Blind SQL Injection Automation Techniques

Presented at DEF CON 12 (2004), Aug. 1, 2004, 3 p.m. (50 minutes)

Due to improper software design and implementation practices, the number of web-based applications vulnerable to SQL injection is still alarmingly high. Yet the actual steps used to exploit these applications remain very tedious and repetitive. This presentation will focus on methods available to automate the task of exploiting blind SQL injection holes. It will also feature a new tool, "SQueaL", and explain some of the research used in the creation of this tool, as well as ideas for expansion on the tool or other uses of the core libraries developed.


Presenters:

  • Cameron "nummish" Hotchkies - 0x90.org
    Cameron Hotchkies, aka nummish, is a member of the 0x90.org digital think-tank and head developer of the new blind injection tool, SQueaL. In his non-free time, he works as a web-application developer and has witnessed (and had to repair) great atrocities in web application design. This has left him a bitter and frail shell of his former self. Some people have suggested he get out more. He is currently struggling to write code to teach him how to properly pronounce the word "about". This will be his first time speaking at DEFCON.
