Bernardo Damele Assumpção Guimarães

Advanced SQL injection to operating system full control


Black Hat Briefings Europe, Amsterdam (NL) - April 16, 2009

Who I am

Bernardo Damele Assumpção Guimarães:

- Proud father
- IT security engineer
- sqlmap lead developer
- MySQL UDF repository developer


SQL injection definition

- SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL statements

- It is a common threat in web applications that lack proper sanitization of user-supplied input used in SQL queries


SQL injection techniques

- Boolean-based blind SQL injection:

    par=1 AND ORD(MID((SQL query), Nth char, 1)) > Bisection num--

- UNION query (inband) SQL injection:

    par=1 UNION ALL SELECT query--

- Batched queries SQL injection:

    par=1; SQL query;--
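
All three templates depend on `par` reaching the SQL parser as statement text. The following is an added example, not part of the original slides: it uses Python's `sqlite3` module to run constructed values shaped like those templates through a concatenated query and through a parameterized one. The table names, function names and sample values are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO items VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO secrets VALUES (1, 'constructed-token');
    """)
    return db

def lookup_concat(db, par):
    """Vulnerable: par is pasted into the statement text and parsed as SQL."""
    try:
        return db.execute("SELECT name FROM items WHERE id = " + par).fetchall()
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # sqlite3's execute() accepts a single statement, so the batched
        # value is refused by this driver; other drivers may run it.
        return "rejected: " + type(exc).__name__

def lookup_bound(db, par):
    """Hardened: the statement text is fixed; par travels as a bound value."""
    return db.execute("SELECT name FROM items WHERE id = ?", (par,)).fetchall()

# Constructed values that follow the three templates on the slide.
SAMPLES = {
    "benign": "1",
    "boolean_true": "1 AND 1=1",
    "boolean_false": "1 AND 1=2",
    "union": "1 UNION ALL SELECT token FROM secrets--",
    "batched": "1; DELETE FROM items;--",
}

def compare():
    """Return {label: (concatenated result, parameterized result)}."""
    db = make_db()
    return {k: (lookup_concat(db, v), lookup_bound(db, v))
            for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, (concat, bound) in compare().items():
        print(f"{label:14} concat={concat!r} bound={bound!r}")
```

With concatenation, the boolean values change which rows come back and the UNION value returns a row from a second table; with the bound parameter every non-numeric value is compared as a plain string and matches nothing.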


How far can an attacker go by exploiting a SQL injection?
