Automating Boolean SQL Injection and Evading Filters
Sign up for Snyk at https://snyk.co/ippsec 00:00 - Talking about why I like SQL Boolean Injection 01:47 - Opening up the source code to the web app 02:00 - Snyk sponsor segment, talking about how it can find and fix vulnerabilities in your code in real time 04:30 - Demonstrating validating boolean injection with an or statement 07:00 - Showing a small python client I made for this video to play with the SQL Injection, then showing subqueries 09:20 - Showing how to enumerate columns in the database via brute-force guessing because we can't use information_schema 11:25 - Going over the LIMIT statement so we can control which row we are looking at, then showing LIMIT 2 offset 1 is the same as LIMIT 1,1 15:00 - Showing the SUBSTR command so we can guess individual characters in a column/row 17:05 - Talking about converting a string to number in mysql which makes it possible to guess bad characters 21:45 - Start of creating our script, talking about the 3 functions we need, then creating one to dump the number of rows in a column 29:40 - Automating getting the length of a column in our row 32:40 - Automating exfilling the actual data and implementing a binary search/divide and conquer algorithm to speed our request up 46:00 - Debugging our script 47:35 - Found the error, messed up the column name. Showing the algorithm we made to bruteforce characters with the BETWEEN 49:00 - Putting all the functions together to automate dumping all the data 54:50 - Showing SQLMap has troubles with this, especially because the function (GEOGRAPHY_AREA) it uses to fingerprint the app won't work because it contains a bad character (_) 57:10 - Cleaning up and explaining the code a little bit
Sign up for Snyk at https://snyk.co/ippsec 00:00 - Talking about why I like SQL Boolean Injection 01:47 - Opening up the source code to the web app 02:00 - Snyk sponsor segment, talking about how it can find and fix vulnerabilities in your code in real time 04:30 - Demonstrating validating boolean injection with an or statement 07:00 - Showing a small python client I made for this video to play with the SQL Injection, then showing subqueries 09:20 - Showing how to enumerate columns in the database via brute-force guessing because we can't use information_schema 11:25 - Going over the LIMIT statement so we can control which row we are looking at, then showing LIMIT 2 offset 1 is the same as LIMIT 1,1 15:00 - Showing the SUBSTR command so we can guess individual characters in a column/row 17:05 - Talking about converting a string to number in mysql which makes it possible to guess bad characters 21:45 - Start of creating our script, talking about the 3 functions we need, then creating one to dump the number of rows in a column 29:40 - Automating getting the length of a column in our row 32:40 - Automating exfilling the actual data and implementing a binary search/divide and conquer algorithm to speed our request up 46:00 - Debugging our script 47:35 - Found the error, messed up the column name. Showing the algorithm we made to bruteforce characters with the BETWEEN 49:00 - Putting all the functions together to automate dumping all the data 54:50 - Showing SQLMap has troubles with this, especially because the function (GEOGRAPHY_AREA) it uses to fingerprint the app won't work because it contains a bad character (_) 57:10 - Cleaning up and explaining the code a little bit