I found this SQL Server testing page (vulnerability testing, not unit testing) and decided I would post a link to it since it has some useful stuff. The link is below:
http://www.owasp.org/index.php/Testing_for_SQL_Server
Here is what is covered. Enjoy (or live in fear over the weekend).
1 Brief Summary
2 Short Description of the Issue
3 Black Box testing and example
3.1 SQL Server Peculiarities
3.2 Example 1: Testing for SQL Injection in a GET request
3.3 Example 2: Testing for SQL Injection in a GET request (2)
3.4 Example 3: Testing in a POST request
3.5 Example 4: Yet another (useful) GET example
3.6 Example 5: custom xp_cmdshell
3.7 Example 6: Referer / User-Agent
3.8 Example 7: SQL Server as a port scanner
3.9 Example 8: Upload of executables
3.10 Obtain information when it is not displayed (Out of band)
3.11 Blind SQL injection attacks
3.11.1 Trial and error
3.11.2 In case more than one error message is displayed
3.11.3 Timing attacks
3.11.4 Checking for version and vulnerabilities
3.12 Example 9: bruteforce of sysadmin password
4 References
About Denis Gobo
I was born in Croatia in 1970; when I was one I moved to Amsterdam (and yes, Ajax is THE team in Holland), and finally in 1993 I came to the US. I have lived in New York City for a bunch of years and currently live in Princeton, New Jersey with my wife and 3 kids. I work for Dow Jones as a Database Architect in the indexes department. One drawback: since our data goes back all the way to May 1896, I cannot use smalldates ;-(
I have been working with SQL Server since version 6.5, and compared to all the other bloggers here I am a n00b.
Some of you might know me from http://sqlservercode.blogspot.com/ or even from some of the newsgroups, where I go by the name Denis the SQL Menace.
If you are a Tek-Tips user then you might know me by the name SQLDenis; I am one of the guys answering SQL questions in the SQL Programming forum.