Monday, March 23, 2009

Black Hat Europe 2009

I have been selected as a speaker for Black Hat Europe 2009 Briefings! I am scheduled to talk on April 16.

My presentation is titled "Advanced SQL Injection exploitation to operating system full control" and the abstract is as follows:
Over ten years have passed since a famous hacker coined the term "SQL injection" and it is still considered one of the major web application threats, affecting over 70% of web applications on the Net. A lot has been said on this specific vulnerability, but not all of the aspects and implications have been uncovered yet.

It's time to explore new ways to get complete control over the database management system's underlying operating system through a SQL injection vulnerability in those overlooked and theoretically not exploitable scenarios: from command execution on MySQL and PostgreSQL to a stored procedure's buffer overflow exploitation on Microsoft SQL Server. These and much more will be unveiled and demonstrated with my own tool's new version that I will release at the Conference.
At the moment I am rushing to write the last pages of the white paper: the deadline is in a few days.
The research phase is finished with the expected results and the development is at a good point.

The Conference will take place on April 14 - 17, 2009 at Moevenpick Hotel City Centre in Amsterdam (The Netherlands). Don't miss it if you can!

UPDATE - April 2009: Pre-conference media coverage:
Post-conference media coverage:
