This document summarizes sqlmap, an open source penetration testing tool used for detecting and exploiting SQL injection flaws. It discusses sqlmap's features such as supporting large data dumps, storing session data, XML payload and query formats, multithreading, direct database connections, loading requests from files, form and site crawling, authentication, detection of reflection and dynamic content, and fingerprinting of databases and web servers.
1. sqlmap – Under the Hood
Miroslav Štampar
(dev@sqlmap.org)
2. PHDays 2013, Moscow (Russia) May 23, 2013 2
BigArray
Support for huge table dumps (e.g. millions of rows)
Raw data needs to be held somewhere before being processed (and eventually stored)
In-memory was a good enough choice until recent years (user appetites went bigger)
Avoidance of MemoryError
Memory mapping into smaller chunks/pages (e.g. 4096 entries)
Temporary files are used for storing chunks
O(1) read/write access (page table principle)
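The paging scheme on this slide, as an added illustration that is not sqlmap's own implementation: a list-like container keeps only the page being filled in memory, pickles each full page to a temporary file, and maps an index to (page, offset) like a page table. The 4096 default, the row tuples and the write-back strategy are this example's assumptions.

```python
import os
import pickle
import tempfile


class BigArray:
    """List-like store that spills full pages (chunks) to temporary files."""

    def __init__(self, chunk_size=4096):
        self.chunk_size = chunk_size   # entries per page, 4096 as on the slide
        self.chunks = []               # paths of pages already written to disk
        self.chunk = []                # page currently being filled (in memory)
        self.cache = None              # (page index, entries) of the last page read back
        self.length = 0

    def append(self, value):
        self.chunk.append(value)
        self.length += 1
        if len(self.chunk) >= self.chunk_size:
            self._flush()

    def _flush(self):
        # Write the full page to a temporary file and start a fresh one.
        fd, path = tempfile.mkstemp(prefix="bigarray_")
        with os.fdopen(fd, "wb") as f:
            pickle.dump(self.chunk, f, pickle.HIGHEST_PROTOCOL)
        self.chunks.append(path)
        self.chunk = []

    def _page(self, index):
        # Page-table lookup: the page is either the live one or a file on disk.
        if index == len(self.chunks):
            return self.chunk
        if self.cache is None or self.cache[0] != index:
            with open(self.chunks[index], "rb") as f:
                self.cache = (index, pickle.load(f))
        return self.cache[1]

    def _locate(self, i):
        if i < 0:
            i += self.length
        if not 0 <= i < self.length:
            raise IndexError("BigArray index out of range")
        return i // self.chunk_size, i % self.chunk_size

    def __getitem__(self, i):
        page, offset = self._locate(i)
        return self._page(page)[offset]

    def __setitem__(self, i, value):
        page, offset = self._locate(i)
        entries = self._page(page)
        entries[offset] = value
        if page < len(self.chunks):        # a flushed page: write it back to its file
            with open(self.chunks[page], "wb") as f:
                pickle.dump(entries, f, pickle.HIGHEST_PROTOCOL)

    def __len__(self):
        return self.length

    def __iter__(self):
        for i in range(self.length):
            yield self[i]

    def close(self):
        # Remove the temporary files so nothing from the dump lingers on disk.
        for path in self.chunks:
            try:
                os.remove(path)
            except OSError:
                pass
        self.chunks, self.chunk, self.cache, self.length = [], [], None, 0


def demo(rows=10000, chunk_size=4096):
    """Fill a BigArray with constructed dump rows and exercise random read/write access."""
    arr = BigArray(chunk_size)
    for n in range(rows):
        arr.append(("user%d" % n, "hash%d" % n))
    arr[5000] = ("admin", "rewritten")       # lands in an already flushed page
    result = (len(arr), len(arr.chunks), arr[0], arr[5000], arr[-1], sum(1 for _ in arr))
    arr.close()
    return result
```

With 10000 rows and 4096 entries per page, two pages sit on disk and the third stays in memory; only one page is ever loaded at a time.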
3. HashDB
Storage of resumable session data at a centralized place (local SQLite3 database)
Non-ASCII values are automatically serialized/deserialized (pickle)
    INSERT INTO storage VALUES (LONG(MD5(target_url || key || MILESTONE_SALT)[:8]), stored_value)
MILESTONE_SALT is changed whenever there is a change in the HashDB mechanism that brings incompatibility with previous versions
key uniquely describes stored_value for a given target_url (e.g.: KB_INJECTIONS, SELECT banner FROM v$version WHERE ROWNUM=1, etc.)
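The HashDB scheme above, as an added example rather than sqlmap's own code: the row id is derived from target_url, key and the salt, ASCII strings are stored as-is and everything else is pickled. MILESTONE_SALT is a constructed placeholder, and taking the first 8 hex digits of the MD5 as the integer id is this example's reading of the slide's "[:8]".

```python
import hashlib
import pickle
import sqlite3

MILESTONE_SALT = "milestone-salt-placeholder"   # constructed; bumped on incompatible changes


def hashdb_key(target_url, key, salt=MILESTONE_SALT):
    """LONG(MD5(target_url || key || salt)[:8]): a 32-bit integer row id (assumed hex digits)."""
    digest = hashlib.md5((target_url + key + salt).encode("utf-8")).hexdigest()
    return int(digest[:8], 16)


class HashDB:
    def __init__(self, path=":memory:"):
        # One SQLite file per session in practice; ":memory:" keeps the example self-contained.
        self.conn = sqlite3.connect(path)
        self.conn.execute("CREATE TABLE IF NOT EXISTS storage (id INTEGER PRIMARY KEY, value BLOB)")

    def write(self, target_url, key, value):
        if isinstance(value, str) and value.isascii():
            stored = value                                           # plain ASCII text as-is
        else:
            stored = pickle.dumps(value, pickle.HIGHEST_PROTOCOL)    # non-ASCII or non-string: pickled
        self.conn.execute("INSERT OR REPLACE INTO storage (id, value) VALUES (?, ?)",
                          (hashdb_key(target_url, key), stored))
        self.conn.commit()

    def read(self, target_url, key, default=None):
        row = self.conn.execute("SELECT value FROM storage WHERE id = ?",
                                (hashdb_key(target_url, key),)).fetchone()
        if row is None:
            return default
        value = row[0]
        # Only unpickle what this tool wrote itself: pickle.loads on a session
        # file obtained from an untrusted source executes arbitrary code.
        return pickle.loads(value) if isinstance(value, bytes) else value


def demo():
    db = HashDB()
    url = "http://192.168.21.129/vuln.php?id=1"            # target URL used on the slides
    db.write(url, "SELECT banner FROM v$version WHERE ROWNUM=1", "Oracle Database 11g")
    db.write(url, "KB_INJECTIONS", [{"parameter": "id", "stype": 2}])   # non-string: pickled
    db.write(url, "DBMS_BANNER", "MySQL (ćšž)")                          # non-ASCII: pickled
    other_url = "http://example.com/other.php?id=1"         # constructed, unrelated target
    return (db.read(url, "SELECT banner FROM v$version WHERE ROWNUM=1"),
            db.read(url, "KB_INJECTIONS"),
            db.read(url, "DBMS_BANNER"),
            db.read(other_url, "KB_INJECTIONS"))
```

Because the salt is part of the hashed input, changing it orphans every row written before, which is exactly the "incompatible with previous versions" behaviour the slide describes.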
4. Payloads
XML format (xml/payloads.xml)
Tag type <boundary> used for storage of all possible prefix and suffix formations (<prefix>, <suffix>) together with context sensitive information (subtags <level>, <clause>, <where> and <ptype>)
Tag type <test> used for storage of data required for successful testing and usage of each SQL injection payload type (subtags <title>, <stype>, <level>, <risk>, <clause>, <where>, <vector>, <request> and <response>)
6. Payloads (3)
<test>
    <title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)</title>
    <stype>2</stype>
    <level>2</level>
    <risk>0</risk>
    <clause>1</clause>
    <where>1</where>
    <vector>AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
    <request>
        <payload>AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
    </request>
    <response>
        <grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
    </response>
    <details>
        <dbms>Microsoft SQL Server</dbms>
        <dbms>Sybase</dbms>
        <os>Windows</os>
    </details>
</test>
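How such a <test> entry is consumed, as an added example that is not sqlmap's own loader: parse the entry, keep it only when the run's level and risk reach its own, fill the [RANDNUM] and delimiter placeholders, and apply the <grep> pattern to a response. The XML is a constructed copy of the slide's entry; note that inside an XML text node the regex group has to be written as (?P&lt;result&gt;...). The delimiters, the random number and the error page are constructed.

```python
import re
import xml.etree.ElementTree as ET

PAYLOADS_XML = """<root>
<test>
  <title>Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)</title>
  <stype>2</stype>
  <level>2</level>
  <risk>0</risk>
  <clause>1</clause>
  <where>1</where>
  <vector>AND [RANDNUM] IN (('[DELIMITER_START]'+([QUERY])+'[DELIMITER_STOP]'))</vector>
  <request>
    <payload>AND [RANDNUM] IN (('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
  </request>
  <response>
    <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
  </response>
  <details>
    <dbms>Microsoft SQL Server</dbms>
    <dbms>Sybase</dbms>
    <os>Windows</os>
  </details>
</test>
</root>"""


def load_tests(xml_text):
    """Parse every <test> entry into a plain dict."""
    tests = []
    for test in ET.fromstring(xml_text).iter("test"):
        tests.append({
            "title": test.findtext("title"),
            "stype": int(test.findtext("stype")),
            "level": int(test.findtext("level")),
            "risk": int(test.findtext("risk")),
            "vector": test.findtext("vector"),
            "payload": test.findtext("request/payload"),
            "grep": test.findtext("response/grep"),
            "dbms": [d.text for d in test.findall("details/dbms")],
        })
    return tests


def select_tests(tests, level, risk):
    """A test is eligible only when the run's level and risk settings reach its own."""
    return [t for t in tests if t["level"] <= level and t["risk"] <= risk]


def render(template, randnum, delimiters):
    """Fill the per-run placeholders of a <payload> or <vector> template."""
    start, stop = delimiters
    return (template.replace("[RANDNUM]", str(randnum))
                    .replace("[DELIMITER_START]", start)
                    .replace("[DELIMITER_STOP]", stop))


def extract_result(grep, delimiters, page):
    """Apply the <grep> pattern to a response; the named group carries the result."""
    start, stop = delimiters
    pattern = (grep.replace("[DELIMITER_START]", re.escape(start))
                   .replace("[DELIMITER_STOP]", re.escape(stop)))
    match = re.search(pattern, page, re.DOTALL)
    return match.group("result") if match else None


def demo():
    tests = load_tests(PAYLOADS_XML)
    test = select_tests(tests, level=2, risk=1)[0]
    delimiters = ("qxjqq", "qkpvq")          # constructed; fresh random ones are used per run
    payload = render(test["payload"], 4871, delimiters)   # 4871 stands in for [RANDNUM]
    # Constructed error page: the cast of the delimited string to int failed and the
    # DBMS echoed the string back, which is what makes the technique error-based.
    page = "Conversion failed when converting the varchar value 'qxjqq1qkpvq' to data type int."
    return payload, extract_result(test["grep"], delimiters, page), select_tests(tests, level=1, risk=1)
```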
7. Queries
XML format (xml/queries.xml)
Tag type <dbms> used for storage of all DBMS specific SQL formations required for successful enumeration (subtags <users>, <passwords>, <dbs>, <tables>, <columns>, <dump_table>, etc.) and resulting data (pre)processing (subtags <cast>, <length>, <isnull>, <count>, <substring>, <concatenate>, etc.)
Each enumeration subtag has an <inband> and <blind> form used in respective techniques
8. Queries (2)
<dbms value="MySQL">
    <cast query="CAST(%s AS CHAR)"/>
    <length query="CHAR_LENGTH(%s)"/>
    <isnull query="IFNULL(%s,' ')"/>
    <delimiter query=","/>
    <limit query="LIMIT %d,%d"/>
    …
    <passwords>
        <inband query="SELECT user,password FROM mysql.user" condition="user"/>
        <blind query="SELECT DISTINCT(password) FROM mysql.user WHERE user='%s' LIMIT %d,1" count="SELECT COUNT(DISTINCT(password)) FROM mysql.user WHERE user='%s'"/>
    </passwords>
    …
9. Multithreading
Multithreading implemented wherever applicable (option --threads)
Techniques covered: boolean-based blind, error-based and partial UNION query
Deliberately turned off for techniques: time-based and stacked (lots of reasons)
Each thread covers a part of the value in case of boolean-based blind
In other techniques, each thread covers one enumerated entry
Also implemented for brute force column/table name search and crawling
10. Direct connection
Direct connection to DBMS (option -d)
    python sqlmap.py -d "mysql://root:password123@192.168.21.129:3306/testdb"
Support for: Microsoft SQL Server, MySQL, Oracle, PostgreSQL, SQLite, Microsoft Access, Firebird, SAP MaxDB, Sybase, IBM DB2
Use of 3rd party connectors (e.g. python-pymssql, pymysql, cx_Oracle, python-psycopg2, etc.)
SQLAlchemy used as an alternative
11. Load request(s) from file
Load HTTP request(s) from a textual file (option -r)
Supporting RAW request format (any MITM proxy can be used to catch one)
Particularly useful for requests with a large content body (e.g. POST)
Load and parse log files (option -l)
Supporting Burp and WebScarab log formats
Unlimited number of parsed HTTP requests (using only unique ones)
12. Content type detection
Automatic detection of (specialized) request content types
Supporting SOAP, JSON and (generic) XML
For example:
    --data='{ "pid": 4412, "id": 1, "action": "do"}'
    --data='<request><pid>4412</pid><id>1</id><action>do</action></request>'
Appropriate exploitation of parameter values
In case of non-supported format(s), a custom injection mark (*) can be used
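The two preceding slides (raw request loading and content type detection) in one added example that is not sqlmap's own parser: split a raw HTTP request as an intercepting proxy saves it, classify the body as JSON, SOAP, XML or form data, and list the parameter values a scanner would test; for an unrecognised format only the positions of the custom * mark are returned. The raw request is constructed around the slide's JSON body, and "plain http" for the URL is an assumption.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

INJECTION_MARK = "*"   # custom mark for formats that are not recognised


def parse_raw_request(text):
    """Split a raw request into method, URL, headers and body (assumption: plain http)."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    url = "http://%s%s" % (headers.get("Host", ""), path)
    return {"method": method, "url": url, "headers": headers, "body": body.strip()}


def detect_content_type(body):
    """Return 'json', 'soap', 'xml', 'form' or 'unknown' for a request body."""
    stripped = body.strip()
    if stripped[:1] in ("{", "["):
        try:
            json.loads(stripped)
            return "json"
        except ValueError:
            pass
    if stripped.startswith("<"):
        try:
            ET.fromstring(stripped)
        except ET.ParseError:
            return "unknown"
        return "soap" if re.search(r"<(\w+:)?Envelope\b", stripped) else "xml"
    if re.fullmatch(r"[^=&\s]+=[^&]*(&[^=&\s]+=[^&]*)*", stripped):
        return "form"
    return "unknown"


def extract_parameters(body, ctype):
    """(name, value) pairs to test; for unknown formats, the offsets of custom injection marks."""
    if ctype == "json":
        pairs = []

        def walk(node, name):
            if isinstance(node, dict):
                for key, child in node.items():
                    walk(child, key)
            elif isinstance(node, list):
                for child in node:
                    walk(child, name)
            else:
                pairs.append((name, node))

        walk(json.loads(body), "")
        return pairs
    if ctype in ("xml", "soap"):
        # Leaf elements carry the values; strip namespaces such as {http://...}id.
        return [(el.tag.rsplit("}", 1)[-1], el.text)
                for el in ET.fromstring(body).iter() if len(el) == 0 and el.text is not None]
    if ctype == "form":
        return parse_qsl(body, keep_blank_values=True)
    return [("#%d" % (n + 1), m.start())
            for n, m in enumerate(re.finditer(re.escape(INJECTION_MARK), body))]


# Constructed request file content, using the JSON body shown on the slide.
RAW_REQUEST = (
    "POST /api/action HTTP/1.1\r\n"
    "Host: 192.168.21.129\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 39\r\n"
    "\r\n"
    '{ "pid": 4412, "id": 1, "action": "do"}'
)


def demo():
    req = parse_raw_request(RAW_REQUEST)
    ctype = detect_content_type(req["body"])
    xml_body = "<request><pid>4412</pid><id>1</id><action>do</action></request>"   # from the slide
    return (req["method"], req["url"], ctype, extract_parameters(req["body"], ctype),
            detect_content_type(xml_body), extract_parameters(xml_body, "xml"))
```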
13. Site crawling/form searching
Collect usable (on site) target links (option --crawl)
User defines crawling depth (e.g. 3), limiting the search based on distance from the starting page
Optional form searching at visited pages (switch --forms)
Arbitrary filling of missing form data
Repair of non-HTML-compliant pages for easier processing
14. Mnemonics
Usage of mnemonics for faster setting up of sqlmap options and switches (option -z)
Longer (original):
    python sqlmap.py --flush-session --threads=4 --ignore-proxy --batch --banner -u …
Shorter (using mnemonics):
    python sqlmap.py -z "flu,thre=4,ign,bat,ban" -u …
Highly generic prefix based recognition (e.g. -z "flu,bat,ban" is interpreted the same as -z "flush,batc,bann")
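Prefix-based mnemonic recognition as an added example, not sqlmap's own -z code. OPTIONS is a constructed subset of sqlmap's long option names, and the ambiguity rule (an exact name wins, otherwise the prefix must match exactly one option) is this example's choice.

```python
OPTIONS = [
    "--flush-session", "--threads", "--ignore-proxy", "--batch", "--banner",
    "--forms", "--fresh-queries", "--crawl", "--tor", "--tor-type", "--tor-port",
]


def resolve_mnemonic(name, options=OPTIONS):
    """Map a (possibly abbreviated) mnemonic such as 'flu' to one long option name."""
    wanted = name.strip().lower().lstrip("-")
    if not wanted:
        raise ValueError("empty mnemonic")
    candidates = [o for o in options if o.lstrip("-").startswith(wanted)]
    exact = [o for o in candidates if o.lstrip("-") == wanted]
    if exact:
        return exact[0]                     # "tor" means --tor, not --tor-type or --tor-port
    if len(candidates) == 1:
        return candidates[0]
    if not candidates:
        raise ValueError("unknown mnemonic %r" % name)
    raise ValueError("ambiguous mnemonic %r: %s" % (name, ", ".join(candidates)))


def expand_mnemonics(spec, options=OPTIONS):
    """Turn 'flu,thre=4,ign,bat,ban' into {long option: value}, True marking a switch."""
    expanded = {}
    for item in spec.split(","):
        if not item.strip():
            continue
        name, has_value, value = item.partition("=")
        expanded[resolve_mnemonic(name, options)] = value.strip() if has_value else True
    return expanded


def to_argv(expanded):
    """Render the expanded mapping back into command-line arguments."""
    return [option if value is True else "%s=%s" % (option, value)
            for option, value in expanded.items()]
```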
15. Keep-alive
HTTP persistent connection (switch --keep-alive)
Opposed to a new connection for every single request/response pair
Slightly adapted 3rd party module keepalive, adjusted for multi-threading
Connection pool: reuse of existing target connection(s) where applicable
Reduced network congestion (fewer TCP connections), reduced latency (no handshaking), faster enumeration, etc.
Tor
Support for The Onion Router (Tor) online
anonymity network (switch --tor)
Concealing identity and network activity
Used against surveillance and (targeted) traffic
sniffing
Configurable Tor proxy type (option --tor-type)
and port number (option --tor-port)
DNS leakage is prevented (no DNS requests
outside of Tor)
Available safety check for proper usage of Tor
(switch --check-tor)
Domain name resolution caching
DNS resolution request is done by default for
each HTTP request (from Python HTTP
dedicated modules – e.g. httplib)
Noticeable slowdown in some cases (e.g.
excessive network latency)
Problem noticed and reported by (nagging)
users (looking into Wireshark traffic captures)
Problem patched at the lowest level (method
socket.getaddrinfo(*args, **kwargs) is
encapsulated for caching)
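The patch described on this slide, as an added example (not the code sqlmap ships): a thread-safe wrapper around a getaddrinfo-compatible resolver that resolves each distinct argument set once, plus a helper that installs it over socket.getaddrinfo for the whole process. The wrapper takes the resolver as a parameter so it can be exercised offline with a counting stub; there is no TTL, which is acceptable for a scan session but not for a long-running service.

```python
import socket
import threading


def make_cached_getaddrinfo(resolver=socket.getaddrinfo):
    """Return a getaddrinfo-compatible callable that resolves each distinct
    argument set once and serves repeats from memory.

    Failed lookups are not cached (the exception propagates), and there is no
    TTL: the cache lives as long as the process, which matches a scan session.
    """
    cache = {}
    lock = threading.Lock()            # shared between worker threads

    def cached_getaddrinfo(*args, **kwargs):
        key = (args, tuple(sorted(kwargs.items())))
        with lock:
            hit = cache.get(key)
        if hit is not None:
            return hit
        result = resolver(*args, **kwargs)   # real lookup outside the lock
        with lock:
            cache[key] = result
        return result

    cached_getaddrinfo.cache = cache   # exposed for inspection/tests
    return cached_getaddrinfo


def install_dns_cache():
    """Monkey-patch socket.getaddrinfo process-wide, which is what the slide
    describes; returns the wrapper so the cache can be inspected."""
    if not hasattr(socket.getaddrinfo, "cache"):   # idempotent
        socket.getaddrinfo = make_cached_getaddrinfo(socket.getaddrinfo)
    return socket.getaddrinfo
```

Because httplib/http.client ends up in socket.getaddrinfo for every new connection, patching it at this level covers every HTTP request without touching the HTTP code; combined with --keep-alive the lookup disappears from the per-request path entirely.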
Authentication methods
Implemented support for authentication methods: basic, digest, NTLM and certificate (options --auth-type, --auth-cred and --auth-cert)
python sqlmap.py -u "http://192.168.21.129/vuln.php?id=1" --auth-type=basic --auth-cred="testuser:testpass"
Handling HTTP status code 401 (Unauthorized)
Authorization headers are being cached (where applicable)
Reflection detection and removal
Noisy response resulting from request
reflection
Query results for: 1%20AND%201%3D1
Can cause problems in detection phase
Particularly problematic for boolean-based
blind technique (fuzzy page comparison)
Automatic detection of reflected payload value
and marking with predefined constant value
Query results for: __REFLECTED_VALUE__
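Reflection removal as an added example (the function names and the sample page are the example's own, not sqlmap's): the payload is looked for in the response in the forms it is likely to be echoed in (raw, URL-encoded with %20 or +, HTML-escaped) and every copy is replaced with the constant marker, so that two responses which differ only by the echoed payload compare as equal.

```python
import html
import re
import urllib.parse

REFLECTED_VALUE = "__REFLECTED_VALUE__"


def reflected_payload_pattern(payload):
    """Regex matching the payload as a page is likely to echo it back:
    verbatim, URL-encoded (%20 or + for spaces) or HTML-escaped."""
    variants = {
        payload,
        urllib.parse.quote(payload, safe=""),
        urllib.parse.quote_plus(payload),
        html.escape(payload, quote=True),
    }
    # longest alternative first so a partial variant never wins over a full one
    alternatives = sorted((re.escape(v) for v in variants), key=len, reverse=True)
    return re.compile("|".join(alternatives), re.IGNORECASE)


def remove_reflection(page, payload, original_value):
    """Replace every reflected copy of `payload` with REFLECTED_VALUE.
    Returns (cleaned_page, replacements).  An unchanged parameter value is
    left alone: it is expected to appear in the page."""
    if not payload or payload == original_value:
        return page, 0
    return reflected_payload_pattern(payload).subn(REFLECTED_VALUE, page)


def same_after_reflection_removal(page_a, page_b, payload_a, payload_b, original):
    """Do two responses differ only by the payload each one echoed back?"""
    cleaned_a, _ = remove_reflection(page_a, payload_a, original)
    cleaned_b, _ = remove_reflection(page_b, payload_b, original)
    return cleaned_a == cleaned_b


# Constructed sample response (mirrors the slide's "Query results for:" line).
SAMPLE_PAGE = "Query results for: 1%20AND%201%3D1 <b>3 items</b>"
```

Without this step the boolean-based check would see the echoed "1 AND 1=1" versus "1 AND 1=2" as a page difference and could report a false injection, which is exactly the noise the slide warns about.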
Dynamicity detection and removal
Noisy response resulting from sporadically
changing content (e.g. ads, banners, etc.)
Can cause problems in both detection and
enumeration phase
Particularly problematic for boolean-based
blind technique
Automatic detection and marking of dynamic
parts (info held in internal knowledge base)
In best case, automatic recognition and usage
of string value appearing only in True
responses (option --string)
Content filtering
Occasionally pages are bulked with non-textual
content (CSS styles, comments, JavaScript,
HTML tags, embedded objects, etc.)
Changes regarding boolean-based blind
technique are usually affecting only one small
textual part (e.g. table entry)
Optional filtering of non-textual content (switch --text-only)
For example: <html>...<td>Tooth fairy</td>...</html> is filtered to ...Tooth fairy...
Better detection and less trash(y) results
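A text-only filter of the kind the slide describes, as an added example built on the standard-library HTML parser (not sqlmap's own implementation): tags, comments and the contents of script/style/noscript elements are dropped, character references are decoded, and runs of whitespace are collapsed so that only the textual part the boolean-based check cares about remains.

```python
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collects text nodes, skipping everything inside script/style/noscript.
    Comments are discarded because handle_comment is not overridden."""
    SKIP = ("script", "style", "noscript")

    def __init__(self):
        super().__init__(convert_charrefs=True)   # &amp; etc. become characters
        self._skip_depth = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def text_only(page):
    """Strip markup, scripts, styles and comments; normalise whitespace."""
    parser = _TextExtractor()
    parser.feed(page)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip()


# Constructed sample page: the slide's table cell buried in non-textual content.
SAMPLE_PAGE = (
    "<html><head><style>td{color:red}</style>"
    "<script>var tracking = Math.random();</script></head>"
    "<body><!-- banner rotation --><table><tr><td>Tooth &amp; fairy</td></tr></table>"
    "</body></html>"
)
```

A page whose JavaScript or comments change on every load (the rotating tracking value above) compares as identical once filtered, which is where the gain for the boolean-based blind technique comes from.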
Wizard mode
For beginner users and script kiddies (switch
--wizard)
Questions asked:
Target URL
POST data (if any)
Injection difficulty (Normal/Medium/Hard)
Enumeration (Basic/Intermediate/All)
Infamous for Comodo Brazil breach (March
2011) – attackers posted wizard mode console
output to the Pastebin
Level/risk of detection
Number of requests per each parameter in
testing phase can grow from 10 up to 10K
To prevent unnecessary noise and speed up the
testing time, tests are classified by level and
risk
Level (option --level) represents (passing)
possibility/usability of the test case (higher
level means lower possibility)
Risk (option --risk) represents potential
damage that the test case can cause (higher
risk means higher potential damage)
Heuristic SQL injection checks
Recognition of the backend DBMS if error
message can be provoked with arbitrary invalid
SQL sequence (e.g. ())'"(''"')
In case that the parameter value is integer and
response for (e.g.) 1 is the same as for (2-1),
there is a good chance that the target is
vulnerable
In case of detected boolean-based blind
technique, DBMS specific queries are used (e.g.
(SELECT 0x616263)=0x616263) to potentially
move focus to a particular DBMS in further
tests
Type casting detection
Type casting is an efficient way for dealing with
SQL injection on numeric values
$query = "SELECT * FROM log WHERE id=" .
intval($_GET['id']);
Implemented automatic detection of such
cases
In case that the parameter value is integer and
response for (e.g.) 1 is the same as for 1foobar,
there is a good chance that the target is using
integer casting
User is warned of a potentially “futile” run
Fingerprinting
Web server is being fingerprinted by known
HTTP headers, cookie values, etc.
DBMS is being fingerprinted through error
message parsing, banner parsing and tests
with version specific payloads (obtained from
release notes and reference manuals)
For example, cookie value ASP.NET_SessionId is
specific for ASP.NET/IIS/Windows platform,
while TO_SECONDS(950501)>0 check should work
only on MySQL >= 5.5.0
Detailed DBMS version check is done only if switch -f/--fingerprint is used
Suhosin-patch detection
Open source patch for PHP, protecting web
server from “insecure PHP practices”
suhosin.get.max_value_length (default: 512),
suhosin.post.max_value_length, etc.
Causing problems in enumeration phase when
payloads are big (e.g. enumerating column
names)
After the detection phase single payload
(depending on detected techniques) is sent
having size greater than 512 (e.g. 1 AND 6525
= … 6525)
User is warned in case of False response
WAF/IDS/IPS detection
Sending one “suspicious” request (in form of
dummy parameter value) and checking for
response change(s) when compared to original
(switch --check-waf)
WAF scripts (switch --identify-waf) do a thorough check, each focusing on the peculiarities of a particular product
For example, WebKnight responds with HTTP
status code 999 on detected suspicious activity
Currently there are 29 WAF scripts (airlock.py,
barracuda.py, bigip.py, etc.)
WAF/IDS/IPS bypass
Tamper scripts (option --tamper) do changes on
injected payload before it's being sent
User has to choose appropriate one(s) based
on collected knowledge of target's behavior
and/or detected WAF/IDS/IPS product
If required, a chain of tamper scripts can be used (e.g. --tamper="between,ifnull2ifisnull")
Currently there are 36 tamper scripts
(apostrophemask.py, apostrophenullencode.py,
appendnullbyte.py, etc.)
String value escaping
Each string value inside payload is
automatically escaped (quoteless format)
depending on targeted DBMS
For example: 1 ... AND username="root"-- is in case of MySQL escaped to 1 ... AND username=0x726f6f74--
Avoidance of filter-based escaping functions
(e.g. addslashes)
Adding implicit dependence to targeted DBMS
Payload obfuscation (harder noticeability in
target log files)
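The other side of the slide's last point, as an added example (not from sqlmap): the MySQL hex literal form shown above, and a small filter a defender can run over query-log lines to turn such literals back into readable strings, so that 0x726f6f74 in a log is once again visible as 'root'. The log line is constructed for the example; only literals that decode to printable UTF-8 are rewritten, so numeric hex values are left untouched.

```python
import re

HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]{2,})\b")


def mysql_hex_literal(value):
    """Quoteless MySQL string literal: 'root' -> 0x726f6f74 (as on the slide)."""
    return "0x" + value.encode("utf-8").hex()


def decode_hex_literals(query):
    """Rewrite every 0x.. literal that decodes to printable text as a quoted
    string and return (rewritten_query, decoded_values).  Odd-length or
    non-printable literals (genuine numbers, binary blobs) are kept as-is."""
    decoded = []

    def replace(match):
        try:
            text = bytes.fromhex(match.group(1)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)
        if not text.isprintable():
            return match.group(0)
        decoded.append(text)
        return "'" + text.replace("'", "''") + "'"

    return HEX_LITERAL.sub(replace, query), decoded


# Constructed sample line in the style of a MySQL general query log.
SAMPLE_LOG = ("2013-05-23T10:00:00 12 Query SELECT * FROM users "
              "WHERE id=1 AND username=0x726f6f74-- ")
```

Applying decode_hex_literals to logs before keyword-based review removes the "harder noticeability" advantage the slide mentions; it costs one regex pass per line.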
Evaluation of custom code
Custom Python code can be evaluated before
each request (option --eval)
In such code, each request parameter is
accessible as a local variable
All resulting variable values are included into
the request as new parameter values
--eval="import hashlib;hash=hashlib.md5(id).hexdigest()"
www.target.com/vuln.php?id=1 AND 1=1&hash=7f134e52836a00e26493e690ed8aa735
Fuzzy page comparison
Used (mostly) in boolean-based blind
technique
Gestalt pattern matching (Ratcliff-Obershelp
algorithm)
Supported by standard Python module difflib
Class SequenceMatcher
Method ratio() (or faster quick_ratio())
giving a measure of the sequences’ similarity
as a float in range [0, 1]
True result if ratio() > 0.98 when compared
with original page
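The dynamicity removal from the earlier slide and the fuzzy comparison from this one, together in one added example (not sqlmap's code; the page, the 0.98 threshold usage and the helper names are the example's own). Two fetches of the untouched page are diffed to learn which spans change on their own; each span is remembered by the stable text around it, masked in later responses, and only then is difflib's Ratcliff/Obershelp ratio compared against the threshold. The constructed sample page shows why the order matters: a rotating ad block of four characters alone pushes an identical result page below 0.98.

```python
import difflib

MATCH_RATIO = 0.98          # the slide's threshold for "same as the original page"
DYNAMIC_MARK = "__DYNAMIC__"
CONTEXT = 12                # characters of stable context kept around a dynamic part


def learn_dynamic_markers(page_a, page_b, context=CONTEXT):
    """Diff two fetches of the untouched page; every differing span is recorded
    as the (prefix, suffix) of stable text surrounding it, so it can be located
    in later responses whatever its content is at that moment."""
    matcher = difflib.SequenceMatcher(None, page_a, page_b, autojunk=False)
    markers = []
    for tag, i1, i2, _j1, _j2 in matcher.get_opcodes():
        if tag != "equal":
            markers.append((page_a[max(0, i1 - context):i1], page_a[i2:i2 + context]))
    return markers


def remove_dynamic_content(page, markers):
    """Replace each learned dynamic span with DYNAMIC_MARK."""
    for prefix, suffix in markers:
        start = page.find(prefix)
        if start < 0:
            continue
        start += len(prefix)
        end = page.find(suffix, start) if suffix else len(page)
        if end < 0:
            continue
        page = page[:start] + DYNAMIC_MARK + page[end:]
    return page


def similarity(page, reference):
    """Ratcliff/Obershelp similarity in [0, 1] (SequenceMatcher.ratio)."""
    return difflib.SequenceMatcher(None, page, reference, autojunk=False).ratio()


def looks_like_true_page(page, original, markers=()):
    """Boolean-based blind decision: is this response 'the same' as the original?"""
    cleaned = remove_dynamic_content(page, markers)
    baseline = remove_dynamic_content(original, markers)
    return similarity(cleaned, baseline) > MATCH_RATIO


# Constructed sample page: the result the injection toggles plus a rotating ad id.
def sample_page(ad_id, body):
    return ("<html><head><title>Search</title></head><body>" + body +
            "<div id='ad'>" + ad_id + "</div><p>Showing results</p></body></html>")


RESULT_ROW = "<table><tr><td>Tooth fairy</td><td>active</td></tr></table>"
NO_RESULTS = "<p>No results</p>"
```

autojunk is switched off explicitly: with it on, SequenceMatcher treats characters that make up more than 1% of a 200+ character page (angle brackets, spaces) as junk, which makes ratios for HTML pages less predictable. quick_ratio() is an upper bound on ratio() and can be used first to reject clearly different pages cheaply.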
Definite page comparison
Used mostly in boolean-based blind technique
When fuzzy page comparison fails (e.g. too
much page dynamicity) and user is able to
distinguish True from False responses by
himself (non-n**b)
String to match when result should be
recognized as True (option --string)
Regular expression to match … (option --regex)
Compare HTTP codes (switch --code)
Compare HTML titles (switch --title)
Null connection
Sometimes there is no need for retrieval of
whole page content (size can be enough)
Boolean-based blind technique
3 methods: Range, HEAD and “skip-read”
Range: bytes=-1
Content-Range: bytes 4789-4790/4790
HEAD /search.aspx HTTP/1.1
Content-Length: 4790
Both are resulting (if applicable) with either
empty or 1 char long response
Method “skip-read” retrieves only HTTP
headers looking for Content-Length
False positive detection
False positives are highly undesirable
Specific for boolean-based blind and time-based blind techniques
False positive tests are done in cases when
only one of those techniques is detected
Set of trivial mathematical checks performed to
see if target can “respond” correctly
For example:
(123+447)=570
319>(519+110)
(654+267)>854
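The arithmetic checks as an added example (not sqlmap's code): a generator that produces comparisons with a known truth value, alternating true and false ones so that a target which answers everything the same way is caught, and a verifier that runs them through whatever oracle the detection phase uses. The reference oracle here simply evaluates the arithmetic; in practice the oracle is the page comparison (or timing check) for the injected condition.

```python
import random


def make_arithmetic_checks(count=3, rng=None):
    """Produce (expression, expected) pairs in the style of the slide, e.g.
    (123+447)=570 or 319>(519+110).  Expected answers alternate between True
    and False so a target that always 'answers' True fails the test."""
    rng = rng or random.Random(0)      # seeded: reproducible for the example
    checks = []
    for i in range(count):
        want = (i % 2 == 0)
        a, b = rng.randint(100, 999), rng.randint(100, 999)
        delta = rng.randint(1, 50)
        op = rng.choice(["=", ">", "<"])
        if op == "=":
            expr = "(%d+%d)=%d" % (a, b, a + b if want else a + b + delta)
        elif op == ">":
            expr = "%d>(%d+%d)" % (a + b + delta if want else a + b - delta, a, b)
        else:
            expr = "(%d+%d)<%d" % (a, b, a + b + delta if want else a + b - delta)
        checks.append((expr, want))
    return checks


def passes_false_positive_test(oracle, checks):
    """oracle(expr) -> bool is the classification of the response to the
    injected condition.  A genuine injection gets every check right."""
    return all(oracle(expr) == expected for expr, expected in checks)


def sql_truth(expr):
    """Reference oracle: evaluate the comparison itself (SQL '=' -> Python '==')."""
    return bool(eval(expr.replace("=", "==")))


# The three checks printed on the slide, with their truth values.
SLIDE_CHECKS = [("(123+447)=570", True), ("319>(519+110)", False), ("(654+267)>854", True)]
```

A page that flips between two states for an unrelated reason (rate limiting, a rotating banner that survived dynamicity removal) would pass a single check by chance about half the time; three independent checks with mixed expected answers bring that down to one in eight, and more can be added when a detection looks doubtful.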
Delay detection
Detection of “artificial” delay
Statistical comparison with normal response
times
Response time must fit under the Gaussian bell
curve to be marked as “normal”
Is <current_response_time> >
avg(<normal_response_times>)
+7*stdev(<normal_response_times>)?
If answer is yes, probability that we are dealing
with “artificial” delay is 99.9999999997440%
Especially useful when heavy queries are used
(not knowing expected delay value)
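The threshold test on this slide, as an added example (not sqlmap's code): mean and sample standard deviation of a constructed set of normal response times give the cut-off, a response above it is flagged as artificial, and the slide's probability figure is recovered from the normal distribution as erf(7/sqrt 2). The baseline values are constructed for the example.

```python
import math
import statistics

SIGMA_FACTOR = 7            # the slide's avg + 7*stdev cut-off

# Constructed sample: baseline response times (seconds) of ordinary requests.
NORMAL_TIMES = [0.21, 0.19, 0.23, 0.20, 0.22, 0.18, 0.24, 0.20, 0.21, 0.19]


def delay_threshold(normal_times, factor=SIGMA_FACTOR):
    """Upper bound of 'normal': mean + factor * sample standard deviation."""
    if len(normal_times) < 2:
        raise ValueError("need at least two baseline measurements")
    return statistics.mean(normal_times) + factor * statistics.stdev(normal_times)


def is_artificial_delay(response_time, normal_times, factor=SIGMA_FACTOR):
    """True when the response took longer than any plausible normal response."""
    return response_time > delay_threshold(normal_times, factor)


def confidence_at_sigma(factor=SIGMA_FACTOR):
    """Probability that a normally distributed response time lies within
    +-factor standard deviations of the mean, i.e. erf(factor / sqrt 2).
    For factor 7 this is the slide's 99.9999999997440%."""
    return math.erf(factor / math.sqrt(2))
```

The figure holds only under the Gaussian assumption; response times on a congested link are skewed with a long tail, so the baseline should be collected under the same conditions as the probes, and a flagged delay is worth confirming with a second probe of a different length rather than trusted from one sample.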
UNION query column #
UNION query requires knowledge of number of
columns (N) for vulnerable SQL statement
Two methods used: ORDER BY and statistical
(same principle as in delay detection)
ORDER BY N+1 should respond noticeably
different (preferably with error message) than
for ORDER BY N (binary searched)
In statistical method responses for candidates
(UNION SELECT NULL, NULL,...) are compared
to original (not injected) response
Right one is the one that seems “not normal”
(having ratio outside the Gaussian bell curve)
Output prediction
Inference techniques (boolean-based blind and
time-based blind) require optimization
wherever and whenever possible
In certain cases prediction(s) can be made
Checking if current retrieved entry shares same
prefix with previous retrieved entr(ies)
For example DROP ANY ROLE has same prefix as
DROP ANY RULE (one request per checked
character compared to bit-by-bit retrieval)
Using common output values too (e.g.
information_schema, phpmyadmin, etc.)
Brute forcing identifier names
In case of missing schema (e.g. deleted
information_schema) brute force search is
required (e.g. 1=(SELECT 1 FROM users))
Searching for common table names (switch
--common-tables)
Searching for common column names (switch
--common-columns)
Conducted automated search and parsing of
resulting SQL files for chosen Google dorks
(e.g. ext:sql “CREATE TABLE”)
Collected most frequent 3.3K table names and
2.5K column names
Pivot dump table
Some DBMSes (e.g. Microsoft SQL Server) don't
have OFFSET/LIMIT query mechanism making
enumeration problematic in non-UNION query
techniques
Column with most DISTINCT values is
automatically chosen as the pivot column
Pivot's first value bigger than previous (e.g.
SELECT MIN(id) WHERE id > ' ') is retrieved
Entries for other columns (e.g. SELECT name
WHERE id=1) are being retrieved using current
pivot value
Iterative process
International letters
Добрый день Россия
Page encoding is parsed from Content-Type HTTP header, Content-Type meta HTML header or heuristically detected (3rd party module chardet)
RAW target response is automatically decoded
to Unicode (using detected page encoding)
In case of inband techniques (UNION query and
error-based) results with international letters
are already supported if decoding went
properly
International letters (2)
In case of inference techniques (boolean-based
blind and time-based blind) characters are
being inferred already in their Unicode form
Potential problems occur when stored data and/or the database connector use a different (incompatible) charset than the target's response
In case of unsuccessful decoding of
international letters (e.g. gibberish output)
charset can be enforced (option --charset)
Hex encoding retrieved data
All supported DBMSes have capabilities to
encode resulting data to hexadecimal format
(switch --hex)
Most useful in cases when (parts of) results are
potentially lost (e.g. binary data in inband
techniques)
Retrieved data is automatically decoded to its
original (non-hexadecimal) format
Such binary content is checked for known formats (using 3rd party module magic) and (if recognized) stored to output files
Dump format
Dumped table content can be stored in 3
different formats: CSV (default), HTML and
SQLite (option --dump-format)
In CSV format each row is represented by one
line and each column entry is being separated
by a predefined separator character (e.g. ,)
In HTML format dump is stored into a visually
recognizable (browser) table
In SQLite format dump is “replicated” to a
locally stored SQLite3 database giving a
possibility of (among others) running queries
against it
Password cracking
Implemented support for detection and
wordlist-based cracking of 14 different
commonly used hash algorithms
MySQL (newer and older), MsSQL (newer and
older), Oracle (newer and older), PostgreSQL,
MD5, SHA1, etc.
Automatic analysis of retrieved passwords (--passwords) and table dumps (--dump)
(Optional) common suffix forms (1, 123, etc.)
Multiprocessed attack (# of CPUs)
1M MySQL hash guesses in under 10 seconds
on 4 core Intel Xeon W3550 @ 3.07GHz
Large dictionary support
Distributed access in multiprocessing
environment
Support for huge dictionaries (chunk read)
Support for dictionary lists
Support for ZIP compressed dictionaries
Included custom built and compressed
dictionary (1.2M entries) based on highly
popular and publicly available dumps, like
RockYou, Gawker, Yahoo, etc.
Stagers and backdoors
Stagers are used for uploading arbitrary
(binary) files (e.g. UDF files, backdoors, etc.)
Backdoors are used for OS command execution
(switches --os-cmd and --os-shell)
Prerequisite is that one of known SQL file write
methods can be used (e.g. INTO DUMPFILE, EXEC
xp_cmdshell 'debug.exe < dump.src', etc.)
4 different platforms supported: ASP, ASP.NET,
JSP and PHP
Stored in “cloaked” format (preventing local AV
triggering) inside shell directory
Metasploit integration
Automated creation, upload and execution of Metasploit shellcode payload (switch --os-pwn)
User can choose payload (Meterpreter, shell
or VNC), connection (reverse TCP, reverse HTTP,
etc.) and encoder type (no encoder, Call+4
Dword XOR Encoder, etc.)
shellcodeexec(.exe) is being uploaded along
with (non-compiled) Metasploit shellcode
payload using stager or other means
Metasploit CLI is being run at the host machine
Payload is being executed at the target
machine connecting back to the host machine
Second order SQL injection
Occurs when provided user data stored at one
place is being used in vulnerable SQL
statement at the other place
Similar to permanent XSS
User can explicitly set the location where to
look for the response (option --second-order)
Effectively doubling number of required
requests
DNS exfiltration
Out-of-band SQL injection technique using DNS
resolution mechanism (option --dns-domain)
Fake DNS server instance is automatically
being made at the host machine
SQL injection payloads being sent are
deliberately provoking DNS resolution
mechanism at the target machine
Provoked DNS requests carry results of a query
Fake DNS server instance intercepts requests
and responds with dummy resolution answers
Requires registration of a nameserver for the
used domain pointing to the host machine
Output purging
Output directory can be (optionally) “safely”
removed (switch --purge-output)
Content of all contained files (sessions, logs,
dumps, etc.) is being overwritten with random
data
Files truncated and renamed to random values
(sub)directories renamed to random values
At the end, whole output directory tree is being
removed
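The purge sequence on this slide, as an added example (not sqlmap's implementation): files are overwritten in place with random bytes, truncated, renamed to random names, directories are renamed bottom-up, and finally the tree is removed. A demo helper builds a constructed output tree in a temporary directory so the procedure can be run safely; the helper and function names are the example's own.

```python
import os
import shutil
import tempfile


def _random_name():
    return os.urandom(8).hex()


def purge_output(directory):
    """Wipe an output directory the way the slide describes: overwrite every
    file with random data, truncate it, rename files and (sub)directories to
    random names, then remove the whole tree.  Returns the number of files
    wiped."""
    wiped = 0
    for root, dirs, files in os.walk(directory, topdown=False):
        for name in files:
            path = os.path.join(root, name)
            size = os.path.getsize(path)
            with open(path, "r+b") as fh:          # overwrite contents in place
                fh.write(os.urandom(size))
                fh.flush()
                os.fsync(fh.fileno())
            with open(path, "wb"):                 # truncate to zero length
                pass
            os.rename(path, os.path.join(root, _random_name()))
            wiped += 1
        for name in dirs:                          # children already handled (bottom-up)
            os.rename(os.path.join(root, name), os.path.join(root, _random_name()))
    shutil.rmtree(directory)
    return wiped


def make_sample_output_dir():
    """Demo helper: build a small constructed output tree (session, log, dump)."""
    base = tempfile.mkdtemp(prefix="output-purge-demo-")
    os.makedirs(os.path.join(base, "target.example", "dump"))
    for rel in ("target.example/session.sqlite", "target.example/log",
                "target.example/dump/users.csv"):
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(b"constructed sample content\n" * 4)
    return base


def output_dir_exists(path):
    return os.path.exists(path)
```

Overwriting in place is why the slide puts "safely" in quotes: on journaling or copy-on-write file systems and on SSDs with wear levelling the old blocks may survive the overwrite, so the purge removes the data from casual recovery, not from a forensic image.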