More Advancements in SQL Injection Techniques presented at SEC-T 2009

by Sumit "sid" Siddharth (7safe)

Tags: Security Web Security SQLi

Summary: This talk will cover a variety of exploitation and identification techniques. Starting with the very basics, the talk will become progressively more complex and will discuss exploiting SQL injections that appear to be unexploitable. Exploitation in scenarios where the web APIs do not allow execution of multiple SQL queries in a single statement will be discussed. Special emphasis will be placed on the Oracle database, and how to achieve privilege escalation and OS command execution from web applications will be demonstrated. There will be a tool release (bsqlbf) for advanced SQL injection exploitation against Oracle. The talk will also show an Oracle SQL injection worm to prove that worms can target not just MS-SQL but any other database.

Sumit "sid" Siddharth: Principal security consultant