- Hacking Databases with SQL Injection
- Introduction to this Workshop
- What Is SQL Injection?
- Purpose
- Acknowledgements
- Configuration & Orientation
- Motivation
- SQL Orientation
- Basic Navigation
- Basic Queries
- Select
- Paging clause: limiting results per query
- The WHERE Clause and Conditional Nuances
- The ORDER BY Clause
- The GROUP BY Clause
- Update
- Delete
- Insert
- Subquery Support
- The Anatomy of an Injection
- How Web Applications Interact with SQL Services
- Problems with SQL-oriented Code
- HTTP Attack Vectors
- GET Variables
- POST Variables
- Request Headers & Cookies
- Example Injection Explained
- Obstacles & Countermeasures
- Environmental Obstacles
- Database Server Configuration
- Webserver & Interpreter Configuration
- Network & Webserver Restrictions
- Inappropriate Sanitizing
- Partially Sanitized Syntax Characters
- Home-brewed Sanitizing Algorithms
- Deprecated Sanitizing Functions & Configurations
- Testing
- Traditional Testing
- Syntax-character Driven Testing Theory
- Determining a Valid Whitespace
- Isolating Stripping
- Testing for Parentheses
- Mathematical Operator Tests
- Bareword Filters
- Stripping Order
- Remote Type Checking
- Escaping the Escape
- Enumerating Valid Comparison Operators
- Testing with Between ... And ...
- Testing with Regular Expressions
- The Basics Of Regex
- Regex Vulnerability Testing Examples
- Testing with Timing Functions
- Avoiding the Need For Specific Characters
- Whitespace
- Standard quotations/apostrophes
- String concatenation
- Other methods of representing strings
- Tags or greater than/less than
- Equal signs
- Commas
- Parentheses
- Information Gathering
- Basic Database Context
- Remote Dataserver Version Fingerprinting
- Current Database User
- Current Database Name
- Current Privileges
- Support For Stacked Queries
- Navigating the Unfamiliar Database
- Retrieving a List Of Databases
- Retrieving a List Of Tables and Columns
- In-band Data Retrieval
- Performing In-Band Injections By Appending Data
- Required Conditions
- Determining the Number of Columns
- Truncating the Results Set
- Appending Desired Data
- Other Clause Injections
- Verbose Errors
- Determining If Verbose Errors Are Enabled
- Methods Of Returning Query Results in an Error Message
- Second Order Injection
- Injected Query Output Injections
- Determining the number of columns in the secondary query
- Breaking out of blind
- Stored Data Re-use Injections
- Extracting Data From Out-Of-Band Injections
- Blind Data Retrieval Process
- Row Counting Functions
- Obtaining the Length of a Cell
- Casting, Encoding & Compressing
- Counting in Binary
- Partially Blind Injections
- Boolean Enumeration Using Output Comparison
- The Boolean Enumeration Logarithm
- The Guess-A-Number Algorithm
- Enumeration With Between ... And ...
- Enumeration Through Regular Expressions
- Bitwise Extraction With Comparative Precomputation
- The Comparative Precomputation Algorithm
- Injected Query Discovery
- The Bitwise Extraction Logarithm
- Creating the Subquery
- Bitwise Extraction Procedures
- Completely Blind Injections
- Boolean Enumeration Using Timing Comparison
- Timing Extraction With Sleep Functions
- Patching
- Parameterized Queries & Configuration
- Example of PHP PDO Parameterized Queries (MySQL) using Named Placeholders
- Example of PHP PDO Parameterized Queries (MySQL) using Question Mark Placeholders
- Explicit typecasts, encoding, and escaping
- Appendix
- Syntax Reference/Cheat Sheet
- Example extreme edge case script
- SQL Syntax characters
- Potential escape sequences
- Valid whitespace characters
- Conditional operators
- Comparison operators
- Query terminators
- Other useful syntax
- Multi-byte characters ending in escape
- Character set inspection script
- Basic Proof-of-concept Scripts
- Related Tools
- Resources, references, links, et al.