7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

1/37

mailto:bernardo.damele@gmail.com

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

2/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

3/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

4/37

http://www.wiretrip.net/rfp/policy.htmlhttp://www.zscaler.com/http://www.owasp.org/http://www.forristal.com/

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

5/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

6/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

7/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

8/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

9/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

10/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

11/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

12/37

http://www.toolcrypt.org/index.html?dbgtoolhttp://www.toolcrypt.org/

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

13/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

14/37

http://en.wikipedia.org/wiki/User-defined_function

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

15/37

http://www.0xdeadbeef.info/

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

16/37

http://www.mysqludf.org/

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

17/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

18/37

http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.htmlhttp://www.davidlitchfield.com/http://daniele.bellucci.googlepages.com/http://www.leidecker.info/

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

19/37

http://en.wikipedia.org/wiki/Stored_procedure

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

20/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

21/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

22/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

23/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

24/37

http://www.atlantacon.org/events_2001.htmlhttp://en.wikipedia.org/wiki/Sir_Dystichttp://www.blackhat.com/html/bh-usa-97/speakers.htmlhttp://www.linkedin.com/in/dbrezinski

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

25/37

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4037

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

26/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

27/37

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5416http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5416

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

28/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

29/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

30/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

31/37

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

32/37

http://nomoreroot.blogspot.com/

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

33/37

http://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.htmlhttp://sqlninja.sourceforge.net/http://lab.lonerunners.net/http://www.pornosecurity.org/http://sourceforge.net/projects/sqlmap/http://sourceforge.net/projects/sqlmap/

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

34/37

http://www.microsoft.com/technet/security/Bulletin/MS08-068.mspxhttp://www.microsoft.com/technet/security/Bulletin/MS08-068.mspxhttp://www.microsoft.com/express/vc/http://technet.microsoft.com/en-us/library/bb491040.aspxhttp://www.nologin.org/Downloads/Papers/meterpreter.pdfhttp://www.0xdeadbeef.info/exploits/raptor_udf2.chttp://labs.mwrinfosecurity.com/files/Publications/mwri_security-implications-of-windows-access-tokens_2008-04-14.pdfhttp://www.xfocus.net/articles/200305/smbrelay.htmlhttp://upx.sourceforge.net/http://www.immunitysec.com/products-canvas.shtmlhttp://blog.metasploit.com/2008/11/ms08-067-metasploit-and-smb-relay.htmlhttp://www.milw0rm.com/exploits/7501http://www.milw0rm.com/exploits/7501http://gcc.gnu.org/http://download.matus.in/doc/Hacking/Navody/NT.AUTHENTIFICATION_WEAKNESS.TXThttp://media.wiley.com/product_ancillary/14/07645780/DOWNLOAD/578014_Code.ziphttp://www.coresecurity.com/content/microsoft-sql-server-spreplwritetovarbin-remote-heap-overflow-exploit-8http://www.coresecurity.com/content/microsoft-sql-server-spreplwritetovarbin-remote-heap-overflow-exploit-8http://www.argeniss.com/research/Churrasco2.ziphttp://www.argeniss.com/research/Churrasco.ziphttp://www.argeniss.com/research/TokenKidnapping.pdfhttps://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txthttps://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txthttps://svn.sqlmap.org/sqlmap/trunk/sqlmap/http://sqlmap.sourceforge.net/http://sqlmap.sourceforge.net/http://bernardodamele.blogspot.com/2009/01/debug-scripts-from-binaries.htmlhttp://www.motobit.com/tips/detpg_cmdshell/http://lab.lonerunners.net/blog/sqli-writing-files-to-disk-under-postgresql

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

35/37

http://dev.mysql.com/doc/refman/5.1/en/select.htmlhttp://dev.mysql.com/doc/refman/5.1/en/string-functions.htmlhttp://dev.mysql.com/doc/refman/5.1/en/load-data.htmlhttp://dev.mysql.com/doc/refman/5.1/en/privileges-provided.htmlhttp://dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-filehttp://dev.mysql.com/doc/refman/5.1/en/information-functions.html#function_benchmarkhttp://dev.mysql.com/doc/refman/5.1/en/miscellaneous-functions.html#function_sleephttp://dev.mysql.com/doc/refman/5.1/en/adding-udf.htmlhttp://dev.mysql.com/doc/refman/5.1/en/server-system-variables.html#sysvar_plugin_dirhttp://dev.mysql.com/doc/refman/5.1/en/news-5-1-19.htmlhttp://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.htmlhttp://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.htmlhttp://dev.mysql.com/doc/refman/5.0/en/create-function-udf.htmlhttp://dev.mysql.com/doc/refman/5.0/en/news-5-0-12.htmlhttp://dev.mysql.com/doc/refman/4.1/en/news-4-1-25.htmlhttp://msdn.microsoft.com/en-us/library/ms175046.aspxhttp://msdn.microsoft.com/en-us/library/ms188365.aspxhttp://msdn.microsoft.com/en-us/library/aa260678(SQL.80).aspxhttp://msdn.microsoft.com/en-us/library/ms175046.aspxhttp://msdn.microsoft.com/en-us/library/ms175046(SQL.90).aspxhttp://msdn.microsoft.com/en-us/library/aa260689(SQL.80).aspxhttp://support.microsoft.com/kb/899298http://support.microsoft.com/kb/899298http://support.microsoft.com/kb/899298http://support.microsoft.com/kb/104829http://support.microsoft.com/kb/875352http://support.microsoft.com/kb/875352http://www.microsoft.com/technet/security/Bulletin/MS09-004.mspxhttp://www.microsoft.com/technet/security/Bulletin/MS09-004.mspx

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

36/37

http://metasploit.com/framework/http://rpbouman.blogspot.com/2007/09/creating-mysql-udfs-with-microsoft.htmlhttp://www.phrack.org/issues.html?id=8&issue=54http://www.phrack.org/issues.html?id=8&issue=54http://pgfoundry.org/projects/npgsqlhttp://www.postgresql.org/docs/8.3/static/xfunc-c.htmlhttp://www.postgresql.org/docs/8.3/static/xplang.htmlhttp://www.postgresql.org/docs/8.3/interactive/sql-update.htmlhttp://www.postgresql.org/docs/8.3/interactive/sql-insert.htmlhttp://www.postgresql.org/docs/8.3/interactive/sql-createfunction.htmlhttp://www.postgresql.org/docs/8.3/interactive/catalog-pg-largeobject.htmlhttp://www.postgresql.org/docs/8.3/interactive/lo-funcs.htmlhttp://www.postgresql.org/docs/8.3/interactive/largeobjects.htmlhttp://www.postgresql.org/docs/8.3/interactive/functions-string.htmlhttp://www.postgresql.org/docs/8.3/interactive/sql-copy.htmlhttp://www.postgresql.org/docs/8.3/interactive/functions-srf.htmlhttp://www.postgresql.org/docs/8.3/interactive/functions-datetime.html#FUNCTIONS-DATETIME-DELAYhttp://www.postgresql.org/docs/8.3/interactive/functions-datetime.html#FUNCTIONS-DATETIME-DELAYhttp://www.postgresql.org/docs/8.3/interactive/release-8-2.htmlhttp://www.owasp.org/index.php/OWASP_Backend_Security_Project_Testing_PostgreSQLhttp://www.owasp.org/index.php/Top_10_2007-A2http://www.owasp.org/index.php/Guide_to_SQL_Injectionhttp://www.leidecker.info/projects/pgshell.shtmlhttp://dev.mysql.com/downloads/connector/odbc/5.1.htmlhttp://dev.mysql.com/downloads/connector/net/5.2.htmlhttp://dev.mysql.com/doc/refman/6.0/en/create-function-udf.htmlhttp://dev.mysql.com/doc/refman/5.1/en/create-function-udf.htmlhttp://dev.mysql.com/doc/refman/5.1/en/update.htmlhttp://dev.mysql.com/doc/refman/5.1/en/insert.html

7/31/2019 BlackHat Europe 09 Damele a G Advanced SQL Injection Whitepaper

37/37

http://en.wikipedia.org/wiki/Library_(computing)http://en.wikipedia.org/wiki/Dynamic-link_libraryhttp://www.mysqludf.org/lib_mysqludf_sys/index.phphttp://trac.metasploit.com/browser/framework3/trunk/modules/exploits/multi/handler.rbhttp://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/smb/smb_relay.rb