Difference between revisions of "Talk:SQL injection"
From NetSec
(Created page with "{{immediate|purging its '''TMT (TOO MANY TEMPLATES) syndrome'''}}")
(15 intermediate revisions by one other user not shown)
Line 1: | Line 1: | ||
− | + | ||
+ | == Modern day SQL injection obstacles and countermeasures== | ||
+ | *[[SQL injection/countermeasures]] | ||
+ | :Configuration & environment challenges | ||
+ | :*[[SQL injection/countermeasures/environment]] | ||
+ | ::IDS, IPS, and web application firewalls | ||
+ | ::*[[SQL injection/countermeasures/environment/security systems]] | ||
+ | ::Common web application firewall HTTPD modules | ||
+ | ::*[[SQL injection/countermeasures/environment/common web application firewalls]] | ||
+ | :Improper sanitizing | ||
+ | :*[[SQL injection/countermeasures/sanitizing]] | ||
+ | ::Partial sanitizing | ||
+ | ::*[[SQL injection/countermeasures/sanitizing/partial]] | ||
+ | ::Deprecated sanitizing | ||
+ | ::*[[SQL injection/countermeasures/sanitizing/deprecated]] | ||
+ | Basic remote tests for SQL injection vulnerabilities | ||
+ | *[[SQL injection/testing]] | ||
+ | :Injection points | ||
+ | :*[[SQL injection/testing/injection locations]] | ||
+ | :Input testing | ||
+ | :*[[SQL injection/testing/inputs]] | ||
+ | ::Your first where clause injection | ||
+ | ::*[[SQL injection/testing/inputs/where clause]] | ||
+ | :Reconstructing injected queries | ||
+ | :*[[SQL injection/testing/query reconstruction]] | ||
+ | Bypassing modern SQL injection security measures | ||
+ | *[[SQL injection/evasion]] | ||
+ | :Basic signature evasion | ||
+ | :*[[SQL injection/evasion/basic signatures]] | ||
+ | ::Whitespace placement | ||
+ | ::*[[SQL injection/evasion/basic signatures/whitespaces]] | ||
+ | ::Integer and string size delimiters | ||
+ | ::*[[SQL injection/evasion/basic signatures/scalar sizes]] | ||
+ | ::Switching up the data types | ||
+ | ::*[[SQL injection/evasion/basic signatures/data types]] | ||
+ | ::Arithmetic tests | ||
+ | ::*[[SQL injection/evasion/basic signatures/arithmetic tests]] | ||
+ | ::Capitalization | ||
+ | ::*[[SQL injection/evasion/basic signatures/case sensitivity]] | ||
+ | ::Extending conditional statements | ||
+ | ::*[[SQL injection/evasion/basic signatures/conditional statements]] | ||
+ | :Defeating partial sanitizing | ||
+ | :* [[SQL injection/evasion/sanitizing]] | ||
+ | ::Quotes | ||
+ | ::* [[SQL injection/evasion/sanitizing/quotes]] | ||
+ | ::Whitespace filtering | ||
+ | ::* [[SQL injection/evasion/sanitizing/whitespace]] | ||
+ | :Bypassing XSS filters during SQL injection | ||
+ | :* [[SQL injection/evasion/xss filters]] | ||
+ | ::Testing with BETWEEN | ||
+ | ::* [[SQL injection/evasion/xss filters/using between]] | ||
+ | ::Testing with Regular Expression Operators (REGEXP, ~, and RLIKE) | ||
+ | ::* [[SQL injection/evasion/xss filters/using regular expressions]] | ||
+ | Intermediate SQL injection | ||
+ | * [[SQL injection/intermediate]] | ||
+ | 6.1 Automation theory | ||
+ | 6.2 Basic Injection : Union Select | ||
+ | 6.2.1 Determining the number of columns | ||
+ | 6.2.2 Extracting data | ||
+ | 6.3 Intermediate testing: "SELECT" ... LIMIT clause injections | ||
+ | 6.4 Intermediate injection: information retrieval via verbose errors | ||
+ | |||
+ | 7 Advanced: manual boolean enumeration | ||
+ | |||
+ | 7.1 Using Ascii codes and the ascii() function for enumeration | ||
+ | 7.1.1 substring() | ||
+ | 7.1.2 Version fingerprinting with ascii-based enumeration | ||
+ | 7.1.2.1 In theory | ||
+ | 7.1.2.2 In Practice | ||
+ | 7.2 Using Regular Expressions for Boolean enumeration | ||
+ | 7.2.1 Getting started with regular expressions | ||
+ | 7.2.2 Version fingerprinting using compatible regular expressions | ||
+ | |||
+ | 8 Expert: Timing attacks for automated boolean enumeration | ||
+ | |||
+ | 8.1 MySQL boolean timing attacks | ||
+ | 8.1.1 benchmark() and related issues | ||
+ | 8.1.2 Evasive sleep() based boolean enumeration with regular expressions | ||
+ | 8.1.2.1 Testing for the ability to sleep(): | ||
+ | 8.1.2.2 Controlling sleep() for enumeration: | ||
+ | 8.1.2.3 Using sleep() to map a table name with regular expressions | ||
+ | 8.2 PostgreSQL Boolean Timing Attacks | ||
+ | 8.2.1 Testing for access to pg_sleep() | ||
+ | 8.2.2 Using pg_sleep() with alternative comparisons for evasive boolean enumeration | ||
+ | |||
+ | 9 Expert: Automated Single-byte exfiltration | ||
+ | |||
+ | 9.1 Timing-based single-byte exfiltration | ||
+ | 9.2 The comparative precomputation attack | ||
+ | |||
+ | 10 Further penetration | ||
+ | |||
+ | 10.1 Obtaining direct database access | ||
+ | 10.2 Obtaining filesystem access | ||
+ | 10.3 Obtaining code execution | ||
+ | |||
+ | 11 Cheat Sheets | ||
+ | |||
+ | 11.1 Vulnerability testing | ||
+ | 11.1.1 Universal true and false statements | ||
+ | 11.2 MySQL syntax reference | ||
+ | 11.2.1 Mysql versions >= 5 user schema mapping (unprivileged) | ||
+ | 11.2.2 Privileged MySQL (any version) user | ||
+ | 11.3 PostgreSQL syntax reference | ||
+ | 11.3.1 PostgreSQL schema mapping | ||
+ | 11.4 Microsoft SQL syntax reference | ||
+ | 11.4.1 Microsoft SQL schema mapping (unprivileged) | ||
+ | 11.4.2 Privileged microsoft SQL injection | ||
+ | |||
+ | 12 Patching SQL Injection Vulnerabilities |
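Review bot: the outline changes convention halfway through this hunk. Sections 1 through 5 are indented wiki-link entries (`:*[[SQL injection/...]]`), but from "6.1 Automation theory" onward every entry is a bare numbered heading with no `[[...]]` link and no indentation, so none of sections 6 through 12 will navigate anywhere from the talk page; link each subsection the same way the earlier ones are linked (the parent `[[SQL injection/intermediate]]` is linked, its 6.x children are not). Two smaller style points in the same hunk: the link spacing flips from `:*[[` to `:* [[` at "Defeating partial sanitizing", and the entries "Testing for the ability to sleep():" and "Controlling sleep() for enumeration:" carry trailing colons that no other entry has.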
Latest revision as of 17:46, 19 November 2012
Modern day SQL injection obstacles and countermeasures
- Configuration & environment challenges
  - IDS, IPS, and web application firewalls
  - Common web application firewall HTTPD modules
- Improper sanitizing
  - Partial sanitizing
  - Deprecated sanitizing
Basic remote tests for SQL injection vulnerabilities
- Injection points
- Input testing
  - Your first where clause injection
- Reconstructing injected queries
Bypassing modern SQL injection security measures
- Basic signature evasion
  - Whitespace placement
  - Integer and string size delimiters
  - Switching up the data types
  - Arithmetic tests
  - Capitalization
  - Extending conditional statements
- Defeating partial sanitizing
  - Quotes
  - Whitespace filtering
- Bypassing XSS filters during SQL injection
  - Testing with BETWEEN
  - Testing with Regular Expression Operators (REGEXP, ~, and RLIKE)
Intermediate SQL injection
6.1 Automation theory
6.2 Basic Injection: Union Select
6.2.1 Determining the number of columns
6.2.2 Extracting data
6.3 Intermediate testing: "SELECT" ... LIMIT clause injections
6.4 Intermediate injection: information retrieval via verbose errors
7 Advanced: manual boolean enumeration
7.1 Using ASCII codes and the ascii() function for enumeration
7.1.1 substring()
7.1.2 Version fingerprinting with ASCII-based enumeration
7.1.2.1 In theory
7.1.2.2 In practice
7.2 Using Regular Expressions for Boolean enumeration
7.2.1 Getting started with regular expressions
7.2.2 Version fingerprinting using compatible regular expressions
8 Expert: Timing attacks for automated boolean enumeration
8.1 MySQL boolean timing attacks
8.1.1 benchmark() and related issues
8.1.2 Evasive sleep() based boolean enumeration with regular expressions
8.1.2.1 Testing for the ability to sleep()
8.1.2.2 Controlling sleep() for enumeration
8.1.2.3 Using sleep() to map a table name with regular expressions
8.2 PostgreSQL Boolean Timing Attacks
8.2.1 Testing for access to pg_sleep()
8.2.2 Using pg_sleep() with alternative comparisons for evasive boolean enumeration
9 Expert: Automated Single-byte exfiltration
9.1 Timing-based single-byte exfiltration
9.2 The comparative precomputation attack
10 Further penetration
10.1 Obtaining direct database access
10.2 Obtaining filesystem access
10.3 Obtaining code execution
11 Cheat Sheets
11.1 Vulnerability testing
11.1.1 Universal true and false statements
11.2 MySQL syntax reference
11.2.1 MySQL versions >= 5 user schema mapping (unprivileged)
11.2.2 Privileged MySQL (any version) user
11.3 PostgreSQL syntax reference
11.3.1 PostgreSQL schema mapping
11.4 Microsoft SQL syntax reference
11.4.1 Microsoft SQL schema mapping (unprivileged)
11.4.2 Privileged Microsoft SQL injection
12 Patching SQL Injection Vulnerabilities