function getSafeValue(ByVal userInput As String) As String
    ' Remove leading and trailing whitespace
    userInput = Trim(userInput)
    ' Double every single quote, the T-SQL escape inside a string literal
    userInput = userInput.Replace("'", "''")
    ' Turn each double quote into a doubled single quote as well
    userInput = userInput.Replace("""", "''")
    ' Empty input becomes the bare keyword NULL; anything else is wrapped in single quotes
    Return IIf(userInput = "", "NULL", "'" & userInput & "'")
End Function

September 22, 2008 4:53 PM
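The comment above ends with an open question. As an added example that is not part of the post or of the thread, the following Python models the posted getSafeValue routine and checks it in the contexts a reviewer would look at: whether its output always lexes as exactly one T-SQL string literal (it does; doubling the quote is the only escape T-SQL has), what value the server actually receives (a typed double quote arrives as a single quote), LIKE predicates, where % and _ pass through the routine untouched and change the predicate without breaking any quote, and a hypothetical downstream fixed-width nvarchar(n) column or variable, where the doubled text can be cut between the two halves of a doubled quote. The function names, sample inputs and the truncation scenario are assumptions for illustration; nothing here is sent to a server.

```python
"""
Added example, not code from the post or the thread: a Python model of the
quote-doubling routine posted above, plus checks for two contexts in which a
correctly doubled literal is still not sufficient.  All SQL text here is
constructed locally and never executed.
"""
import re


def get_safe_value(user_input: str) -> str:
    """Faithful port of the VB.NET getSafeValue routine: trim, double single
    quotes, turn each double quote into a doubled single quote, emit NULL for
    empty input, otherwise wrap the result in single quotes."""
    s = user_input.strip()
    s = s.replace("'", "''")
    s = s.replace('"', "''")
    return "NULL" if s == "" else f"'{s}'"


# A T-SQL string literal is '...' in which the only escape is a doubled quote;
# there is no backslash escaping, so this regex is the complete lexer rule.
_TSQL_LITERAL = re.compile(r"'(?:[^']|'')*'")


def stays_one_literal(value: str) -> bool:
    """True when the routine's output lexes as exactly one string literal,
    i.e. nothing the user typed can terminate the literal early."""
    lit = get_safe_value(value)
    return lit == "NULL" or _TSQL_LITERAL.fullmatch(lit) is not None


def what_the_server_stores(value: str):
    """Undo the literal syntax to show the value SQL Server receives.  A typed
    double quote is silently turned into a single quote by the routine."""
    lit = get_safe_value(value)
    return None if lit == "NULL" else lit[1:-1].replace("''", "'")


# Context 1: LIKE.  %, _ and [ are pattern metacharacters *inside* the literal,
# so an input of "%" turns  WHERE name LIKE '%'  into match-everything while
# every quote stays balanced.  Quote-doubling cannot express this constraint.
_LIKE_META = re.compile(r"[%_\[\\]")


def like_metachars_leak(value: str) -> bool:
    """True when the plain routine passes LIKE metacharacters through."""
    return _LIKE_META.search(get_safe_value(value)) is not None


def like_safe_value(value: str) -> str:
    """Hardened variant for LIKE predicates (assumed name): backslash-escape
    the metacharacters and declare the escape character with ESCAPE."""
    escaped = _LIKE_META.sub(lambda m: "\\" + m.group(0), value.strip())
    lit = get_safe_value(escaped)
    return lit if lit == "NULL" else lit + " ESCAPE '\\'"


# Context 2: truncation (hypothetical downstream step, not one the post
# describes).  Doubling lengthens the value; if the doubled text later passes
# through a fixed-width nvarchar(width) column or variable before being
# concatenated into dynamic SQL, the cut can land between the two halves of a
# doubled quote and leave a lone quote that closes the literal early.
def dangling_quote_after_truncation(value: str, width: int) -> bool:
    lit = get_safe_value(value)
    if lit == "NULL":
        return False
    kept = lit[1:-1][:width]            # the text as stored, then cut
    return _TSQL_LITERAL.fullmatch(f"'{kept}'") is None


if __name__ == "__main__":
    # Constructed sample inputs
    for v in ["O'Brien", "' OR 1=1 --", '"; DROP TABLE t --', "%", "   "]:
        print(f"{v!r:24} -> {get_safe_value(v)!r:28} one literal: {stays_one_literal(v)}")
    print(like_safe_value("50%_off"))
    print(dangling_quote_after_truncation("x" * 19 + "'", 20))
```

The first check is the answer to the literal question: with the value used only as a complete single-quoted literal, the doubled quote cannot be broken out of, because T-SQL has no other escape sequence. The other two checks are the caveats a reviewer would add: the routine has no knowledge of the context it is concatenated into, so a LIKE pattern or any later fixed-width storage of the escaped text changes the outcome, and every value on the page has to go through it with no exceptions.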

About Denis Gobo

I was born in Croatia in 1970, when I was one I moved to Amsterdam (and yes Ajax is THE team in Holland) and finally in 1993 I came to the US. I have lived in New York City for a bunch of years and currently live in Princeton, New Jersey with my wife and 3 kids. I work for Dow Jones as a Database architect in the indexes department, one drawback: since our data goes back all the way to May 1896 I cannot use smalldates ;-( I have been working with SQL server since version 6.5 and compared to all the other bloggers here I am a n00b. Some of you might know me from or even from some of the newsgroups where I go by the name Denis the SQL Menace If you are a Tek-Tips user then you might know me by the name SQLDenis, I am one of the guys answering SQL Questions in the SQL Programming forum.
