We got everybody? Alright, let's do this. Okay guys, I'm Joe McCray. If you've never heard of me, you're like the rest of the conference. I'm a network pentester guy, you know, anybody ever heard of one of those guys? You know, I'm aka the black guy at security conferences. Yeah, it's me, it's me. There's like three of us, you know.

If you're one of them, so, see, I got... yes, see, okay, that's us, that's us. I'm a network pentester. Who is with me that web application security is stupid shit? Yes. That was me for years and years and years and years. I was like, cross-site scripting, who the fuck cares? I get pop-ups when I surf the web all the time. Just one that says XSS, yeah, kind of wasn't scaring me. So I realized that I have been here, God, since like DEF CON 8, so I'm fucking old. Who's with me? Old? Yes, okay. I remember... okay, let's take... take me back, my... so fuck it, let's go back.

Who remembers back in the good old days when you would tell the customer all you need to do is apply a patch? Who remembers that? And customers would say shit to you like, it might break something. Okay, people didn't apply patches, they would go read, you know, about the patch to figure out, like, if it was gonna break some important shit. That's what I remember. You know, I remember we would use ISS because Nessus was like some rogue open-source thing. Anybody remember that, back when Nessus... who remembers Nessus used to be free? Yes. So I remember back in the days we'd break out our uber tools, we did it something like this, go with me guys, go with me. So you'd port scan the network, you'd run nmap, find a bunch of open ports, you'd banner grab, you go, okay, this is what you're running. You go out to websites like rootshell, does anybody remember rootshell? Yes. So we'd go out, we'd grab our exploit code, we'd own half the freaking planet. Nobody applied patches back then, so we would go, we would own the whole freaking planet. We'd write a report that just said "you suck." That was it, that was it. You tell the customer, you suck, really, you suck, apply a... that was it. People would be like, wow, this guy is bad.
Well, now pentesting is different. Every... I mean, like, you can't even walk in a Barnes & Noble without tripping over a security book, so everybody's a CISSP, every customer is a security consultant trying to tell you how to do the assessment, right? Come on, yeah. So we would get paid for telling people that they were dumbasses. Now they think that because they read, you know, Hacking Exposed, they're the pentester now, but they're still hiring us. So now they've got 50 million other security things for us to go against, you know, firewalls, antivirus, intrusion detection, intrusion prevention, they've got everything. There's so much stuff for us to go against. You know, the game has changed. It's not ports... who doesn't port scan anymore? Who's like, why? Who's with me? Okay, I've got one man back there. I don't port scan anymore, it's pointless. Why? I go through the web app. So I used to be one of those guys who said this web app stuff is stupid shit, it's dumb, you know, and then I saw sqlninja uploading netcat via SQL injection, and bro, it like changed my life. Like, Jesus, I was like, that's it, that's what I want to do. Switched to the web app, I completely changed house, just like, fuck it, I'm gonna go learn this web app shit.

So let me walk you through the agenda, hopefully my laptop will stay on. I always submit a talk called "SQL Injection for Mere Mortals" where I cover the basics of SQL injection. It never gets accepted. This is like the 15th time I've given this talk; no one ever wants to learn the basics. So I'm not teaching the basics. If you don't know SQL, sucks to be you, because I'm not teaching it. If you don't know the basics of SQL injection, again, sucks to be you, I'm not teaching it. So anyone who does know me knows that if you buy me rum and coke, hey, I'll teach whatever the hell you want to know. So get me some rum and coke, I will explain to you any of this shit. By the way, if you guys haven't noticed, I curse. Just... I'm black, I'm not here to clean, I'm a security guy, I do curse, okay? Stay with me.
Alright guys, we've got three classes of SQL injection: in-band, out-of-band, inferential. So I'm sure everybody can read the slides. Let's get through this, because I'm gonna try and move on to SQL injection in the real world. Okay, so in-band SQL injection is when you're attacking the site and then you see the error message. So, like, here it says "syntax error converting the varchar value 'Joe' to a column of data type int." So in this case the error message is right on the screen. You did your attack, it's in-band, you see it right where you did it. Out-of-band is different: you maybe get the response back over email, over HTTP, or over DNS. So you do the attack and then the results of the attack come back over a different means. Okay, please kind of bear with me, I'm kind of moving quickly.

Okay, alright, inferential. Inferential is when you don't get error messages. You always get developers who tell me stuff like, well, what if I just turn off verbose error messages? What if I redirect everybody to a custom 404 page, won't that stop you? And you kind of look at them like, no. So with inferential SQL injection you're asking the database a question. You're like, hey database, if you're running as system administrator, why don't you wait 10 seconds and then give me the valid page? So you ask the database the question, and it waits a couple of seconds and then it gives you the valid page. You're like, oh cool, so you are running as, you know, dbo or whatever the case may be.

Alright, so what about tools? Everybody loves tools, so let's go over some simple concepts with the tools. One, I don't use closed-source tools, sorry. So, with the first tool... I can't even say it, sorry, a little bit too much alcohol: wpoison, sqlmap, pity, w3af, Paros, SQiD. These tools identify SQL injection, but the thing that I run into is they only identify one, or in some cases two. Okay, so this is that little hint, people: there's three types of SQL injection, error-based, union-based, and blind. So if your tool only identifies one or two types of SQL injection... is anybody kind of picking up on what I'm... here? Come on, come on, come on. Yes, you will miss something, you will miss something. Okay, so again...
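The in-band versus inferential distinction the talk draws, shown as an added example (this is not the speaker's code and not code from any tool named in the talk): a small SQLite-backed lookup built by string concatenation, the same lookup with a bound parameter, and a defender-side check that shows why switching off verbose error messages only hides the in-band symptom and does not remove the injection. The table, the user names and the two probe inputs are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, in memory only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("joe", "admin"), ("alice", "user")],
    )
    return conn


def lookup_vulnerable(conn, name, show_errors=True):
    """Builds the query by concatenation: the injectable pattern.

    show_errors=True models the in-band case (database error text goes back
    to the client).  show_errors=False models the 'fix' developers propose in
    the talk: a generic page instead of the error, with the query unchanged.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    try:
        rows = conn.execute(sql).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc) if show_errors else "not found"}


def lookup_safe(conn, name):
    """Same query with a bound parameter: the input is data, never SQL."""
    rows = conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()
    return {"ok": True, "rows": rows}


def boolean_probe_differs(conn, lookup):
    """Inferential (boolean-based) check a defender can run on an endpoint.

    Send two inputs that are identical except for a condition that is always
    true versus always false.  If the two responses differ, the condition was
    evaluated by the database as SQL, even though no error text came back.
    lookup is any callable taking (conn, user_input).
    """
    always_true = "joe' AND '1'='1"
    always_false = "joe' AND '1'='2"
    return lookup(conn, always_true) != lookup(conn, always_false)


if __name__ == "__main__":
    db = make_db()
    quiet = lambda c, n: lookup_vulnerable(c, n, show_errors=False)
    print("in-band error visible:", lookup_vulnerable(db, "joe'"))
    print("vulnerable, errors hidden, probe differs:", boolean_probe_differs(db, quiet))
    print("parameterised, probe differs:", boolean_probe_differs(db, lookup_safe))
```

The same probe with a database-side delay instead of a true/false condition is the time-based variant the talk describes ("wait 10 seconds and then give me the valid page"); the defender's conclusion is identical in both cases, since only the parameterised lookup returns the same response for both probes.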