SQL injection exploitation internals

SQL injectionexploitation internals

How do I exploit this webapplication injection point

Intercon III LondonJanuary 9 2009

Bernardo Damele A Gbernardodamelegmailcom

Intercon III London ndash January 9 2009 2

About meBernardo Damele A G

Proud father

Penetration Tester and Security Researcher

Currently working at Portcullis Computer Security Ltd

sqlmap lead developer

SQL what (12) From the OWASP Testing Guide

ldquoSQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commandsrdquo

There are plenty of resources on the Net about SQL injection concept it is a high-risk web application security flaw

A long list of resources can be found on my delicious profile httpdeliciouscominquissqlinjection

I keep it updated with stuff I consider valuable

A wise man once told me

ldquoAn image is worth thousands wordsrdquo

SQL what (22)

Source httpxkcdcom327

All right tons of resources and I am still presenting about SQL injection why

Because

New techniques have been released in the last year

Some aspects have been over-looked in the past

It is fun

State of art

Basically the steps to go through are

Detection of a possible SQL injection flaw

SQL query syntax detection

Back-end database management system fingerprint

Depending on the session user privileges back-end DBMS and some possible security settings in place server-side a SQL injection issue leads on the DBMS server to

DBMS data unauthorized access

File system read and write access

Operating system command execution

How does it work

sqlmap is an automatic SQL injection tool

Developed in Python Started on July 2006 initially by Daniele Bellucci then I took over in December 2006

Licensed under the terms of GPLv2

Detects and take advantage of SQL injection vulnerabilities in web applications The user can choose to

Perform an extensive back-end DBMS fingerprint

Enumerate users password hashes privileges databases tables columns and their datatypes

Dump entire or users specified database tables entries

Run custom SQL statements and more

sqlmap

sqlmap key features

Full support for MySQL Oracle PostgreSQL and Microsoft SQL Server back-end DBMS software

Full support for three SQL injection techniques

Inferential blind SQL injection

UNION query SQL injection

Stacked queries (multiple statements) support

Target aquisition from user by parsing WebScarabBurp proxies requests log files by Google dorking

Tests for injection flaws on GET and POST parameters HTTP User-Agent header and Cookie values

sqlmap features (12)

More features

Silent to verbose output messages

Granularity in the users options

Support for concurrent HTTP requests (multi-threading)

Estimated time of arrival

Session save and resume

Options from command line andor configuration file

Integration with Metasploit and w3af

File system read and write access and operating system command execution by providing own queries depending on the session user privileges and back-end DBMS

Real world

Have you ever had a dream Neo that you were so sure was real What if you were unable to wake from

that dream How would you know the difference between the dream world and the real world

Morpheus The Matrix

In the real world web applications are often complex

Usually the page content changes at each refresh

They have inline counters advertisement banner clocks etc

Inferential blind SQL injection algorithm is based on the concept that the HTTP responses differ depending on the SQL query

Dealing with advertisements (13)

Obstacle

If the page content does not depend only on the SQL statement and changes at each refresh then the algorithm may not work

Python library helped to solve this problem for each HTTP response sqlmap calls a function that compares the returned page content with the untouched original page content

Return a measure of the page contents similarity as a float in the range [0 1] with a radio of 3

It works also when the original page is stable but the injected query with a valid condition (True) differs

If the automatic comparison fails the user can provide a string or a regular expression to match on both original and True page contents and to not match on False page contents

In standard SQL language NULL is allowed as a value for a table column field

In the inferential blind SQL injection technique usually a bisection algorithm is used to identify if the ordinal value of the Nth query output character is higher of a certain ASCII table number this causes the page content to be True or False

The SQL statement used by sqlmap depending on the back-end DBMS is similar to

ASCII(SUBSTR((SQL query) Nth SQL query output char 1)) gt Bisection algorithm number

To NULL or not to NULL (14)

Obstacle

On some DBMS the substring function can not be used on NULL

A possible solution for this problem consists in modifying all SQL querys columns explicitly

Casting its output to be a string

Returning value (space) if the casted value is still NULL

Example on MySQL 50 The SQL query to enumerate the column name first entry is

SELECT name FROM testusers LIMIT 0 1

Casted SQL query

SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1

The inferential blind SQL injected statement will be then

ORD(MID((SELECT IFNULL(CAST(name AS CHAR(10000)) CHAR(32)) FROM testusers LIMIT 0 1) Nth SQL query output character 1)) gt Bisection algorithm number

URL encoded

ORD28MID2828SELECT20IFNULL28CAST28name20AS20CHAR281000029292C20CHAR2832292920FROM20testusers20LIMIT2002C201292C2012C2012929203E2063

You have got an injection point

The injection point is in a SQL statement as follows

SELECT FROM users WHERE id LIKE ((( $_GET[id] ))) LIMIT 0 1

SQL payload (13)

Obstacle

The injection is after a LIKE clause within three parenthesis the statement terminates with a LIMIT clause

SQL payload (23)

In this example the SQL payload that sqlmap identifies is

id=1))) AND (((RaNd LIKE RaNd

In the inferential blind SQL injection algorithm will be

id=1))) AND ORD(MID((SQL query) Nth SQL query output character 1)) gt Bisection algorithm number AND (((RaNd LIKE RaNd

In the UNION query SQL injection technique will be

id=1))) UNION ALL SELECT NULL Concatenated SQL query NULL AND (((RaNd LIKE RaNd

SQL payload (33)

First demo

I did every demo possible to see if the things would do what they were promising they would do

Doug Hall

It is vulnerable to UNION query SQL injection

sqlmap detected it for you by NULL bruteforcing or by ORDER BY clause bruteforcing depending on your options

Bypass columns limitation (14)

Obstacle

The number of columns in the web application SELECT statement is lower than the number of columns of your UNION ALL SELECT statement

A possible solution consists in concatenating your SELECT statement columns in a single output by using the specific DBMS string concatenation operator or function

Example on PostgreSQL 83 to retrieve users privileges

The SQL query to inject is

SELECT usename usecreatedb usesuper usecatupd FROM pg_user

The injection will be

UNION ALL SELECT NULL CHR(83)||CHR(114)||CHR(108)||CHR(71)||CHR(86)||CHR(116)||COALESCE(CAST(usename AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecreatedb AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usesuper AS CHARACTER(10000)) CHR(32))||CHR(104)||CHR(100)||CHR(122)||CHR(81)||CHR(121)||CHR(90)||COALESCE(CAST(usecatupd AS CHARACTER(10000)) CHR(32))||CHR(75)||CHR(121)||CHR(80)||CHR(65)||CHR(68)||CHR(102) NULL FROM pg_usershyshy

Obstacle

You have got an injection point vulnerable to UNION query SQL injection Only the query outputs first entry or a range of entries is displayed in the page content

Going partial UNION (13)

sqlmap automatizes a known technique

Changes the parameter value to its negative value causing the original query to produce no output

Inspects and unpack the provided SQL statement

Calculates its output number of entries

Limits it after the UNION ALL SELECT to return one entry at a time

Repeat the previous action N times where N is equal to the number of entries

Example on MySQL 41 to enumerate list of databases

SELECT db FROM mysqldb

sqlmap identified the injection point as being an non-quoted parameter (integer) in the WHERE clause with the equal operator (simple scenario)

id=shy1 UNION ALL SELECT NULL CONCAT(CHAR(1008471698798)IFNULL(CAST(db AS CHAR(10000)) CHAR(32)) CHAR(65831188187116)) NULL FROM mysqldb LIMIT 0 1 AND 6972=6972

Back-end DBMS fingerprinting is a mandatory step to go through to take full advantage of a SQL injection flaw

There are a few well known techniques and a few over-looked techniques

sqlmap implements up to four techniques three of these are in use by other tools

The user can force the back-end DBMS software value no HTTP requests are sent to identify the software

By default a basic DBMS fingerprint based on one or two techniques is done only two HTTP requests are sent

The user can choose to perform an extensive DBMS fingerprint based on four techniques numerous (30+) HTTP requests are sent

DBMS fingerprint (14)

The techniques implemented to perform an extensive back-end DBMS fingerprint are

Inband error messages

Banner parsing

SQL dialect

Specific functions static output comparison

On a default installation all of them are reliable

On a hardened installation the last two are reliable

Example of basic back-end DBMS fingerprint on PostgreSQL 83

The techniques in use are two

The two SQL queries injected to identify it are

AND integerint=integer

SQL dialect

AND COALESCE(integer NULL)=integer

Specific function static output comparison

Example of extensive back-end DBMS fingerprint on Microsoft SQL Server 2005

The techniques in use are three

The result is

active fingerprint Microsoft SQL Server 2005banner parsing fingerprint Microsoft SQL Server 2005 Service Pack 0 version 9001399html error message fingerprint Microsoft SQL Server

Active fingerprint refers to SQL dialect and specific functions static output comparison

Fingerprinting is a key step in penetration testing

It is not only about back-end DBMS software

There are techniques and tools to fingerprint the web server the web application technology and their underlying system

What about the back-end DBMS underlying system

sqlmap can fingerprint them without making extra requests

Webapplication server and web application technology by parsing the HTTP response headers (Server X-AspNet-Version X-Powered-By etc) ndash known technique

Back-end DBMS operating system by parsing the DBMS banner ndash over-looked technique

More on fingerprint

Second demo

A demo as in demolish or demonstrationCyclops X-Men Evolution

It might comes in handy sometimes to be able to run your own SQL queries mainly for file system read and write access and operating system command execution

The tool inspects the provided statement

If it is a SELECT statement sqlmap uses depending on users options the inferential blind or the UNION query technique to retrieve its output

If it is a data manipulation statement a transaction statement or any other valid SQL statement it uses stacked queries to run it if the web application supports them

Give me a SQL shell

Automation vs granularity (12)sqlmap has been developed to make it simple for a busy penetration tester to detect and exploit SQL injection vulnerabilities in web applications

Providing it with a source of targets it can automatically

Detect all possible SQL injections and confirm them

Identify the SQL query syntax

Fingerprint the back-end DBMS

The user does not have to look on the Net for DBMS specific queries then manually inject them to enumerate users password hashes check if the session user is a DBA enumerate table columns datatype etc

There is an option to dump the whole back-end DBMS

Automation vs granularity (22) The tester is a professional he knows what he does and why

There are options to specify

How to compare True and False HTTP responses

A single or more testable parameters

The SQL payload prefix and postfix

A single or a range of entries to dump from a table

A single or multiple columns to dump from a table

Custom SQL statements to run

Options can be specified from both command line andor configuration file

Options are documented in the users manual with examples

Third demo

I get tons of uninteresting mail and system announcements about babies born etc At least a

demo MIGHT have been interestingRichard Stallman

LimitationsCan sqlmap fail to detect or to exploit a SQL injection vulnerability

Yes in some cases mainly because it does not support

SQL injection on SQL clauses other than WHERE

Time based blind SQL injection technique

but I am working on these and others

Want to contributeI am always looking forward to code contributions

Try it find bugs send feature requests review the code and the documentation contribute on the mailing lists

I can provide you with

Details on code internals

Write access to the Subversion repository

Access to the development platform

A beer if you are in London area

Links and contactsHomepage httpsqlmapsourceforgenet

Documentation

httpsqlmapsourceforgenetdevindexhtml

httpsqlmapsourceforgenetdocREADMEpdf

Mailing lists

httpslistssourceforgenetlistslistinfosqlmap-users

httpslistssourceforgenetlistslistinfosqlmap-devel

Personal contacts

E-mail Jabber bernardodamelegmailcom

Blog httpbernardodameleblogspotcom

References OWASP Testing Guide Open Web Application Security Project

Exploit of a Mom xkcd

Deep Blind SQL Injection Ferruh Mavituna (Portcullis Computer Security Ltd)

Microsoft SQL Server sp_replwritetovarbin limited memory overwrite vulnerability Bernhard Mueller (SEC Consult Vulnerability Lab)

Metasploit Framework H D Moore and the Metasploit development team

w3af Andres Riancho and the w3af development team

Data-mining with SQL Injection and Inference David Litchfield (NGS Software)

Advanced SQL Injection Victor Chapela (Sm4rt Security Services)

Python difflib Python Software Foundation

NULL (SQL) Wikipedia

Agent oriented SQL abuse Fernando Russ and Diego Tiscornia (CORE Security)

Insight on UNION query SQL injection Bernardo Damele A G

DBMS Fingerprint Daniele Bellucci (OWASP Backend Security Project)

Questions

Thanks for your attention

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Automation vs granularity (12)

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

About meBernardo Damele A G

Proud father

Penetration Tester and Security Researcher

Currently working at Portcullis Computer Security Ltd

sqlmap lead developer

SQL what (22)

Because

It is fun

State of art

How does it work

sqlmap

sqlmap key features

More features

Real world

Morpheus The Matrix

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

SQL what (22)

Because

It is fun

State of art

How does it work

sqlmap

sqlmap key features

More features

Real world

Morpheus The Matrix

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

SQL what (22)

Because

It is fun

State of art

How does it work

sqlmap

sqlmap key features

More features

Real world

Morpheus The Matrix

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Because

It is fun

State of art

How does it work

sqlmap

sqlmap key features

More features

Real world

Morpheus The Matrix

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

How does it work

sqlmap

sqlmap key features

More features

Real world

Morpheus The Matrix

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

sqlmap

sqlmap key features

More features

Real world

Morpheus The Matrix

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

sqlmap key features

More features

Real world

Morpheus The Matrix

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

More features

Real world

Morpheus The Matrix

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Real world

Morpheus The Matrix

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Casted SQL query

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

URL encoded

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

SQL payload (13)

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

SQL payload (23)

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

SQL payload (33)

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

First demo

Doug Hall

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Obstacle

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Banner parsing

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

SQL dialect

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

The result is

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Second demo

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Give me a SQL shell

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Third demo

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Documentation

Mailing lists

Personal contacts

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

About me

SQL what (12)

SQL what (22)

State of art

How does it work

sqlmap

Real world

SQL payload (13)

SQL payload (23)

SQL payload (33)

First demo

More on fingerprint

Second demo

Give me a SQL shell

Third demo

Limitations

Want to contribute

Links and contacts

References

Questions

Technology

SQL injection exploitation internals