DEFCON 17: Advanced SQL Injection

Sign in or sign up now!
Alert icon
Upgrade to the latest Flash Player for improved playback performance. Upgrade now or more info.
13,080
Loading...
Alert icon
Sign in or sign up now!
Alert icon

Uploaded by on Jan 15, 2011

Speaker: Joseph McCray Founder of Learn Security Online

SQL Injection is a vulnerability that is often missed by web application security scanners, and it's a vulnerability that is often rated as NOT exploitable by security testers when it actually can be exploited.

Advanced SQL Injection is a presentation geared toward showing security professionals advanced exploitation techniques for situations when you must prove to the customer the extent of compromise that is possible.

The key areas are:

•IDS Evasion, Web Application Firewall Bypass
•Privilege Escalation
•Re-Enabling stored procedures
•Obtaining an interactive command-shell
•Data Exfiltration via DNS

For more information visit: http://bit.ly/defcon17_information

To download the video visit: http://bit.ly/defcon17_videos

Category:

Science & Technology

Tags:

License:

Standard YouTube License

Link to this comment:

Share to:

Top Comments

  • @Wolver1nEmkd - so what exactly would be more advanced? I covered Error, Union, Blind, exfil via DNS, dealing with errors, and IDS/WAF evasion. What would be better - stacked queries, magic quotes, UDF, what? PS..Dumbfuck??? really???? - I speak at conferences all over the world. I'd love to see you come to me and call me dumbfuck to my face.

    j0emccray 6 months ago 18

  • Thumbs up for all his years of experience and everything he put into it

    FlentMan 6 months ago 18

see all

All Comments (27)

Sign In or Sign Up now to post a comment!

  • this guy is fucking cool

    guruleinii 2 weeks ago

  • @j0emccray lmao, we all love you bro.

    And you're not here to clean ;D

    VerifyVolatile 2 months ago

  • This guy Joe is so awesome! i've leanred so much!

    tyulik 3 months ago

  • Hats off to Joseph, really enjoyed your presentation. Thanks

    Gridlock73 3 months ago 3

  • @j0emccray Something new maybe; i've had 4 lines of code in a common header file for years that owns every thing you have described. In your defence you really did nail it the coding needs to be stupidly flawed.

    The mention of param injection also makes no sense i mean i would seriously need to dynamicly run over _GET or _POST and just assume everything was valid and import them into my namespace.

    Meh learned nothing.

    FragTheLag 4 months ago

  • @j0emccray You wouldn't want to get in trouble for beating up a twelve year old with a mental capacity of a sink plunger would you Wolve?

    Microblitz 4 months ago

  • great guy for great tuto, good job

    SHARED745 4 months ago

  • "Well now pentesting is different... You can't even walk in a barnes&noble without tripping over a security book"

    I found this funny, since there's an XSS vulnerability on barnes&noble's website. lol

    VerifyVolatile 5 months ago

  • @Wolver1nEmkd he taught you Advanced sick burn lol

    Cacawate 5 months ago

Loading...

Alert icon
0 / 00Unsaved Playlist Return to active list
    1. Your queue is empty. Add videos to your queue using this button:
      or sign in to load a different list.
    Loading...Loading...Saving...
    • Clear all videos from this list
    • Learn more