
The Art of Exploiting SQL Injection: 1 day hands on training at Black Hat US


notsosecure


Newbie

Posts: 12

Joined: Thu Apr 21, 2011 5:13 pm

Post Wed Feb 15, 2012 2:30 pm

The Art of Exploiting SQL Injection: 1 day hands on training at Black Hat US

Hello All,

This year at Black Hat Las Vegas, I will be hosting a 1 day training course on the most popular web app hacking technique 'SQL Injection'.

Here is the abstract of the course:

"This is a full day hands on training course which will typically target penetration testers, security auditors/administrators and web developers to learn advanced exploitation techniques. SQL Injection, although now nearly 15 years old, still exists in over 30% of the web applications. This vulnerability could typically result in 3 scenarios:

- Authentication Bypass
- Extraction of arbitrary sensitive data from the database
- Access and compromise of the internal network.

This training will target 3 databases:

- MS-SQL
- MySQL
- Oracle

and discuss a variety of exploitation techniques to exploit each scenario. The aim of the training course is to address the following:

- Understand the problem of SQL Injection
- Learn a variety of advanced exploitation techniques which hackers use
- Learn how to fix the problem

Identify, extract, escalate, execute; we have got it all covered."

More details can be found here:
https://www.blackhat.com/html/bh-us-12/ ... ction.html

There are a few seats still left and the course will sell out very soon. If you require more details feel free to contact me at sid-at-notsosecure-dot-com

Thanks
Sid

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Feb 15, 2012 4:59 pm

Re: The Art of Exploiting SQL Injection: 1 day hands on training at Black Hat US

Are you going to cover topics like sub-queries?  ;D
I'm an InterN0T'er

notsosecure


Newbie

Posts: 12

Joined: Thu Apr 21, 2011 5:13 pm

Post Thu Feb 16, 2012 2:35 am

Re: The Art of Exploiting SQL Injection: 1 day hands on training at Black Hat US

Topics like sub-queries are indeed covered. We start from very basic SQL Injection: authentication bypass, and then gradually move to advanced topics such as blind injection, extracting data with out-of-band channels (like DNS), time-based SQLI, heavy query, injection in order by, group by, limit etc. There are as many as 15 exercises to practice every technique.
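Two of the vectors listed in this reply, injection in ORDER BY and LIMIT, are worth a defender's note because they are the cases a prepared statement alone does not fix: a column name or sort direction cannot be bound as a parameter. The following is an added example, not material from the course or the poster; it assumes Python with the standard-library sqlite3 module and a constructed `users` table, and shows the allowlist approach beside the broken "just bind it" attempt.

```python
"""Safe handling of user-controlled ORDER BY / LIMIT (constructed example).

Identifiers cannot be bound as parameters: ``ORDER BY ?`` sorts by a string
constant and silently ignores the request, which is why these clauses need an
allowlist rather than a prepared-statement placeholder.
"""
import sqlite3

# Allowlists: the only identifiers that may ever be spliced into SQL text.
SORTABLE_COLUMNS = {"id", "username", "created"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
MAX_LIMIT = 100

def connect():
    """In-memory table with constructed sample rows (inserted out of order)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, created TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(3, "carol", "2012-03-01"), (1, "alice", "2012-01-01"),
                      (2, "bob", "2012-02-01")])
    return conn

def list_users(conn, sort_by, direction, limit):
    """Return usernames ordered by an allowlisted column; reject anything else."""
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    direction_sql = DIRECTIONS.get(str(direction).lower())
    if direction_sql is None:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    limit = int(limit)  # LIMIT is a value: coerce (non-numeric raises) and range-check
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit out of range: {limit}")
    # Identifiers come only from the allowlist; the row count is a bound parameter.
    sql = f"SELECT username FROM users ORDER BY {sort_by} {direction_sql} LIMIT ?"
    return [row[0] for row in conn.execute(sql, (limit,))]

def naive_order_by_bound(conn, sort_by):
    """Anti-pattern: the bound column name becomes a constant, so no sorting happens."""
    rows = conn.execute("SELECT username FROM users ORDER BY ?", (sort_by,))
    return [row[0] for row in rows]

def request_is_accepted(sort_by, direction, limit):
    """True if list_users accepts the request, False if validation rejects it."""
    try:
        list_users(connect(), sort_by, direction, limit)
        return True
    except ValueError:
        return False
```

The same allowlist pattern applies to GROUP BY terms; only values (row counts, filter operands) belong in bound parameters.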

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Feb 16, 2012 5:44 pm

Re: The Art of Exploiting SQL Injection: 1 day hands on training at Black Hat US

Now that sounds like I can associate the word advanced with it  :) Thanks for the info!  ;D I was wondering how advanced it would be, as "advanced" is relative, compared to who's looking. After all, a complete beginner might think something relatively simple is advanced, while a MySQL pro will probably think the common SQLI is easy. But it looks good, esp. that you included the "limit" injection angle / vector too, as that's definitely not as easy as a UNION SELECT :-)
I'm an InterN0T'er

notsosecure


Newbie

Posts: 12

Joined: Thu Apr 21, 2011 5:13 pm

Post Thu May 03, 2012 2:08 pm

Re: The Art of Exploiting SQL Injection: 1 day hands on training at Black Hat US

Here is a video preview of the training:

http://www.youtube.com/watch?v=6pg-lRv8XTQ

Only a few seats left...

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu May 03, 2012 6:36 pm

Re: The Art of Exploiting SQL Injection: 1 day hands on training at Black Hat US

Interesting video, even though I've seen most already.  :) Very well produced  ;D
I'm an InterN0T'er

notsosecure


Newbie

Posts: 12

Joined: Thu Apr 21, 2011 5:13 pm

Post Sun Jun 03, 2012 3:54 am

Re: The Art of Exploiting SQL Injection: 1 day hands on training at Black Hat US

A few seats still left in the course. The course has been completely re-written and contains only relevant/advanced instances/examples, such as:

- SQLI in order by, group by etc.
- SQL in stored procedures
- double encoding
- Injection in cookies, headers
- OS code exec by UDF Injection
- and loads more..

See you there!
https://www.blackhat.com/html/bh-us-12/ ... ction.html

Thanks
Sid
www.notsosecure.com
