Advanced SQL Injection with SQLol

Report
Advanced SQL Injection with
SQLol
Presented by:
Daniel Crowley
COPYRIGHT TRUSTWAVE 2011
Whom?
Daniel Crowley
Trustwave SpiderLabs
@dan_crowley
[email protected]
COPYRIGHT TRUSTWAVE 2011
What?
SQLol
A configurable SQLi test-bed
A tool for
Research
Education
Testing
http://github.com/SpiderLabs/SQLol
COPYRIGHT TRUSTWAVE 2011
Why?
Existing test-beds are
Inflexible
Simplified
Real-world scenarios are
Varied
Dangerous
COPYRIGHT TRUSTWAVE 2011
Why? Klingon version
Heghlu'meH QaQ jajvam
COPYRIGHT TRUSTWAVE 2011
Why? Shakespearean version
I humbly posit that the current state
(With much respect to work which
does
precede)
Of test-beds made with vulns to
demonstrate
Is lacking some in flexibility.
COPYRIGHT TRUSTWAVE 2011
Why? Shakespearean version
Two options are presented presentday,
As far as when one deals with SQL:
A blind injection (bool or time delay)
And UNION statement hax (oh gee,
how swell…)
COPYRIGHT TRUSTWAVE 2011
Why? Shakespearean version
Imagine we could choose how
queries read
And how our input sanitizes, oh!
How nimble and specific we could be
To recreate our ‘sploit scenarios.
COPYRIGHT TRUSTWAVE 2011
Why? Shakespearean version
And thus is S-Q-L-O-L conceived:
That we can study how to pwn DBs.
COPYRIGHT TRUSTWAVE 2011
Why? tl;dr version
‘Cuz.
COPYRIGHT TRUSTWAVE 2011
Selecting flaw configuration
AIM
Choose type of query
COPYRIGHT TRUSTWAVE 2011
Choose sanitization options
COPYRIGHT TRUSTWAVE 2011
Choose verbosity
COPYRIGHT TRUSTWAVE 2011
Challenges
COPYRIGHT TRUSTWAVE 2011
Manual and automated exploitation
FIRE
Manual
COPYRIGHT TRUSTWAVE 2011
Manual
COPYRIGHT TRUSTWAVE 2011
Automated
COPYRIGHT TRUSTWAVE 2011
HOW ABOUT A
DEMONSTRATION
?
Deploying SQLol
MAKE THE MAGIC HAPPEN
Requirements
Web server of your choice
with PHP
ADODB-supported database
COPYRIGHT TRUSTWAVE 2011
Deployment
Un-tar SQLol inside web root
COPYRIGHT TRUSTWAVE 2011
Deployment
Modify includes/database.config.php
COPYRIGHT TRUSTWAVE 2011
Deployment
Run database reset script
COPYRIGHT TRUSTWAVE 2011
Future features
Custom sanitization routines
Stored procedure injections
Database privilege options
More challenges
COPYRIGHT TRUSTWAVE 2011
Like SQLol?
Try XMLmao!
Possible future test beds?
cryptOMG
rofLDAP (asLDAP)
KTHXbypass
XSSmh
COPYRIGHT TRUSTWAVE 2011
Questions?
[email protected]
Twitter: @dan_crowley
Code:
http://github.com/SpiderLabs/SQLol
http://www.surveymonkey.com/sourceboston12
COPYRIGHT TRUSTWAVE 2011

similar documents