How to lose your database and your job

•

0 likes•161 views

This is a talk geared towards developers who have heard of SQL Injection, but haven’t seen it in action, or are unsure about how to do anything about it. Contains demos of what SQL injection looks like, and why escaping quotes is nowhere near sufficient.

Internet

Text
How to lose your database and your job
Ryan Gooler
http://ayay.co.uk/backgrounds/action_games/hitman/bullet-holes.jpg

Text
http://talesofmyexploits.com/posts/talk-how-to-lose-your-database-and-your-job

What is it?
Improperly ﬁltered input
Lets anyone write SQL to query your database
Severely underrated attack
The subject of a lot of boring talks

https://upload.wikimedia.org/wikipedia/commons/7/79/Operation_Upshot-Knothole_-_Badger_001.jpg

http://i.ytimg.com/vi/8GyVx28R9-s/maxresdefault.jpg

The example everyone uses
SELECT * FROM
users
WHERE (
username = ‘$username’ AND
password = ‘$password’
)

What the programmer expects
SELECT * FROM
users
WHERE (
username = ‘admin’ AND
password = ‘p@ssw0rd’
)

What hackers try
SELECT * FROM
users
WHERE (
username = ‘admin’ AND
password = ‘’ OR ‘a’=‘a’
)

But we teach people to write
secure code, right?
http://lmgtfy.com/?q=Login+using+a+MySQL+database

But surely PROFESSIONALS
don’t write that bad of code

Are there different types of SQL Injection vulnerabilities?

http://www.techsupportall.com/wp-content/uploads/2014/01/blue-screen-error.jpg
http://laportadacanada.com/userﬁles/images/editorial(17).jpg
http://images.medicaldaily.com/sites/medicaldaily.com/ﬁles/2014/09/19/blind.jpg

Easy to ﬁnd - just put a ‘ in somewhere
Very common
Usually ﬁltered ineffectively
Only works when you inject BEFORE a where clause
Usually patched quickly
Usually VERY easy to ﬁnd abuse in logs

Usually found the same way Error-based is
Works when you inject AFTER a where clause
Another tool in your toolbox
Depending on the page, may be able to put multiple
injections in one query!

Injection without seeing the output
Works by inferring data, not reading it out
Technically a timing side channel attack
Hard to ﬁnd (for attackers and defenders)
Annoying to exploit
Takes fooooorrrrever
Still works!

https://mortongrovenews.ﬁles.wordpress.com/2015/06/stressandfrustration1.jpg

http://www.wikihow.com/images/9/9c/Tie-a-Noose-Step-10-Version-2.jpg

http://pstrooper.deviantart.com/art/Ancient-Aliens-Guy-HD-Meme-465505021

Lets strip spaces!
$id = escape_spaces(“1/**/OR/**/1=1”);
“SELECT * FROM table WHERE id = $id”;
"SELECT * FROM table WHERE id = 1/**/OR/**/1=1”;
/**/ comment acts like a space

Lets strip out SQL keywords
Don’t check for SELECT, INSERT, UNION, etc.
UN/**/ION works just as well
So does UniOn
And you probably didn’t cover all keywords

Check to see if ‘id’ is a number?
if is_numeric($_POST['id'])
9 union all (SELECT GROUP_CONCAT(schema_name) FROM
information_schema.schemata)
Convert to hex…
0x3920756e696f6e20616c6c202853454c4543542047524f55505f
434f4e43415428736368656d615f6e616d65292046524f4d20696
e666f726d6174696f6e5f736368656d612e736368656d61746129
Thats a number!

Lets escape quotes!
$id = escape_quotes(“1 OR 1=1”);
"SELECT * FROM table WHERE id = $id”;
"SELECT * FROM table WHERE id = 1 OR 1=1”;

SELECT *
FROM users
WHERE id = mysql_real_escape_string(“1 UNION SELECT id,
user_id, content, NULL FROM notes WHERE user_id = 1”);
SELECT *
FROM users
WHERE id =1
UNION
SELECT id, user_id, content, NULL
FROM notes
WHERE user_id = 1

Works ok if you use single quotes around your
variables, though.
$id = escape_quotes(“1’ OR 1=1”);
"SELECT * FROM table WHERE id = ‘$id’”;
"SELECT * FROM table WHERE id = ‘1’ OR 1=1’”;
INVALID SQL QUERY! :D

Cast to int / ﬂoat / whatever
Only works for numbers
SELECT * FROM whatever WHERE id = ‘X’;
Really solid defense when you can use it
Super easy to add in

Prepared Statements
SELECT * FROM users where id=? AND password=?
Can’t choose table name in this way
Some limitations with what prepared statements can do
Still could hit a buffer overﬂow or something
But pretty darn sturdy

Similar to How to lose your database and your job

SQL Injections - 2016 - Huntington Beach

Jeff Prom

PHP Secure Programming

Balavignesh Kasinathan

Sql injection

Nikunj Dhameliya

SQL Injection in action with PHP and MySQL

Pradeep Kumar

The goal of this talk is to educate developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, session hijacking, and insecure direct object references. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. Once we've established an understanding of how these attacks work, we'll look at concrete steps you can take to secure web applications against such vulnerabilities. The knowledge gained from this talk can also be used for participating in "Capture the Flag" security competitions.

Hacking Your Way To Better Security - Dutch PHP Conference 2016

Colin O'Dell

Ppt on sql injection

ashish20012

Sql injection

Mehul Boghra

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

Pichaya Morimoto

A Brief Introduction in SQL Injection

Sina Manavi

Chapter 5 - SQL-Injection-NK.pdf

Waad Waad

A Brief Introduction About Sql Injection in PHP and MYSQL

kobaitari

Advanced Topics On Sql Injection Protection

amiable_indian

SQL Injection in PHP

Dave Ross

ORM2Pwn: Exploiting injections in Hibernate ORM

Mikhail Egorov

Sql Injection Myths and Fallacies

Karwin Software Solutions LLC

DEF CON 27 -OMER GULL - select code execution from using sq lite

Felipe Prado

Advanced Sql Injection ENG

Dmitry Evteev

DEFCON 23 - Lance buttars Nemus - sql injection on lamp

Felipe Prado

Greensql2007

Kaustav Sengupta

Code injection and green sql

Kaustav Sengupta

Similar to How to lose your database and your job (20)

SQL Injections - 2016 - Huntington Beach

PHP Secure Programming

Sql injection

SQL Injection in action with PHP and MySQL

Hacking Your Way To Better Security - Dutch PHP Conference 2016

Ppt on sql injection

Sql injection

SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto

A Brief Introduction in SQL Injection

Chapter 5 - SQL-Injection-NK.pdf

A Brief Introduction About Sql Injection in PHP and MYSQL

Advanced Topics On Sql Injection Protection

SQL Injection in PHP

ORM2Pwn: Exploiting injections in Hibernate ORM

Sql Injection Myths and Fallacies

DEF CON 27 -OMER GULL - select code execution from using sq lite

Advanced Sql Injection ENG

DEFCON 23 - Lance buttars Nemus - sql injection on lamp

Greensql2007

Code injection and green sql

Recently uploaded

20240510 QFM016 Irresponsible AI Reading List April 2024.pdf

Matthew Sinclair

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts. A nutshell review for Hot Call girls in Abu Dhabi. My experience was superb with them this is the only recommended Call girls service in Abu Dhabi with verified Call girls. I am using their services from past 6 months they never ever disappointed me in any way. Let's just say if i asked them to provide me russian Call girls they fulfilled my request or even pakistani Call girls or indian Call girls in Abu Dhabi. They have their owen drivers who brings the Call girls in less time in any area of Abu Dhabi like as well. I'm writing here everything after experience their services in all conditions. So hopefully they will keeps working in the same way and makes more consumers like me. These guys are the best example of work with perfection. Pleased with Abu Dhabi Call girls and highly suggested to every one. Call girls whatsapp numbers in abu dhabi. Rent a girlfriend abu dhabi, stylish call girls abu dhabi any more than she had to. In a way, I guess I was the reason for her being like, Indian call girls abu dhabi, Indian call girl abu dhabi, indian call girls in abu dhabi, indian call girl agency abu dhabi, Pakistan call girls in abu dhabi, Pakistani call girl in abu dhabi, russian call girls in abu dhabi, russian call girl service in abu dhabi, indian call girls numbers abu dhabi, pakistani call girls number abu dhabi, teen call girls in abu dhabi, outcall call girls in abu dhabi Al Zahiyah Abu Dhabi Call Girls, Al Wahda Abu Dhabi Call Girls, Al Khalidiya Abu Dhabi Call Girls, Khalifa City Abu Dhabi Call Girls, Al Reem island Call Girls, Yas Island Call girls, Al lulu Island Call Girls, Nurai Island Call girls, Saadiyat Island Call Girls, Tourist Club Area Call Girls, Al Baraha Call Girls, Al Bateen Call Girls, Al Danah Call Girls, Al Dhafrah Call Girls, Al Falah City Call Girls, Al Ghadeer Call Girls she was, at least partially, and that made me feel even more responsible to help fix it. But I'd be lying if I didn't admit more sordid, and much more interesting, thoughts crept up right alongside that responsibility.

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts

Monica Sydney

在线制作约克大学毕业证（yu毕业证）在读证明认证可查【Q/微信741003700】原版仿制全套留学文凭材料（毕业证/成绩单（GPA成绩修改）/文凭学历证书/在读证明、毕业完成信、Offer录取通知书)；（真实可查）教育部学历认证、留信网认证、文凭认证、diploma、certificate、Degree、Transcript（实体公司，专业可靠）。 1:1完美还原海外各大学证书上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700。留学生归国服务中心面向美国英国澳洲加拿大留学生提供以下服务: 一、办理毕业证成绩单（学校原版1：1高仿真制作）二、留信认证（留学回国人员学历认证，网上存档可查，查到后付款）三、教育部学历认证（中国教育部留服中心存档可查,查到后付款）办理流程 1、收集客户办理信息； 2、客户付定金下单、公司确认到账转制作点做电子版； 3、电子版做好发给客户确认、电子版确认好转成品部做成品； 4、成品做好拍照或者视频确认再付余款； 5、快递给客户（国内顺丰，国外DHL）。本公司诚聘美国、加拿大、英国、新西兰、澳洲、法国、德国、新加坡各地代理人员，如果你有业余时间有兴趣就请联系我们校园代理，报酬丰厚。真诚期待您的加盟。请联系本公司学历认证顾问(QQ：741003700 微信：741003700)欢迎咨询！最专业的学历顾问，最有经验的顶尖OP为广大留学生的归国之路保卫护航！

在线制作约克大学毕业证（yu毕业证）在读证明认证可查

ydyuyu

学校颁发一模一样【微信：95270640 】【(Flinders毕业证书)弗林德斯大学毕业证成绩单】【微信：95270640 】学位证，留信认证（真实可查，永久存档）原件一模一样/offer、外壳等材料/诚信可靠,可直接看成品样本，帮您解决无法毕业带来的各种难题！原版制作，诚信可靠，可直接看成品样本。行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题，包您满意。本公司拥有海外各大学样板无数，能完美还原。 1:1完美还原海外各大学毕业材料上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问微信：95270640 【主营项目】一.毕业证【微信：95270640】成绩单、使馆认证、教育部认证、学生卡等！二.真实使馆公证(即留学回国人员证明,不成功不收费) 三.真实教育部学历学位认证（教育部存档！教育部留服网站永久可查）四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度) 如果您处于以下几种情况： ◇在校期间，因各种原因未能顺利毕业……拿不到官方毕业证【微信：95270640】 ◇面对父母的压力，希望尽快拿到； ◇不清楚认证流程以及材料该如何准备； ◇回国时间很长，忘记办理； ◇回国马上就要找工作，办给用人单位看； ◇企事业单位必须要求办理的 ◇需要报考公务员、购买免税车、落转户口 ◇申请留学生创业基金留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才办理Flinders毕业证书)弗林德斯大学【微信：95270640】外观非常简单，由纸质材料制成，上面印有校徽、校名、毕业生姓名、专业等信息。办理Flinders毕业证书)弗林德斯大学【微信：95270640】格式相对统一，各专业都有相应的模板。通常包括以下部分：校徽：象征着学校的荣誉和传承。校名:学校英文全称授予学位：本部分将注明获得的具体学位名称。毕业生姓名：这是最重要的信息之一，标志着该证书是由特定人员获得的。颁发日期：这是毕业正式生效的时间，也代表着毕业生学业的结束。其他信息：根据不同的专业和学位，可能会有一些特定的信息或章节。办理Flinders毕业证书)弗林德斯大学毕业证价值很高，需要妥善保管。一般来说，应放置在安全、干燥、防潮的地方，避免长时间暴露在阳光下。如需使用，最好使用复印件而不是原件，以免丢失。综上所述，办理Flinders毕业证书)弗林德斯大学毕业证是证明身份和学历的高价值文件。外观简单庄重，格式统一，包括重要的个人信息和发布日期。对持有人来说，妥善保管是非常重要的。

一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样

ayvbos

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts. A nutshell review for Hot Call girls in Abu Dhabi. My experience was superb with them this is the only recommended Call girls service in Abu Dhabi with verified Call girls. I am using their services from past 6 months they never ever disappointed me in any way. Let's just say if i asked them to provide me russian Call girls they fulfilled my request or even pakistani Call girls or indian Call girls in Abu Dhabi. They have their owen drivers who brings the Call girls in less time in any area of Abu Dhabi like as well. I'm writing here everything after experience their services in all conditions. So hopefully they will keeps working in the same way and makes more consumers like me. These guys are the best example of work with perfection. Pleased with Abu Dhabi Call girls and highly suggested to every one. Call girls whatsapp numbers in abu dhabi. Rent a girlfriend abu dhabi, stylish call girls abu dhabi any more than she had to. In a way, I guess I was the reason for her being like, Indian call girls abu dhabi, Indian call girl abu dhabi, indian call girls in abu dhabi, indian call girl agency abu dhabi, Pakistan call girls in abu dhabi, Pakistani call girl in abu dhabi, russian call girls in abu dhabi, russian call girl service in abu dhabi, indian call girls numbers abu dhabi, pakistani call girls number abu dhabi, teen call girls in abu dhabi, outcall call girls in abu dhabi Al Zahiyah Abu Dhabi Call Girls, Al Wahda Abu Dhabi Call Girls, Al Khalidiya Abu Dhabi Call Girls, Khalifa City Abu Dhabi Call Girls, Al Reem island Call Girls, Yas Island Call girls, Al lulu Island Call Girls, Nurai Island Call girls, Saadiyat Island Call Girls, Tourist Club Area Call Girls, Al Baraha Call Girls, Al Bateen Call Girls, Al Danah Call Girls, Al Dhafrah Call Girls, Al Falah City Call Girls, Al Ghadeer Call Girls she was, at least partially, and that made me feel even more responsible to help fix it. But I'd be lying if I didn't admit more sordid, and much more interesting, thoughts crept up right alongside that responsibility.

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts

Monica Sydney

真实学历认证【q/微1954292140】【康考迪亚大学毕业证成绩单Offer】【q/微1954292140】（留信学历认证永久存档查询）采用学校原版纸张、特殊工艺完全按照原版一比一制作（包括：隐形水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠，文字图案浮雕，激光镭射，紫外荧光，温感，复印防伪）行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备，十五年致力于帮助留学生解决难题，业务范围有加拿大、英国、澳洲、韩国、美国、新加坡，新西兰等学历材料，包您满意。【业务选择办理准则】一、工作未确定，回国需先给父母、亲戚朋友看下文凭的情况，办理一份就读学校的毕业证【q/微1954292140】文凭即可二、回国进私企、外企、自己做生意的情况，这些单位是不查询毕业证真伪的，而且国内没有渠道去查询国外文凭的真假，也不需要提供真实教育部认证。鉴于此，办理一份毕业证【q/微1954292140】即可三、进国企，银行，事业单位，考公务员等等，这些单位是必需要提供真实教育部认证的，办理教育部认证所需资料众多且烦琐，所有材料您都必须提供原件，我们凭借丰富的经验，快捷的绿色通道帮您快速整合材料，让您少走弯路。留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才 → 【关于价格问题（保证一手价格）我们所定的价格是非常合理的，而且我们现在做得单子大多数都是代理和回头客户介绍的所以一般现在有新的单子我给客户的都是第一手的代理价格，因为我想坦诚对待大家不想跟大家在价格方面浪费时间对于老客户或者被老客户介绍过来的朋友，我们都会适当给一些优惠。选择实体注册公司办理，更放心，更安全！我们的承诺：可来公司面谈，可签订合同，会陪同客户一起到教育部认证窗口递交认证材料，客户在教育部官方认证查询网站查询到认证通过结果后付款，不成功不收费！

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制

pxcywzqs

原件一模一样【微信：6496090 】【田纳西大学毕业证成绩单】【微信：6496090 】学位证，留信认证（真实可查，永久存档）原件一模一样/offer、雅思、外壳等材料/诚信可靠,可直接看成品样本，帮您解决无法毕业带来的各种难题！外壳，原版制作，诚信可靠，可直接看成品样本。行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题，包您满意。本公司拥有海外各大学样板无数，能完美还原。 1:1完美还原海外各大学毕业材料上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微6496090 【主营项目】一.毕业证【q微6496090】成绩单、使馆认证、教育部认证、雅思托福成绩单、学生卡等！二.真实使馆公证(即留学回国人员证明,不成功不收费) 三.真实教育部学历学位认证（教育部存档！教育部留服网站永久可查）四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度) 如果您处于以下几种情况： ◇在校期间，因各种原因未能顺利毕业……拿不到官方毕业证【q/微6496090】 ◇面对父母的压力，希望尽快拿到； ◇不清楚认证流程以及材料该如何准备； ◇回国时间很长，忘记办理； ◇回国马上就要找工作，办给用人单位看； ◇企事业单位必须要求办理的 ◇需要报考公务员、购买免税车、落转户口 ◇申请留学生创业基金留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才办理田纳西大学毕业证【微信：6496090 】外观非常简单，由纸质材料制成，上面印有校徽、校名、毕业生姓名、专业等信息。办理田纳西大学毕业证【微信：6496090 】格式相对统一，各专业都有相应的模板。通常包括以下部分：校徽：象征着学校的荣誉和传承。校名:学校英文全称授予学位：本部分将注明获得的具体学位名称。毕业生姓名：这是最重要的信息之一，标志着该证书是由特定人员获得的。颁发日期：这是毕业正式生效的时间，也代表着毕业生学业的结束。其他信息：根据不同的专业和学位，可能会有一些特定的信息或章节。办理田纳西大学毕业证【微信：6496090 】价值很高，需要妥善保管。一般来说，应放置在安全、干燥、防潮的地方，避免长时间暴露在阳光下。如需使用，最好使用复印件而不是原件，以免丢失。综上所述，办理田纳西大学毕业证【微信：6496090 】是证明身份和学历的高价值文件。外观简单庄重，格式统一，包括重要的个人信息和发布日期。对持有人来说，妥善保管是非常重要的。

一比一原版田纳西大学毕业证如何办理

Model Call Girl Services in Delhi reach out to us at 🔝 9953056974🔝✔️✔️ Our agency presents a selection of young, charming call girls available for bookings at Oyo Hotels. Experience high-class escort services at pocket-friendly rates, with our female escorts exuding both beauty and a delightful personality, ready to meet your desires. Whether it's Housewives, College girls, Russian girls, Muslim girls, or any other preference, we offer a diverse range of options to cater to your tastes. We provide both in- call and out-call services for your convenience. Our in-call location in Delhi ensures cleanliness, hygiene, and 100% safety, while our out-call services offer doorstep delivery for added ease. We value your time and money, hence we kindly request pic collectors, time-passers, and bargain hunters to refrain from contacting us. Our services feature various packages at competitive rates: One shot: ₹2000/in-call, ₹5000/out-call Two shots with one girl: ₹3500 /in-call, ₱6000/out-call Body to body massage with sex: ₱3000/in-call Full night for one person: ₱7000/in-call, ₱10000/out-call Full night for more than 1 person : Contact us at 🔝 9953056974🔝. for details Operating 24/7, we serve various locations in Delhi, including Green Park, Lajpat Nagar, Saket, and Hauz Khas near metro stations. For premium call girl services in Delhi 🔝 9953056974🔝. Thank you for considering us

call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7

9953056974 Low Rate Call Girls In Saket, Delhi NCR

Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi. A nutshell review for Hot Call girls in Abu Dhabi. My experience was superb with them this is the only recommended Call girls service in Abu Dhabi with verified Call girls. I am using their services from past 6 months they never ever disappointed me in any way. Let's just say if i asked them to provide me russian Call girls they fulfilled my request or even pakistani Call girls or indian Call girls in Abu Dhabi. They have their owen drivers who brings the Call girls in less time in any area of Abu Dhabi like as well. I'm writing here everything after experience their services in all conditions. So hopefully they will keeps working in the same way and makes more consumers like me. These guys are the best example of work with perfection. Pleased with Abu Dhabi Call girls and highly suggested to every one. Call girls whatsapp numbers in abu dhabi. Rent a girlfriend abu dhabi, stylish call girls abu dhabi any more than she had to. In a way, I guess I was the reason for her being like, Indian call girls abu dhabi, Indian call girl abu dhabi, indian call girls in abu dhabi, indian call girl agency abu dhabi, Pakistan call girls in abu dhabi, Pakistani call girl in abu dhabi, russian call girls in abu dhabi, russian call girl service in abu dhabi, indian call girls numbers abu dhabi, pakistani call girls number abu dhabi, teen call girls in abu dhabi, outcall call girls in abu dhabi Al Zahiyah Abu Dhabi Call Girls, Al Wahda Abu Dhabi Call Girls, Al Khalidiya Abu Dhabi Call Girls, Khalifa City Abu Dhabi Call Girls, Al Reem island Call Girls, Yas Island Call girls, Al lulu Island Call Girls, Nurai Island Call girls, Saadiyat Island Call Girls, Tourist Club Area Call Girls, Al Baraha Call Girls, Al Bateen Call Girls, Al Danah Call Girls, Al Dhafrah Call Girls, Al Falah City Call Girls, Al Ghadeer Call Girls she was, at least partially, and that made me feel even more responsible to help fix it. But I'd be lying if I didn't admit more sordid, and much more interesting, thoughts crept up right alongside that responsibility.

Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi

Monica Sydney

20240509 QFM015 Engineering Leadership Reading List April 2024.pdf

Matthew Sinclair

Best SEO Services Company in Dallas | Best SEO Agency Dallas

Digicorns Technologies

Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

HenryBriggs2

哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查【Q/微信741003700】原版仿制全套留学文凭材料（毕业证/成绩单（GPA成绩修改）/文凭学历证书/在读证明、毕业完成信、Offer录取通知书)；（真实可查）教育部学历认证、留信网认证、文凭认证、diploma、certificate、Degree、Transcript（实体公司，专业可靠）。 1:1完美还原海外各大学证书上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问Q/微741003700。留学生归国服务中心面向美国英国澳洲加拿大留学生提供以下服务: 一、办理毕业证成绩单（学校原版1：1高仿真制作）二、留信认证（留学回国人员学历认证，网上存档可查，查到后付款）三、教育部学历认证（中国教育部留服中心存档可查,查到后付款）办理流程 1、收集客户办理信息； 2、客户付定金下单、公司确认到账转制作点做电子版； 3、电子版做好发给客户确认、电子版确认好转成品部做成品； 4、成品做好拍照或者视频确认再付余款； 5、快递给客户（国内顺丰，国外DHL）。本公司诚聘美国、加拿大、英国、新西兰、澳洲、法国、德国、新加坡各地代理人员，如果你有业余时间有兴趣就请联系我们校园代理，报酬丰厚。真诚期待您的加盟。请联系本公司学历认证顾问(QQ：741003700 微信：741003700)欢迎咨询！最专业的学历顾问，最有经验的顶尖OP为广大留学生的归国之路保卫护航！

哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查

ydyuyu

Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia

meghakumariji156

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...

APNIC

Real Men Wear Diapers T Shirts sweatshirt

rahman018755

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charming call girls Booking Now open +91- 9332606886 Pune VIP Call Girls is highly qualified professionals. #S10 They will offer only top quality services and never try to scam or drain you of money; in fact, they strive to give complete satisfaction so that each cent spent was worth its worth. Furthermore, these professionals pride themselves in keeping customer details confidential; any information gleaned will never be shared with any third party.$V15 Two shots with one girl: ₹4500/in-call, ₹7500/out-call Body to body massage with : ₹5500/in-call Full night for one person: ₹7000/in-call, ₹12000/out-call •𝐂𝐨𝐥𝐥𝐞𝐠𝐞 𝐆𝐢𝐫𝐥𝐬 •𝐇𝐨𝐮𝐬𝐞𝐰𝐢𝐯𝐞𝐬 •𝐇𝐢𝐠𝐡 𝐏𝐫𝐨𝐟𝐢𝐥𝐞 𝐆𝐢𝐫𝐥𝐬 •𝐑𝐚𝐦𝐩 𝐌𝐨𝐝𝐞𝐥𝐬 •𝐅𝐨𝐫𝐞𝐢𝐠𝐧𝐞𝐫 𝐆𝐢𝐫𝐥𝐬 𝐎𝐮𝐫 𝐞𝐬𝐜𝐨𝐫𝐭 𝐬𝐞𝐫𝐯𝐢𝐜𝐞𝐬 •𝐇𝐉 (𝐇𝐚𝐧𝐝 𝐉𝐨𝐛) •𝐁𝐉 (𝐁𝐥𝐨𝐰𝐣𝐨𝐛) # Completion # (Oral To Completion) # Special Massage # O-Level (Oral ) # Oral With A Noncondom) # COB (Come On Body) # Extraball (Have Many Times) # All Meetings 100%Safe

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...

kumargunjan9515

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models We are available 24*7 Booking Contact Details :- WhatsApp Chat :- +91-7014168258 If you're looking for India Call girls you've come to the right place. You'll find some of the most beautiful call girls in our location with. These ladies have pleasing personalities, hot figures, and a passion for physical pleasure. Call girls in India Lucknow Many men have booked them for their erotic and soul-mixing performances, which are sure to leave you with unforgettable memories. #K09 Escort Service India is available in the city for men and women of all ages. They can satisfy your sexual needs and will make your experience even more enjoyable and memorable. Whether you're looking for a blow-job, stripping, lovemaking, or other dirty acts, you'll be able to find a match for your tastes and budget. These highly trained professionals will help you have an unforgettable night. One Shot — 5000/in call (time 1 hour), 6000/out call Two shot with one girl — 8000/in call (time 2 hour), 10000/out call Body to body massage with sex- 8000/in call (time 1 hour) Full night Service for one person– 12000/in call, 13000/out call (shot limit 3-4 shots) Full night Service for more than 1 person — please contact Us —7014168258 We are available 24*7 all days of the year. Call us — 7014168258 Thank you for Visiting.

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...

gajnagarg

学校颁发一模一样【微信：95270640 】【(Curtin毕业证书)科廷大学毕业证成绩单】【微信：95270640 】学位证，留信认证（真实可查，永久存档）原件一模一样/offer、外壳等材料/诚信可靠,可直接看成品样本，帮您解决无法毕业带来的各种难题！原版制作，诚信可靠，可直接看成品样本。行业标杆！精益求精，诚心合作，真诚制作！多年品质 ,按需精细制作，24小时接单,全套进口原装设备。十五年致力于帮助留学生解决难题，包您满意。本公司拥有海外各大学样板无数，能完美还原。 1:1完美还原海外各大学毕业材料上的工艺：水印，阴影底纹，钢印LOGO烫金烫银，LOGO烫金烫银复合重叠。文字图案浮雕、激光镭射、紫外荧光、温感、复印防伪等防伪工艺。材料咨询办理、认证咨询办理请加学历顾问微信：95270640 【主营项目】一.毕业证【微信：95270640】成绩单、使馆认证、教育部认证、学生卡等！二.真实使馆公证(即留学回国人员证明,不成功不收费) 三.真实教育部学历学位认证（教育部存档！教育部留服网站永久可查）四.办理各国各大学文凭(一对一专业服务,可全程监控跟踪进度) 如果您处于以下几种情况： ◇在校期间，因各种原因未能顺利毕业……拿不到官方毕业证【微信：95270640】 ◇面对父母的压力，希望尽快拿到； ◇不清楚认证流程以及材料该如何准备； ◇回国时间很长，忘记办理； ◇回国马上就要找工作，办给用人单位看； ◇企事业单位必须要求办理的 ◇需要报考公务员、购买免税车、落转户口 ◇申请留学生创业基金留信网认证的作用: 1:该专业认证可证明留学生真实身份 2:同时对留学生所学专业登记给予评定 3:国家专业人才认证中心颁发入库证书 4:这个认证书并且可以归档倒地方 5:凡事获得留信网入网的信息将会逐步更新到个人身份内，将在公安局网内查询个人身份证信息后，同步读取人才网入库信息 6:个人职称评审加20分 7:个人信誉贷款加10分 8:在国家人才网主办的国家网络招聘大会中纳入资料，供国家高端企业选择人才办理Curtin毕业证书)科廷大学【微信：95270640】外观非常简单，由纸质材料制成，上面印有校徽、校名、毕业生姓名、专业等信息。办理Curtin毕业证书)科廷大学【微信：95270640】格式相对统一，各专业都有相应的模板。通常包括以下部分：校徽：象征着学校的荣誉和传承。校名:学校英文全称授予学位：本部分将注明获得的具体学位名称。毕业生姓名：这是最重要的信息之一，标志着该证书是由特定人员获得的。颁发日期：这是毕业正式生效的时间，也代表着毕业生学业的结束。其他信息：根据不同的专业和学位，可能会有一些特定的信息或章节。办理Curtin毕业证书)科廷大学毕业证价值很高，需要妥善保管。一般来说，应放置在安全、干燥、防潮的地方，避免长时间暴露在阳光下。如需使用，最好使用复印件而不是原件，以免丢失。综上所述，办理Curtin毕业证书)科廷大学毕业证是证明身份和学历的高价值文件。外观简单庄重，格式统一，包括重要的个人信息和发布日期。对持有人来说，妥善保管是非常重要的。

一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样

ayvbos

20240507 QFM013 Machine Intelligence Reading List April 2024.pdf

Matthew Sinclair

Recently uploaded (20)

20240510 QFM016 Irresponsible AI Reading List April 2024.pdf

Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts

在线制作约克大学毕业证（yu毕业证）在读证明认证可查

一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样

Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts

一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制

一比一原版田纳西大学毕业证如何办理

call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7

Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi

20240509 QFM015 Engineering Leadership Reading List April 2024.pdf

Best SEO Services Company in Dallas | Best SEO Agency Dallas

Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查

Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...

Real Men Wear Diapers T Shirts sweatshirt

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...

一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样

20240507 QFM013 Machine Intelligence Reading List April 2024.pdf

How to lose your database and your job

1. Text How to lose your database and your job Ryan Gooler http://ayay.co.uk/backgrounds/action_games/hitman/bullet-holes.jpg

2. Text http://talesofmyexploits.com/posts/talk-how-to-lose-your-database-and-your-job

3. SQL Injection

4. What is it? Improperly ﬁltered input Lets anyone write SQL to query your database Severely underrated attack The subject of a lot of boring talks

5. https://upload.wikimedia.org/wikipedia/commons/7/79/Operation_Upshot-Knothole_-_Badger_001.jpg

6. http://i.ytimg.com/vi/8GyVx28R9-s/maxresdefault.jpg

7. The example everyone uses SELECT * FROM users WHERE ( username = ‘$username’ AND password = ‘$password’ )

8. What the programmer expects SELECT * FROM users WHERE ( username = ‘admin’ AND password = ‘p@ssw0rd’ )

9. What hackers try SELECT * FROM users WHERE ( username = ‘admin’ AND password = ‘’ OR ‘a’=‘a’ )

10. But we teach people to write secure code, right? http://lmgtfy.com/?q=Login+using+a+MySQL+database

11. But surely PROFESSIONALS don’t write that bad of code

12. Are there different types of SQL Injection vulnerabilities?

13. http://www.techsupportall.com/wp-content/uploads/2014/01/blue-screen-error.jpg http://laportadacanada.com/userﬁles/images/editorial(17).jpg http://images.medicaldaily.com/sites/medicaldaily.com/ﬁles/2014/09/19/blind.jpg

14. Error based SQL Injection

15. Easy to find - just put a ‘ in somewhere Very common Usually filtered ineffectively Only works when you inject BEFORE a where clause Usually patched quickly Usually VERY easy to find abuse in logs

16. DEMO

17. Union based SQL Injection

18. Usually found the same way Error-based is Works when you inject AFTER a where clause Another tool in your toolbox Depending on the page, may be able to put multiple injections in one query!

19. DEMO

20. Blind SQL Injection

21. Injection without seeing the output Works by inferring data, not reading it out Technically a timing side channel attack Hard to ﬁnd (for attackers and defenders) Annoying to exploit Takes fooooorrrrever Still works!

22. DEMO

23. https://mortongrovenews.ﬁles.wordpress.com/2015/06/stressandfrustration1.jpg

24. http://www.wikihow.com/images/9/9c/Tie-a-Noose-Step-10-Version-2.jpg

25. http://pstrooper.deviantart.com/art/Ancient-Aliens-Guy-HD-Meme-465505021

26. Meh Defenses

27. Lets strip spaces! $id = escape_spaces(“1/**/OR/**/1=1”); “SELECT * FROM table WHERE id = $id”; "SELECT * FROM table WHERE id = 1/**/OR/**/1=1”; /**/ comment acts like a space

28. Lets strip out SQL keywords Don’t check for SELECT, INSERT, UNION, etc. UN/**/ION works just as well So does UniOn And you probably didn’t cover all keywords

29. Check to see if ‘id’ is a number? if is_numeric($_POST['id']) 9 union all (SELECT GROUP_CONCAT(schema_name) FROM information_schema.schemata) Convert to hex… 0x3920756e696f6e20616c6c202853454c4543542047524f55505f 434f4e43415428736368656d615f6e616d65292046524f4d20696 e666f726d6174696f6e5f736368656d612e736368656d61746129 Thats a number!

30. Good Defenses

31. Lets escape quotes! $id = escape_quotes(“1 OR 1=1”); "SELECT * FROM table WHERE id = $id”; "SELECT * FROM table WHERE id = 1 OR 1=1”;

32. SELECT * FROM users WHERE id = mysql_real_escape_string(“1 UNION SELECT id, user_id, content, NULL FROM notes WHERE user_id = 1”); SELECT * FROM users WHERE id =1 UNION SELECT id, user_id, content, NULL FROM notes WHERE user_id = 1

33. Works ok if you use single quotes around your variables, though. $id = escape_quotes(“1’ OR 1=1”); "SELECT * FROM table WHERE id = ‘$id’”; "SELECT * FROM table WHERE id = ‘1’ OR 1=1’”; INVALID SQL QUERY! :D

34. Great Defenses

35. Cast to int / ﬂoat / whatever Only works for numbers SELECT * FROM whatever WHERE id = ‘X’; Really solid defense when you can use it Super easy to add in

36. Prepared Statements SELECT * FROM users where id=? AND password=? Can’t choose table name in this way Some limitations with what prepared statements can do Still could hit a buffer overﬂow or something But pretty darn sturdy

37. ?

How to lose your database and your job

Recommended

Recommended

More Related Content

Similar to How to lose your database and your job

Similar to How to lose your database and your job (20)

Recently uploaded

Recently uploaded (20)

How to lose your database and your job