« Did the Internet enable a new economy?
DMCA Attacks: NAI Tells Sites To Remove PGP (Updated) »

While looking for examples of SQL Code Injection attacks, I found

While looking for examples of SQL Code Injection attacks, I found a nice concise summary of many typical web application vulnerabilities, including specific product-specific things to look for, e.g.:

MySQL

- Supports ‘INTO OUTFILE’
- Runs often as “root”
- Most modules and libs do not support multiple-statements.

Oracle

- Subselects possible
- UNION possible
- Comes with many stored procedures (utf_file!)
- No multiple-statements

DB2

- Subselects possible
- UNION possible
- Stored procedures
- No multiple-statements

Postgres

- Supports COPY (if superusermode)
- Subselects possible
- UNION possible
- Stored procedures
- Multiple statements are possible!

MS SQL

- Subselects possible
- UNION possible
- Stored procedures
- Multiple statements are possible!
- Many dangerous default stored procedures (xp_cmdshell, sp_adduser)

This entry was posted on Monday, May 20th, 2002 at 4:23 pm and is filed under LINKS, security. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply