Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Talk:SQL injection"

From NetSec
Jump to: navigation, search
Line 1: Line 1:
*Modern day SQL injection obstacles and countermeasures
+
Modern day SQL injection obstacles and countermeasures
 
*SQL injection/countermeasures
 
*SQL injection/countermeasures
:*Configuration & environment challenges
+
:Configuration & environment challenges
 
:*SQL injection/countermeasures/environment
 
:*SQL injection/countermeasures/environment
::*IDS, IPS, and web application firewalls
+
::IDS, IPS, and web application firewalls
 
::*SQL injection/countermeasures/environment/security systems
 
::*SQL injection/countermeasures/environment/security systems
::*Common web application firewall HTTPD modules
+
::Common web application firewall HTTPD modules
 
::*SQL injection/countermeasures/environment/common web application firewalls
 
::*SQL injection/countermeasures/environment/common web application firewalls
:*Improper sanitizing
+
:Improper sanitizing
 
:*SQL injection/countermeasures/sanitizing
 
:*SQL injection/countermeasures/sanitizing
::*Partial sanitizing
+
::Partial sanitizing
 
::*SQL injection/countermeasures/sanitizing/partial
 
::*SQL injection/countermeasures/sanitizing/partial
::*Deprecated sanitizing
+
::Deprecated sanitizing
 
::*SQL injection/countermeasures/sanitizing/deprecated
 
::*SQL injection/countermeasures/sanitizing/deprecated
*Basic remote tests for SQL injection vulnerabilities
+
Basic remote tests for SQL injection vulnerabilities
 
*SQL injection/testing
 
*SQL injection/testing
:*Injection points
+
:Injection points
 
:*SQL injection/testing/injection locations
 
:*SQL injection/testing/injection locations
:*Input testing
+
:Input testing
 
:*SQL injection/testing/inputs
 
:*SQL injection/testing/inputs
::*Your first where clause injection
+
::Your first where clause injection
 
::*SQL injection/testing/inputs/where clause
 
::*SQL injection/testing/inputs/where clause
:*Reconstructing injected queries
+
:Reconstructing injected queries
 
:*SQL injection/testing/query reconstruction
 
:*SQL injection/testing/query reconstruction
  

Revision as of 02:25, 9 August 2012

Modern day SQL injection obstacles and countermeasures

  • SQL injection/countermeasures
Configuration & environment challenges
  • SQL injection/countermeasures/environment
IDS, IPS, and web application firewalls
  • SQL injection/countermeasures/environment/security systems
Common web application firewall HTTPD modules
  • SQL injection/countermeasures/environment/common web application firewalls
Improper sanitizing
  • SQL injection/countermeasures/sanitizing
Partial sanitizing
  • SQL injection/countermeasures/sanitizing/partial
Deprecated sanitizing
  • SQL injection/countermeasures/sanitizing/deprecated

Basic remote tests for SQL injection vulnerabilities

  • SQL injection/testing
Injection points
  • SQL injection/testing/injection locations
Input testing
  • SQL injection/testing/inputs
Your first where clause injection
  • SQL injection/testing/inputs/where clause
Reconstructing injected queries
  • SQL injection/testing/query reconstruction


5 Bypassing modern SQL injection security measures

   5.1 Basic signature evasion
       5.1.1 Whitespace placement
       5.1.2 Integer and string size delimiters
       5.1.3 Switching up the data types
       5.1.4 Arithmetic tests
       5.1.5 Capitalization
       5.1.6 Extending conditional statements
   5.2 Defeating partial sanitizing
       5.2.1 Quotes
       5.2.2 Whitespace filtering
   5.3 Bypassing XSS filters during SQL injection
       5.3.1 Testing with BETWEEN
       5.3.2 Testing with Regular Expression Operators (REGEXP, ~, and RLIKE)

6 Intermediate SQL injection

   6.1 Automation theory
   6.2 Basic Injection : Union Select
       6.2.1 Determining the number of columns
       6.2.2 Extracting data
   6.3 Intermediate testing: "SELECT" ... LIMIT clause injections
   6.4 Intermediate injection: information retrieval via verbose errors

7 Advanced: manual boolean enumeration

   7.1 Using Ascii codes and the ascii() function for enumeration
       7.1.1 substring()
       7.1.2 Version fingerprinting with ascii-based enumeration
           7.1.2.1 In theory
           7.1.2.2 In Practice
   7.2 Using Regular Expressions for Boolean enumeration
       7.2.1 Getting started with regular expressions
       7.2.2 Version fingerprinting using compatible regular expressions

8 Expert: Timing attacks for automated boolean enumeration

   8.1 MySQL boolean timing attacks
       8.1.1 benchmark() and related issues
       8.1.2 Evasive sleep() based boolean enumeration with regular expressions
           8.1.2.1 Testing for the ability to sleep():
           8.1.2.2 Controlling sleep() for enumeration:
           8.1.2.3 Using sleep() to map a table name with regular expressions
   8.2 PostgreSQL Boolean Timing Attacks
       8.2.1 Testing for access to pg_sleep()
       8.2.2 Using pg_sleep() with alternative comparisons for evasive boolean enumeration

9 Expert: Automated Single-byte exfiltration

   9.1 Timing-based single-byte exfiltration
   9.2 The comparative precomputation attack

10 Further penetration

   10.1 Obtaining direct database access
   10.2 Obtaining filesystem access
   10.3 Obtaining code execution

11 Cheat Sheets

   11.1 Vulnerability testing
       11.1.1 Universal true and false statements
   11.2 MySQL syntax reference
       11.2.1 Mysql versions >= 5 user schema mapping (unprivileged)
       11.2.2 Privileged MySQL (any version) user
   11.3 PostgreSQL syntax reference
       11.3.1 PostgreSQL schema mapping
   11.4 Microsoft SQL syntax reference
       11.4.1 Microsoft SQL schema mapping (unprivileged)
       11.4.2 Privileged microsoft SQL injection

12 Patching SQL Injection Vulnerabilities