Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)

Razi Shaban wrote:
>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>> injection technique which allows extracting the whole information of a
>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>> way.
> This isn't new, this is old news. It might be the first paper written
> about the topic, but these methods have been used for years.

Please, Razi, could you name any reference? I suppose that if the method is
well-known, as you're suggesting, it shouldn't be difficult at all to find
at least one. I can't believe no tool is implementing such a great idea, if
it is "old news".



