Tuesday, November 10, 2009

CONFidence 2009 2.0

My friend Guido Landi and I have been selected as speakers for CONFidence 2009 2.0 conference. We are scheduled to present on November 20.

We will be presenting a slightly updated version of our presentation titled Expanding the Control Over Operating System From the Database. The new abstract is as follows:
Using a database (MySQL, PostgreSQL and Microsoft SQL Server), either via a SQL injection or via direct connection, as a stepping stone to control the underlying operating system can be achieved. There is much to say on operating system control by owning a database server: Windows registry access, anti-forensics technique to establish an out-of-band stealth connection, buffer overflow exploitation with memory protections bypass and custom user-defined function injection. These topics and more will be highlighted during the presentation.
The Conference will take place on November 19 - 20, 2009 at Femina Cinema in Warsaw (Poland); don't miss it if you can!

Saturday, September 26, 2009

Expanding the control over the operating system from the database

On Tuesday I came back from Barcelona (Spain), where I gave a talk with my friend Guido Landi at SOURCE Conference 2009, met some very smart people, had good chats and fun times, and ate amazing Spanish tapas with tasty local red wine!

Thanks SOURCE Barcelona 2009 team for organizing such a great event and giving me the opportunity to come over!

Our presentation slides are online on Slideshare. You can also read them below.

I also released sqlmap 0.8 release candidate 1 with all of the new features described in my presentation at the Conference. You can also check out the source code from the sqlmap Subversion repository:
$ svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap/ sqlmap

Monday, September 7, 2009

SOURCE Barcelona 2009

My friend Guido Landi and I have been selected as speakers for SOURCE Barcelona 2009 conference. We are scheduled to present on September 21.

Our presentation is titled Expanding the Control Over Operating System From the Database and the abstract is as follows:
Using a database, either via a SQL injection or via direct connection, as a stepping stone to control the underlying operating system can be achieved. There is much to say on operating system control by owning a database server: Windows registry access, anti-forensics techniques and custom user-defined function injection. These topics and more will be highlighted during the presentation.
The Conference will take place on September 21 - 22, 2009 at Museu Nacional D’art de Catalunya in Barcelona (Spain), don't miss it if you can!

Saturday, July 25, 2009

sqlmap 0.7 released

Today I released sqlmap version 0.7.

Along with all the takeover features introduced in sqlmap 0.7 release candidate 1, some of the new features include:
  • Adapted the Metasploit wrapping functions to work with the latest 3.3 development version too.
  • Adjusted the code to make sqlmap 0.7 work again on Mac OS X too.
  • Reset the takeover OOB features (if any of --os-pwn, --os-smbrelay or --os-bof is selected) when running under Windows, because msfconsole and msfcli are not supported on the native Windows Ruby interpreter. This makes sqlmap 0.7 work again on Windows too.
  • Minor improvement so that sqlmap also tests all parameters with no value (e.g. par=).
  • HTTPS requests over an HTTP proxy now work on Python 2.4, 2.5 and 2.6+.
Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

If you have any feedback feel free to contribute!

Tuesday, June 30, 2009

Back from Lisbon, Portugal

Last weekend I was in Lisbon (Portugal) speaking at the 2nd Digital Security Forum.
The Conference was a blast! Very well organized, good location, warm people and some interesting speeches too. I look forward to attending the next one.

Thanks to the guys at PontoSI and other sponsors for organizing such a great event.

As usual, I published the slides on SlideShare.

Wednesday, June 10, 2009

Digital Security Forum 2009

I have been invited to speak at the 2nd Digital Security Forum in a couple of weeks time.

I will present an updated version of my slides SQL injection: Not Only AND 1=1. The abstract is once again as follows:

The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.

I will then illustrate in detail, with examples, the common and uncommon problems (and their solutions) that a penetration tester faces when exploiting any kind of SQL injection flaw in real-world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single-entry UNION query SQL injection, IDS bypasses specific to certain web application technologies, and more.

The Conference will take place on June 26 - 27, 2009 at Hotel Olissippo Oriente in Lisbon (Portugal).
If you are around, it's a good occasion to catch up and share ideas on application security; see you there!

Tuesday, June 2, 2009

sqlmap in Ubuntu package repository

Ubuntu developer James Westby has been very fast to pick sqlmap up from the Debian repository: it is now officially available as a package "for human beings" on Ubuntu Karmic, the next stable release!

Wednesday, May 27, 2009

PaulDotCom video on sqlmap

During PaulDotCom Security Weekly - Episode 152 on May 14, 2009, John Strand discussed sqlmap in a video hosted on Vimeo.

I think the video is worth watching for someone interested in a quick overview of a few sqlmap features, but going through the user's manual and the users' mailing list archive offers much more technical insight on the tool and the vulnerability itself.

Here are my comments on the video:
  • Minute 0:20 - "[...] one of the reasons why I think it is better than commercial tools it's quite simply because of its flexibility [...]".
In practice only the least flexible enumeration option was demonstrated (--dump-all), rather than focusing on the fact that sqlmap has plenty of options to automatically enumerate/dump specific information, for example to test whether the session user is a DBA, retrieve only the current user's password hash, dump only a range of entries from a table or even only some of its columns, etc. All of these features are illustrated with examples in the sqlmap user's manual.
Also, he is showing the sqlmap user's manual from the site (0.7rc1), but during the demonstration he is using sqlmap 0.6.4.
  • Minute 7:10 - "[...] there has been a lot of tools that do PHP [...]. This tool also has the capability of doing ASP [...]".
SQL injection is not a matter of the web application language. It is a matter of a lack of security-driven development best practices, a lack of proper input sanitization, a lack of a proper web application firewall and so on. The idea John puts forward here is wrong and can lead a newbie user to misunderstand the flaw.
Also, from his words it seems that a SQL injection tool is more powerful if it "does" more web scripting languages: needless to say, this is totally wrong because, once the tool's engine is written and working, a SQL injection tool does not care at all which language the application is written in. On the other hand, something that should be considered when evaluating a SQL injection tool is its support for different back-end DBMS software, which implies support for different SQL dialects, because the SQL statements depend on the database software / version / session user privileges. Again, not on the front-end language.
  • Minute 7:26 - "[...] a wonderful error [...] tools crash anytime [...]".
If you take a look at the Python traceback, you see why the tool raises the exception: sqlmap saves everything it fetches into the output/ subfolder. John probably ran the tool the first time as a privileged user, so output/testasp.acunetix.com/log was created with 644 permissions and owned by root; since he runs the tool the second time as a normal user (apparently argotek), it obviously "crashes" with a Permission denied exception.
  • Minute 7:39 - "[...] going off Microsoft SQL back-ends as well as part of ASP".
Good point, but Microsoft SQL Server can be the back-end DBMS also for a front-end application in PHP or any other language that has built-in or external connectors to support connections to such DBMS.
  • Minute 7:50 - --sql-shell has recently been fixed. Give the latest development version from the Subversion repository a try. However, good point and well described here.
  • Minute 8:35 - Thanks for pointing the user to RTFM several times.
  • John only mentioned the takeover functionality at the beginning of the video while going through the user's manual pages.
    What about a video demonstrating in practice the new features to take over the underlying file system and operating system from the SQL injection vulnerability? To give you an idea, just grab sqlmap from the Subversion repository and read more in my presentation slides, whitepaper and video.
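As an added illustration of the Permission denied failure described under Minute 7:26 (example code written for this post, not sqlmap's own), the following reproduces the POSIX write check offline on a constructed root-owned 644 log file and turns the result into a readable diagnostic instead of a traceback. FileInfo and the function names are assumptions of this example.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class FileInfo:
    """Constructed stand-in for the os.stat() fields the check needs."""
    mode: int        # permission bits only, e.g. 0o644
    owner_uid: int
    owner_gid: int


def can_write(info, euid, egid, groups):
    """POSIX discretionary access check for the write bit.
    Owner bits apply if the uid matches, otherwise group bits if any group
    matches, otherwise the 'other' bits. Root (euid 0) bypasses DAC."""
    if euid == 0:
        return True
    if euid == info.owner_uid:
        return bool(info.mode & stat.S_IWUSR)
    if info.owner_gid == egid or info.owner_gid in groups:
        return bool(info.mode & stat.S_IWGRP)
    return bool(info.mode & stat.S_IWOTH)


def diagnose_output_log(path, info, euid, egid, groups):
    """Return None when the log is writable, else a human-readable reason."""
    if can_write(info, euid, egid, groups):
        return None
    return ("cannot write %s: mode %s, owned by uid %d, running as uid %d; "
            "remove the stale output or re-run as the user that created it"
            % (path, oct(info.mode & 0o777), info.owner_uid, euid))


def diagnose_real_file(path):
    """Hypothetical pre-flight wrapper: stat a real file and use the process identity (POSIX only)."""
    st = os.stat(path)
    info = FileInfo(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return diagnose_output_log(path, info, os.geteuid(), os.getegid(), set(os.getgroups()))


if __name__ == "__main__":
    # Constructed scenario from the video: log created by root with 644,
    # then the tool is re-run as an unprivileged user (uid 1000).
    ROOT_OWNED_644 = FileInfo(0o644, 0, 0)
    print(diagnose_output_log("output/testasp.acunetix.com/log", ROOT_OWNED_644, 1000, 1000, {1000}))
```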

Monday, May 25, 2009

EUSecWest 2009

I have been selected as a speaker for EUSecWest 2009! I am scheduled to talk on May 28.

I will be presenting a cut-down version of my Black Hat Europe talk due to the shorter time available. However, the most interesting aspects of the research will be covered, along with practical demonstrations with the latest sqlmap development version.

The Conference will take place on May 27 - 28, 2009 at the Sound Club in central London (United Kingdom) and the schedule looks very promising, don't miss it if you can!

Wednesday, May 20, 2009

Back from OWASP AppSec Europe 2009

Last Wednesday I was in Kraków (Poland) at the OWASP AppSec Europe 2009 Conference, where I gave a talk, met some OWASP Italy mates again and a few new people too, and had good chats and fun times.

Thanks OWASP Board for organizing the event and giving me the opportunity to come over!

Giorgio Fedon took some pictures during my speech, you can have a look at them on his Facebook photo album. I also mirrored them here.


My presentation slides are available on Slideshare here and on the OWASP site here, along with all the other presentations. The video should also be available soon on the OWASP channel on Blip.TV.