We got everybody? All right, let's do this. OK, guys, I'm Joe McCray. If you've never heard of me, you're like the rest of the conference. I'm a network pentester guy. Anybody ever heard of one of those guys? You know, I'm AKA the black guy at security conferences. Yeah, it's me. It's me. There's like three of us. You know, if you're one of them, see, I got them. Yes! See? OK, that's us. That's us. I'm a network pentester. Who is with me that web application security is stupid shit? Yes! That was me for years and years and years and years. I was like, cross-site scripting? Who the fuck cares? I get pop-ups when I surf the web all the time. Just one that says XSS. Kind of wasn't scaring me.

So I realized that I have been here, God, since like DEF CON 8. So I'm fucking old. Who's with me? Old? Yes. OK, I remember. Let's take me back. My laptop's going to power off, so fuck it. Let's go back. Who remembers back in the good old days when you would tell the customer all you need to do is apply a patch? Who remembers that? And customers would say shit to you like, it might break something. People didn't apply patches. They would go read about the patch to figure out if it was going to break some important shit. That's what I remember. I remember we would use ISS because Nessus was like some rogue open source thing. Does anybody remember that? Back when Nessus was free, who remembers? Nessus used to be free. Yes.

So I remember back in the days, we'd break out our uber tools. We did it something like this. Go with me, guys. Go with me. So you'd port scan the network. You'd run Nmap, find a bunch of open ports. You'd banner grab. You'd go, OK, this is what you're running. You'd go out to websites like Rootshell. Does anybody remember Rootshell? Yes. So we'd go out. We'd grab our exploit code. We'd own half the freaking planet. Nobody applied patches back then. So we would go. We would own the whole freaking planet. We'd write a report that just said, you suck.
That was it. That was it. You'd tell the customer, you suck. Really, you suck. Apply a patch, dumbass. You suck. And that was it. People would be like, wow, he is bad as hell. This guy is bad.

Well, now, pen testing is different. I mean, you can't even walk into Barnes & Noble without tripping over a security book. So everybody's a CISSP. Every customer is a security consultant, trying to tell you how to do the assessment. Come on. Yeah. So we would get paid for telling people that they were dumbasses. Now they think that because they read Hacking Exposed, they're the pen tester now, but they're still hiring us. So now they've got 50 million other security things for us to go against. Firewalls, antivirus, intrusion detection, intrusion prevention, they've got everything. There's so much stuff for us to go against. The game has changed. It's not port scan. Who doesn't port scan anymore? Who's like, why? Who's with me? OK, I got one man back there. I don't port scan anymore. It's pointless. Why? I go through the web app.

So I used to be one of those guys who said this web app stuff is stupid shit. It's dumb. And then I saw sqlninja uploading netcat via SQL injection. And bro, it changed my life like Jesus. I was like, that's it. That's what I want to do. So I switched to the web app. I completely changed. I was just like, fuck it. I'm going to go learn this web app shit.

So let's walk you through the agenda. Hopefully my laptop will stay on. I always submit a talk called SQL Injection for Mere Mortals where I cover the basics of SQL injection. It never gets accepted. This is like the 15th time I've given this talk. No one ever wants to learn the basics. So I'm not teaching the basics. If you don't know SQL, sucks to be you because I'm not teaching it. If you don't know the basics of SQL injection, again, sucks to be you. I'm not teaching it. So anyone who does know me knows that if you buy me rum and Coke, hey, I'll teach whatever the hell you want to know.
So get me some rum and Coke. I will explain to you any of this shit. By the way, if you guys haven't noticed, I curse. I'm black. I'm not here to be clean. I'm a security guy. I do curse. Stay with me.

All right, guys, we've got three classes of SQL injection: in-band, out-of-band, inferential. So I'm sure everybody can read the slides. Let's get through this because I'm going to try and move on to SQL injection in the real world. So in-band SQL injection is when you're attacking the site and then you see the error message. So like here, it says, syntax error converting the varchar value 'Joe' to a column of data type int. So in this case, the error message is right on the screen. You did your attack. It's in-band. You see it right where you did it. Out-of-band is different. You maybe get the response back over email, over HTTP, or over DNS. So you do the attack, and then the results of the attack come back over a different means. Please kind of bear with me. I'm kind of moving quickly.

All right, inferential. Inferential is when you don't get error messages. You always get developers who tell me stuff like, well, what if I just turn off verbose error messages? What if I redirect everybody to a custom 404 page? Won't that stop you? I mean, you kind of look at them like, no. So with inferential SQL injection, you're asking the database a question. You're like, hey, database, if you're running as system administrator, why don't you wait 10 seconds, and then give me the valid page? So you ask the database the question, and he waits a couple of seconds, and then he gives you the valid page. And you're like, oh, cool. So you are running as dbo or whatever the case may be.

All right, so what about tools? Everybody loves tools. So let's go over some simple concepts with the tools. One, I don't use closed source tools. Sorry. So with the first tool, I can't even say it. Sorry, a little bit too much alcohol. wpoison, sqlmap, Wapiti, w3af, Paros, SQLID.
These tools identify SQL injection. But the thing that I run into is they only identify one, or in some cases, two. So this is that little hint to people. There's three types of SQL injection: error-based, union-based, and blind. So if your tool only identifies one or two types of SQL injection, is anybody kind of picking up on what I'm inferring here? Come on, come on. Yes, you will miss something. You will miss something. Okay, so again, error-based is asking the database a question, and then gleaning the answer to your question in an error. Union is joining your own SQL query to the query that's already there. And then lastly, blind, that's asking it like, okay, well, does one equal one? Database is like, yeah, it does. Does one equal two? Database is like, no, it doesn't. That's inferential-based.

All right, so here's my methodology. Key things that are important for me. Everybody knows that when you're testing for SQL injection, you need to use a tick, okay, the single quote. So I always say, identify the injection point. You see in the query string that you can insert your tick. You go, all right, cool. Identified my injection. And then determine the type. Is the point that I'm injecting into, is it an integer, or is it a string? And if I can figure that out, which shouldn't be too hard, because can we differentiate between numbers and letters? Okay, so if you can do that, you can figure out that if it's a number, it's an integer. If it's got letters, it's a string. So that's determining the injection type. Is it integer-based or is it string-based? Now I know that sounds stupid, but the reason that that's important is because if you can figure that out, that's how you know whether you need your tick or not, your single quote, for all of the rest of your attacks. And as corny as it sounds, that's extremely important for IDS evasion and web application firewall evasion. So now we start going down into it. How do we attack it?
Well, the first thing is to just go for error-based. That's the easiest. If it throws an error, we can look at it and go, ah, SQL error. Pretty easy, okay? Sometimes we don't have errors. We have to move on to union-based, where we try to append our own query to it. Union joins two queries. And if none of it works, we go for blind.

All right, so I have to focus on manual testing. If none of your tools identify all three types of SQL injection, you're really gonna be forced to learn how to test for this stuff manually. Now who uses WebGoat? Anybody? WebGoat? Okay, so when I first started using WebGoat and WebMaven and Hacme Bank and Hacme Books and all these applications that are designed to teach you web app sec, I was like, wow, this is cool. Then I actually tried to pen test a real web app. Anybody go through that one? It's kind of a little different, right? Okay, SQL injection in the real world is difficult. Okay, so that's really kind of why I started putting this together, because it was all the headaches I went through.

Okay, so integer-based injection, so you see page.asp, question mark, that's the parameter, id=1, cool. So it's a one, so now we know it's, this isn't working very well. So it's a one, so we know that that's an integer, we don't need our tick. We look down here at string-based SQL injection, id=x, so now we know we need to use our tick. Very important to remember. So I'm gonna move through this kind of quickly because it's a breakout talk. I don't even have a Q&A period, I'm supposed to just go 50 minutes, so we're gonna move quickly, okay?

All right, so let's start with MSSQL syntax. So you're attacking a website and it's page.asp?id=1, and one of the most common things that people will say is, or 1=convert(int, user). Now the database comes back and he's like, dude, you can't convert the value of user into an integer. What are you, an idiot?
So in that, we get the actual database user, so see syntax error converting the varchar value 'dbuser' to a column of data type int. So the database responds by actually answering your question, who is the user, in the error message. So some other things that I've learned is to grab some other things. Grab the database user, grab the database name, grab the server name, grab the OS version. Just replace user with db_name, server name, just replace that in your injection point. And that'll help you, you can get through these things quickly, okay?

Union-based looks like this. So here you see that id=1, so you add a union select all 1. Then it comes back and it tells you, whoa, all queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists. You have to have the correct number of columns. So now what do you do? You go, okay, well let's try union 1, 2, and you keep getting the error message. So you keep adding numbers until you finally get no error message. So here you see it's union select all 1, 2, 3, 4, no error message. So we go, okay, now I know there's four columns. So now I can replace one of those columns with the word user or db_name, and now we can start extracting data out of it. Okay, and this is for those cases when you don't have error messages.

All right, lastly, blind SQL injection. This is where you start asking really weird questions. If the database user name is one character, wait 10 seconds. Okay, if the page comes back immediately, okay, well I know it's not one character. If the database user is two characters, wait 10 seconds, it comes back immediately. Okay, so I know it's more than two characters. If the database user name is three characters, wait 10 seconds, then you see that it waits 10 seconds, and then the valid page displays. Even if it's just a home page, you go, wow. Okay, so the database user name is three characters.
So we break out our handy-dandy conversion chart, ASCII/decimal/hex. We say, okay, 97 is the letter a. So is the first letter of the database name an a? If it is, wait 10 seconds. So now you'll see that it's not, and you keep iterating through it. Is it a 98, the letter b? No, it's not. Is it a 99, the letter c? No, it's not. It's a 100, the letter d, and then it waits 10 seconds. Is anyone picking up on the fact that this is gonna take a while? I'm just hoping, I know it's early. I know it's early. Does anyone realize this is gonna take a while? This is blind SQL injection. Who's with me? This fucking sucks. This fucking sucks, you don't wanna do blind. You wanna do error-based first. You wanna read the errors. Well, okay, if that doesn't work, then we go for a union. And if that doesn't work, then we go for blind.

So I don't like when guys say, oh, I just use sqlmap. Do you realize sqlmap uses blind SQL injection? I had a buddy of mine tell me he's on a pen test. So he asked me to help him with this injection. So we're talking and I'm helping him. So he's like, oh, I wanna dump the whole database. And I'm like, okay, I'll help you out. What are you gonna use? He goes, sqlmap. And you ever have one of those days where you're talking to your buddy and you really wanna tell him some simple shit, but you're like, you know what? This is one of those lessons that it's better you learn on your own. Two days later, he dumped the entire database. Two fucking days of database queries for him to dump the entire database. Hello. So that was a good lesson. He doesn't do that anymore.

So here we finally guess the second character is a b. Here we guess the third character is an o. Oh, database owner. Okay, I'm gonna skip MySQL syntax. If you wanna know this stuff, catch me outside. All right, but real quick on the union. How do I figure out where to throw in the word user and all that kind of stuff?
What's happening is, if the website is saying id=1 union all select 1, 2, 3, 4, 5, now I get a valid page. So I know there's five columns. I'll change the value 1 to a negative number. Doing that will make numbers display on your screen. It looks fucking weird, but it works. So you change the value to a negative number, or the word null. And now what happens, you'll get the column numbers that echo back data right to the center of the screen. So it looks like this. So it's a real website, you know, sucks to be them. But I just changed the word to id=null. There's seven columns in the table. But can you see now that the number six and the number three display right in the middle of the screen? So now I replace column six and column three with my queries. So now you can see that column three is user. You guys see the lower case three, the small three? That's ws_user@localhost. You see the @@version. Now it comes back saying, hey, I'm MySQL version 5.0.45. So now we're extracting all this data straight to the website. Okay, and then the same thing like I showed you with Microsoft SQL injection. You know, you can just replace them with user, database, version, data directory. There's a whole bunch more. All right, now we already know about the blind SQL injection. So let's move on through that.

SQL injection in the real world. So I call it, ugh, what the fuck? Pen testing is a pain in the ass. And if it's not a pain in the ass, you're probably using Core Impact. So if you're a real pen tester, it's fucking work. Weird error messages, okay? So I watch TV while I hack. You know, so I watch a lot of videos and stuff like that. So is it just me or is Lil Jon a millionaire with only a two-word vocabulary? Does anybody, this is the shit I think about while I'm hacking. I think this is deep thought for me, you know. So it bothers me, you know, like I'm hacking into banks.
I'm breaking into like multi-million dollar systems and all that kind of stuff. And I don't make seven figures. I've got an extensive vocabulary comprised of fuck and shit and all kinds of words I can use. I can put some long words together. I'm telling you. And how the hell, okay, well, let me move on to the next slide. I'm not bitter. We're just gonna own littlejohn.com.

So we're going to littlejohn.com. It's littlejohn.asp and it's lil, right? So lil is the parameter. It's a string, so we need the tick, right? Yes, yes we do. So we need the tick and here we get this funny error. Microsoft OLE DB Provider for SQL Server, incorrect syntax near ')'. So about two freaking days goes by of me Googling everything on these types of errors. So I get a wild idea. I append a second parenthesis and it fucking works. Now, who's with me? You don't give a shit how or why as long as it works, right? Okay, well if you do WebGoat and all that kind of stuff, you put in a tick and the whole damn database drops. It's not like that in the real world, people. Not anymore. That stuff's gone. So now that I realize that I still need my tick and I need my right parenthesis for every injection, I'm cool. So if you're using an open source tool, just open up your Perl or Python based tool and change that for all the rest of your injections.

Okay, so now here we can see or convert(int, db_name()), and we see that the database name is yeah. Yeah? Now here we go convert(int, @@version), and it comes back and tells us, hey, we're running Microsoft SQL Server 2005 on Windows NT 5.2, which is Server 2003, Service Pack 2, okay? So there's a whole lot of yeah and what, and basically at the end of it I just got that Lil Jon shut the fuck up. Just bothered me.

Okay, so here was my next what the fuck. This one took me a little while. So I'm working on this website and it's PHP. So I do a union all select 1, union all select 2.
This is usually where I ask my girlfriend, I'm like okay, so what do you think? I go union, she's like yeah, go union baby, go union. Right, so I'm like union all 1, 2, then I get this error, whoa. The text, ntext, or image data type cannot be selected as DISTINCT. Who's a programmer? You guys are way better than me because I'm not. I was like, I have no fucking idea. I Googled and Googled and Googled, called my friends, Googled some more, called my friends, drank some more rum. None of it was working, those are my usual things by the way. And I'm working at it, working at it, working at it and I'm like, God, so finally one day I'm using that whole Google Translate thing and I find this Chinese website where the guy's like, dude, if you just do a convert(text, 'hello'), it'll allow you to keep enumerating past this point. I'm like, you've got to be kidding me. And he's like, yeah, so I tried it, freaking works. Okay, the issue is people put things in their database like favicons, like thumbnails. So it doesn't come up as just a regular string or a regular integer. Couldn't somebody have just put that in the first five results of Google? I mean damn, can you help a brother out?

So now we go back to iterating 4, 5, 6, 7, 8, 9, then we come up with, whoa, operand type clash: text is incompatible with int. Another weird freaking database. The database developer decided to do something cool. You know how these guys go, right? They're the smelly guys who, you know, you have these guys who work with you, right? The smelly one that you don't let talk to the customer? Come on, right? So he's back in the server room going, oh, this is gonna be so cool, if I just write these queries this way. It's that guy. So you're like, okay, man. So this one I found that if you actually just substitute the word null, I can get by that one.

So some quick tips I came up with. Always use the union with all, because of similar or non-distinct field types.
By default, union tries to get records with type distinct. Okay, use null in union as much as you can. It's just a much easier way when you don't know what the data type is. Really big help.

Okay, I'm gonna skip privilege escalation to save time. But essentially what's happening is you're allowed to make an OLE DB connection to the database and pass a username and password to it. Well, because of that, you can actually brute force the database. You just keep iterating through usernames until the connection is authorized. Okay, and I'm gonna skip this stuff. If you wanna ask me about it outside, I'll help you out, because we're kinda pressed for time and battery life. Okay, so essentially you just create, you'll add the current user to the SQL Server admins group.

Okay, filter evasion. Let's talk about the real stuff. The first thing is client-side filtering. How many of you know that client-side filtering sucks ass? Okay, so we don't need to explain on that one too much. People who do client-side filtering, it's easy to bypass by just using something like Tamper Data or Paros or saving the page locally and changing all that, because they're trying to stop you with JavaScript. So I talk to developers and I say, hey bro, does this pass the common sense test? All of your security mechanisms you're putting in the browser, and the hacker has control of his browser. Does that pass the common sense test? And then they kinda look at me like, wow Joe, I guess that doesn't. No, it doesn't.

Okay, restrictive blacklist. Sometimes you run into websites that use filtering and they'll say, okay, well, we're gonna use alphanumeric filtering. So you can't use things like a greater-than, a less-than, or an equals sign. So maybe I can't say or 1=1, but you can do some cool things like, well, is 1 like 1? Yes it is. Okay. Whoa, that didn't work. Okay, so signature-based IDS. This is the one that everyone always wants to talk about. How do you bypass the IDS?
So break out your handy-dandy chart, because this is what you're gonna need to bypass the intrusion detection system. So can everyone read Snort? Who speaks Snort? Everyone speaky Snort? Cool. Okay, so alert tcp, any IP address, any port, going to our web servers on our web server ports. The message we're gonna send to the analyst is SQL injection attempt. Now, what are we looking for? The content is tick or 1=1. So that's what we're looking for. Guys, how do we bypass this one? How about tick or 2=2? Huh, huh? Okay, simple IDS signatures suck. And I was an IDS analyst. I know what I'm talking about. I wrote a lot of simple IDS signatures. So why do we have signatures like this? You can say 2=2. You can say 1 is less than 2. You can say 1 like 1. You can intersperse comments, or 2/**/or 2, the whole bit, okay? We have these kind of signatures to catch automated tools. These are good signatures, believe it or not. We catch tools, automated tools, and we catch idiots. When I was an IDS analyst, I always used to say things to my boss, like, we catch idiots. We catch people who deserve to be caught. We catch people who don't know how to delete logs. We catch people who don't know where IIS actually stores logs. You know, we catch idiots. Great signature for idiots. So my opinion of IDS is, okay? I love this. I was an IDS analyst and we would get an alert and it'd be like, I got one. It's a real hack. Like, I got one. 50 million false positives all day long. I got a real hacker today. Got one. Got one.

Okay, let's move on to a little bit more complex of a signature. So in this case, any IP address, any port, going to our web servers, and we've got PCRE, Perl Compatible Regular Expressions. We're looking for the word and, we're looking for the word or, but we're still looking for 1=1. We're also looking for the comments that people add to the end of their injection.
So in this case, we bypass that very simply. So we'll do a 2=2. And then instead of the dash dash, %2D%2D. %2D is that comment. It's that hyphen hyphen. So again, we've bypassed the signature. Okay, so again, this is another example of a signature that we have for automated tools, but they're really not good because you can just open up your open source tools, sqlmap, SQLID, Wapiti, or any of these tools, and change your injections to look like this. That's what I do.

Okay, so now we've got some more complex ones. So here we're looking for a select statement. So select all records from, and then here we're looking for a union with the dash dash. So can you guys see that I just did an or 2 in, and then it's just a whole bunch of hex? Well, that hex translates to select user. So the entire signature is bypassed because we've encoded it completely in hex. Same thing with the union. Now there are some IDSs that can do normalization. So we'll talk about that. If you guys have questions, you can just kind of grab me outside. We'll talk about bypassing hosts that, I mean intrusion detection systems that do normalization, because that's possible as well. So here, in some cases, maybe they've got a signature that looks for hex, but they're not looking for the uppercase and lowercase versions of each letter. So a %73 and a %53, that's the lowercase and the capital s. Well, how do we bypass that? Use another encoding type, UTF-7, UTF-8, UTF-16, okay? The attacker has the advantage, guys.

Okay, anyone ever heard of PHPIDS? PHPIDS rocks, okay? So the best thing about the PHPIDS site is not deploying PHPIDS, it's what they call the smoke test. So what happens is you can try all of your attacks on the smoke test site and it tells you what regular expressions or rules that it triggers.
So what I do is I just keep going on this site and trying all of my different injections and different encodings until it finally tells me, just like football, right? It's good! So that's what I know. That's what I know. That's the type of injection that I'm gonna use against this host, okay? All right, so signature-based IDS, it's actually pretty easy to bypass.

Okay, web application firewalls. I'm gonna kind of skip through some of this kind of quickly, okay? So, key things that I look for. ModSecurity, anybody deploy ModSecurity, okay? All right, ModSecurity is awesome because if you actually do something scary, like read the documentation, it'll tell you, put /cmd.exe at the end of the URL. And if you do that, you'll get this 501 Method Not Implemented error. So great, how do you think I fingerprint ModSecurity now? That helps. So, other things like WebKnight, which is another open source web application firewall, you'll see in the response, HTTP/1.1 999 No Hacking. See, it's like, don't do that. Okay, well, Gary O'Leary-Steele, he has this awesome Unicode encoding tool. It's Ruby-based, so you can just put in your cross-site scripting or SQL injection and it encodes it all in Unicode. So this is great. So in this case, this is another web application firewall. So it gives me a 200 OK message, which is great for tricking vulnerability scanners into thinking that the host is okay and not vulnerable. It just flat out gives another 200 OK, the scanner just moves on. But if you actually look in the response, you'll see it says condition intercepted. So now you know you're dealing with some sort of filtering device.

So I was on a bank pen test recently and I ran into this little bugger called dotDefender. So I'm like, wow, dotDefender has blocked your request. Joe, you suck. So I was like, damn, now what? So I break out my smoke test and lo and behold, conversion failed when converting the varchar value 'dbo' to data type int.
This thing is running as administrator, $16 billion bank running as administrator, but they've got a web application firewall. So they're PCI compliant. So wow, the web application firewall is stopping the bulk of my attacks. So I went for the encoding thing. So I used the Gary O'Leary-Steele tool and now you see that it says, hey, I'm running SQL Server 2005 on Server 2003 Service Pack 2. So I said, you know what? That's cool, but I want something good. Why don't you just give me the admin password hash for the database? It's the end of my talk, fellas.

Okay, so if you wanna learn SQL, some great references, go learn SQL, great tutorials, cheat sheets. This guy, pentestmonkey. I don't know if he's here today, but if any of you know him, I've never met him, but he helped me out when I was trying to learn SQL injection, gave me some good pointers and all that kind of stuff. If he's here and you know him, point him my direction, I'm buying that guy a drink. Thanks. He's got the best cheat sheets on the internet for doing SQL injection, and he's got them for every backend database. Okay, so MS SQL, MySQL, Oracle, Postgres. He's even got a fricking Access SQL injection tutorial. The guy is the shit.

Okay, all right, references from me. Paul Battista's ToorCon 9 presentation was really good, helped me out a lot. Brad Warnack, he works at SecureWorks. He's got a great GIAC paper that's really good. That was helpful, and lots and lots of rum and Coke. That's how I do my thing. Okay, if you wanna catch up with me, I work at Learn Security Online. You know, hey, I'll try my best to help you out. If you want my slides, they should be on the DEF CON CD or you can email me for them. I'm on Twitter, I just don't use it here because it's all on the Wall of Sheep. You know, but if you wanna holler at me on Twitter, I got your back, okay? I'm on LinkedIn, say what's up. Cool? All right, what do you call it? How much time I got? You got 10 minutes. I got 10 minutes? Who's got questions?
Okay, well, I can't tell you about that bank, but we did a really cool bank where we were actually able to move money between accounts and all that. Who's ever wanted to do that, like change your grades in school and all that kind of stuff? So that was cool, we could move money between accounts, and it was an investment bank so we could do some cool things. SQL injection is great for that kind of stuff. We're able to dump the whole tables, we could see this particular bank. I remember the guy who was telling me, the director of information security, said, well, if you can get to the SWIFT network, or if you can get to these three accounts, and they're individuals whose account assets were over $200 million each, it's like, if you can get to their social security numbers, pen test is over, good job. So miraculously, via SQL injection, life is good.

Okay, any more of this? What's up, man? Not really. Okay, so the question was, have you ever found a way to get around prepared statements? So generally what people are gonna tell you is, if you use parameterized queries or prepared statements, it's really just a matter of input filtering and saying that this is what I'm passing to my database. I really have not run into that where we were intentionally bypassing or injecting into prepared statements. What I have run into is injecting into stored procedures. So people who say that stored procedures are a valid means of preventing SQL injection, they are wrong, right? You know, talk to the left because you ain't right type thing. It's wrong, does not work. Okay, so if they scrub the input, great, great. But again, how well are they filtering? Are they filtering for encoded type data? Correct, correct, correct. That would be the smart thing to do. And if I had customers like that, I wouldn't have a job. I mean, it's really that simple. Data input validation is always gonna be huge, right?
So if you're gonna say, I'm only going to accept from zero to nine in this field, I'm not going to accept anything else, no ASCII, anything, that's exactly what it would have to be. But in those cases where you don't know what it is, like I've been testing a car website. So they had the car model numbers. So if it's like a 325i BMW, it's got strings and characters in it. So some of that kind of stuff is where it gets hairy.

Okay, you have a question? Sure. Well, you're gonna hire me so we can try it out. So he's basically telling me, can you say that one more time? Okay. Okay, so essentially what you're dealing with is you're not saying that you're doing good input validation, you're ensuring that the attacker doesn't see database errors. Okay, so in that case, that's when we use union-based SQL injection and true/false or time-based blind SQL injection. So you're asking the database, hey, does one equal one? If the database gives you a valid webpage, then yes, he's processing that request. If you say, hey, does one equal two? And then it gives you an error page or a custom 404 page. Again, it processed your request. Now you know SQL injection is possible. Another one that's really, really good, Paul Battista shows this technique. So let's say it says id=5. If you can take that number five, encapsulated in parentheses, and say 4+1, and then you get the correct page, you now know that it's processing your database queries. It's doing arithmetic operators. So now we know that SQL injection is possible without error messages. So it is possible. The best thing to do is prepared statements, parameterized queries, use things like ASP.NET. If you're using classic ASP, do your upgrades to ASP.NET. That's the kind of stuff that's gonna help.

Okay, any other questions? Yes? I have not run into anomaly-based detection while I was pen testing. I have not. So I really can't speak on that.
If somebody has something like that that they wanna give me, I've got probably 30 or 40 vulnerable applications I can put it in front of, I would love to see what it's like. But I just can't see behavior-based, anomaly-based detection catching things like all of these different encoding types. I think it would be really, really difficult. I'm partnering with a couple of web application firewall companies, and encoding is where it's at. That is just where it's at. Okay, did you just add a question, sir? Sure. Sure, sure, sure, sure. They are, they are. What I've seen that's the best in this kind of thing, and to be honest, I really haven't seen it deployed, is PHPIDS. ASP.NET has what's called Request Validate. And that's been very, very good. But does anybody know PortSwigger? You know, they make Burp Suite? Okay, great, great, great tool. He has a blog post on parameter name SQL injection as a means of bypassing Request Validate. So if it's ID equals five, instead of actually injecting into the five, you're injecting into ID, the parameter name itself. So that's a very, very good way for that kind of stuff. You'll get a, you're not injecting into the where clause, which is the norm. You know, you've got a completely broken query. You have to manufacture the query out of it. But it's definitely possible. You know, so again, you're going to do that. Put your injection in and then just comment out the rest of it. Okay, yes, sir? Sure, sure. Dynamic preprocessors in Snort and normalization of traffic are what we're going to have to talk about outside. But yes, that's a very good solution, but extremely resource intensive. And, you know, again, someone who's just got like a whole server farm and all that kind of stuff, I just haven't seen it be effective. You know, and I'm not down on Snort or any of those guys. And all those guys are here. I'm not hating on it. I'm just saying, you know, really, I don't see customers who deploy it that way. 
And then when they do, they're dropping packets all the time because it's just so much stuff to load all these dynamic preprocessors. Yes, sir? I personally haven't. I think the hottest thing right now for... Okay, so he was talking about ORMs. I haven't tested it. So I can't really speak on that one. Can't really speak on that. I run into a lot of ASP, a lot of PHP, a lot of ASP.NET. The thing that's starting to be new for my business is Ajax and web services. That's really kind of what I'm running into, a lot of this new stuff. Yes, sir? Yeah. Do you, are you on LinkedIn or something like that? Email me. Definitely work with you on that. I've got a list of stuff that I've been giving to developers. That's actually something I should put in the slides. That would make sense, huh? I guess that passes the common sense test. Yes, sir? Yes, there is. He's asking, are there any tools for showing you what is in the way? There's a guy named Sandro Gauci and another guy named Wendel. Wendel works for Trustwave. Sandro works for what he owns, Enable Security. And I've been helping with that and they've got a project called wafw00f and wafun. And it's on Google Code. I should throw that up there. And basically what we're doing with that is we are fingerprinting web application firewalls. And now with wafun, we're brute forcing web application firewall rule sets. So we'll just keep sending all the different types of requests and see what types of filtering we get back to determine what the web application firewall rule set is. So that's definitely on the way. We need code monkeys who can help us with that. And we need people who don't mind us beating up on their website. So if you're like, hey, we're running Imperva, let us give it the beat down and we'll happily add that to the tool. Yes? Sure. Okay, that's a pain in the butt. He's talking about escaping. So what's happening is you're doing your injection and this is another one of those WTF ones. 
You'll say, or 1 in select user, and then right at your or, you'll see in the error message that it's added an extra tick and broken your query. Right? So that's a, you know, I call that a little poor man's fix, a ghetto fix. That's a pain in the ass, but it is bypassable. You can use slashes to negate your tick and you can use encoding, or what's even better is what if you're injecting into an integer, and in that case, you don't need your tick at all. Okay, so those are really the two things that I'm using that helped me in those cases. Do we have any other questions? Yes, sir. Yeah, yeah. He's talking about injecting into Ajax, JSON. Biggest thing that I'm finding is you need something that's going to allow you to mess with that request in and of itself. So things like SoapUI, great tool for that, because you can actually generate, you know, the WSDL and connect to this web service. You need things like that. You need to be able to break the entire request apart. And worst case scenario, you'll just track the request itself manually with something like Wireshark and then submit the request on its own. You know, it's really just a manual, tedious process to be honest. Okay. All right. We got five minutes, a couple more questions. All right. Hey guys, my first time speaking at DEF CON, I've been here like so many years. I really appreciate you guys hanging out with me. Thanks a lot.
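The Q&A above makes two points that are easier to see in code than in speech: an application that hides database errors still "answers" when the database evaluates an expression in place of the expected value (the `1=1` versus `1=2` and the `(4+1)` checks), and the fix the speaker recommends is allow-list validation plus parameterized queries. The following is an added example, written by the editor and not part of the talk or any tool it mentions; it uses a constructed in-memory SQLite table of car models (echoing the car-website anecdote) and shows how a regression test can confirm that a hardened lookup no longer lets the database evaluate client-supplied expressions.

```python
import re
import sqlite3

# Constructed sample data for the example; nothing here comes from the talk.
SAMPLE_CARS = [(4, "320i"), (5, "325i"), (6, "330i")]

# Probe values a tester (or an application's own regression suite) would send.
# "5" is the legitimate value; the rest are the checks described in the talk.
PROBES = ("5", "(4+1)", "5 AND 1=1", "5 AND 1=2")


def make_db():
    """Build a throwaway in-memory table of car models."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (id INTEGER PRIMARY KEY, model TEXT)")
    conn.executemany("INSERT INTO cars VALUES (?, ?)", SAMPLE_CARS)
    return conn


def lookup_vulnerable(conn, user_id):
    """The 'before' version: the client-supplied value is pasted into the SQL text.

    Errors are not shown to the caller (they are swallowed into None), so the only
    signal is whether a row comes back, which is exactly what blind probing relies on.
    """
    try:
        row = conn.execute(f"SELECT model FROM cars WHERE id = {user_id}").fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


# Allow-list: an id is one to nine ASCII digits and nothing else.
ID_RE = re.compile(r"^[0-9]{1,9}$")


def lookup_safe(conn, user_id):
    """The hardened version: validate against the allow-list, then bind the value.

    Binding means the database receives the query shape and the value separately,
    so the value can never be parsed as part of the SQL.
    """
    if not ID_RE.match(user_id):
        raise ValueError("id must be digits only")
    row = conn.execute("SELECT model FROM cars WHERE id = ?", (int(user_id),)).fetchone()
    return row[0] if row else None


def probe(lookup, conn):
    """Run every probe through a lookup function and record what came back.

    A value rejected by validation is recorded as the string 'rejected'.
    """
    results = {}
    for value in PROBES:
        try:
            results[value] = lookup(conn, value)
        except ValueError:
            results[value] = "rejected"
    return results


def database_evaluated_expression(results):
    """True when '(4+1)' returned the same row as '5': the database did arithmetic
    on client input, which is the no-error-message tell described in the talk."""
    return results["(4+1)"] is not None and results["(4+1)"] == results["5"]


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        r = probe(fn, db)
        print(name, r, "expression evaluated:", database_evaluated_expression(r))
```

Run as a script, the vulnerable lookup returns the same model for `5`, `(4+1)` and `5 AND 1=1` but nothing for `5 AND 1=2`, which is the behaviour that lets injection be confirmed even with error pages suppressed; the hardened lookup returns the model only for `5` and rejects everything else before it reaches the database. The allow-list is deliberately strict because the speaker's own caveat applies: for fields like `325i` that legitimately mix letters and digits, the regular expression must be widened to that field's real format, and the bound parameter is then what keeps the value from becoming SQL.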