Difference between revisions of "Talk:SQL injection"

From NetSec
 
(6 intermediate revisions by one other user not shown)
Line 1: Line 1:
Modern day SQL injection obstacles and countermeasures
+
 
 +
== Modern day SQL injection obstacles and countermeasures==
 
*[[SQL injection/countermeasures]]
 
*[[SQL injection/countermeasures]]
 
:Configuration & environment challenges
 
:Configuration & environment challenges
Line 23: Line 24:
 
:Reconstructing injected queries
 
:Reconstructing injected queries
 
:*[[SQL injection/testing/query reconstruction]]
 
:*[[SQL injection/testing/query reconstruction]]
 
+
Bypassing modern SQL injection security measures
 
+
*[[SQL injection/evasion]]
5 Bypassing modern SQL injection security measures
+
:Basic signature evasion
 
+
:*[[SQL injection/evasion/basic signatures]]
    5.1 Basic signature evasion
+
::Whitespace placement
        5.1.1 Whitespace placement
+
::*[[SQL injection/evasion/basic signatures/whitespaces]]
        5.1.2 Integer and string size delimiters
+
::Integer and string size delimiters
        5.1.3 Switching up the data types
+
::*[[SQL injection/evasion/basic signatures/scalar sizes]]
        5.1.4 Arithmetic tests
+
::Switching up the data types
        5.1.5 Capitalization
+
::*[[SQL injection/evasion/basic signatures/data types]]
        5.1.6 Extending conditional statements
+
::Arithmetic tests
    5.2 Defeating partial sanitizing
+
::*[[SQL injection/evasion/basic signatures/arithmetic tests]]
        5.2.1 Quotes
+
::Capitalization
        5.2.2 Whitespace filtering
+
::*[[SQL injection/evasion/basic signatures/case sensitivity]]
    5.3 Bypassing XSS filters during SQL injection
+
::Extending conditional statements
        5.3.1 Testing with BETWEEN
+
::*[[SQL injection/evasion/basic signatures/conditional statements]]
        5.3.2 Testing with Regular Expression Operators (REGEXP, ~, and RLIKE)
+
:Defeating partial sanitizing
 
+
:* [[SQL injection/evasion/sanitizing]]
6 Intermediate SQL injection
+
::Quotes
 
+
::* [[SQL injection/evasion/sanitizing/quotes]]
 +
::Whitespace filtering
 +
::* [[SQL injection/evasion/sanitizing/whitespace]]
 +
:Bypassing XSS filters during SQL injection
 +
:* [[SQL injection/evasion/xss filters]]
 +
::Testing with BETWEEN
 +
::* [[SQL injection/evasion/xss filters/using between]]
 +
::Testing with Regular Expression Operators (REGEXP, ~, and RLIKE)
 +
::* [[SQL injection/evasion/xss filters/using regular expressions]]
 +
Intermediate SQL injection
 +
* [[SQL injection/intermediate]]
 
     6.1 Automation theory
 
     6.1 Automation theory
 
     6.2 Basic Injection : Union Select
 
     6.2 Basic Injection : Union Select

Latest revision as of 17:46, 19 November 2012

Modern day SQL injection obstacles and countermeasures

Configuration & environment challenges
IDS, IPS, and web application firewalls
Common web application firewall HTTPD modules
Improper sanitizing
Partial sanitizing
Deprecated sanitizing

Basic remote tests for SQL injection vulnerabilities

Injection points
Input testing
Your first where clause injection
Reconstructing injected queries

Bypassing modern SQL injection security measures

Basic signature evasion
Whitespace placement
Integer and string size delimiters
Switching up the data types
Arithmetic tests
Capitalization
Extending conditional statements
Defeating partial sanitizing
Quotes
Whitespace filtering
Bypassing XSS filters during SQL injection
Testing with BETWEEN
Testing with Regular Expression Operators (REGEXP, ~, and RLIKE)

Intermediate SQL injection

   6.1 Automation theory
   6.2 Basic Injection: Union Select
       6.2.1 Determining the number of columns
       6.2.2 Extracting data
   6.3 Intermediate testing: "SELECT" ... LIMIT clause injections
   6.4 Intermediate injection: information retrieval via verbose errors

7 Advanced: manual boolean enumeration

   7.1 Using ASCII codes and the ascii() function for enumeration
       7.1.1 substring()
       7.1.2 Version fingerprinting with ASCII-based enumeration
           7.1.2.1 In theory
           7.1.2.2 In practice
   7.2 Using Regular Expressions for Boolean enumeration
       7.2.1 Getting started with regular expressions
       7.2.2 Version fingerprinting using compatible regular expressions

8 Expert: Timing attacks for automated boolean enumeration

   8.1 MySQL boolean timing attacks
       8.1.1 benchmark() and related issues
       8.1.2 Evasive sleep() based boolean enumeration with regular expressions
           8.1.2.1 Testing for the ability to sleep()
           8.1.2.2 Controlling sleep() for enumeration
           8.1.2.3 Using sleep() to map a table name with regular expressions
   8.2 PostgreSQL Boolean Timing Attacks
       8.2.1 Testing for access to pg_sleep()
       8.2.2 Using pg_sleep() with alternative comparisons for evasive boolean enumeration

9 Expert: Automated Single-byte exfiltration

   9.1 Timing-based single-byte exfiltration
   9.2 The comparative precomputation attack

10 Further penetration

   10.1 Obtaining direct database access
   10.2 Obtaining filesystem access
   10.3 Obtaining code execution

11 Cheat Sheets

   11.1 Vulnerability testing
       11.1.1 Universal true and false statements
   11.2 MySQL syntax reference
       11.2.1 MySQL versions >= 5 user schema mapping (unprivileged)
       11.2.2 Privileged MySQL (any version) user
   11.3 PostgreSQL syntax reference
       11.3.1 PostgreSQL schema mapping
   11.4 Microsoft SQL syntax reference
       11.4.1 Microsoft SQL schema mapping (unprivileged)
       11.4.2 Privileged Microsoft SQL injection

12 Patching SQL Injection Vulnerabilities