Automated Blind SQL Exploitation

Presented at ShmooCon I (2005), Feb. 6, 2005, 10 a.m. (60 minutes)

Because of improper software design and implementation practices, the number of web-based applications vulnerable to SQL injection is still alarmingly high. Yet the actual steps used to exploit these applications remain very tedious and repetitive. This presentation will focus on methods available to automate the task of exploiting blind sql injection holes and will discuss the use of pattern recognition in the domain of web applications. The audience will be given a tour through the logic used for "Absinthe", the 0x90.org blind injection tool.

Presenters:

• Nummish
  Cameron Hotchkies, aka nummish, is a member of the 0x90.org digital think-tank, and holds a B.Eng in Software Engineering. He currently develops business based applications on the .NET platform. Outside of work, he generally spends most of his time writing code. Some people have suggested he get out more.

Links:

• https://web.archive.org/web/20060116151828/http://www.shmoocon.org/2005/program.html#nummish

Similar Presentations:

• DerbyCon 2.0 Reunion (2012) / Rapid Blind SQL Injection Exploitation with BBQSQL
• DEF CON 12 (2004) / Blind SQL Injection Automation Techniques
• DEF CON 20 (2012) / Rapid Blind SQL Injection Exploitation with BBQSQL