SQL Injection Exploits a Button Click Away? No!

An SQL injection attack is perhaps still the worst enemy of a corporation. Simply put, it allows a malicious person, entity, “codebot” or even a nation state to draw information out of a corporation's or government's databases and put it to nefarious use.

Is the cure for this sort of attack simply running automated scans with commercial products?

No.

One has to dig further once a scanner reports a “vulnerability”.

To be clear, code and SQL injection attacks are still among the most common ways attackers get into a system.

There is a pretty good write-up on tools to use after the initial “click” that help automate what might otherwise be manual testing. However, manual testing is still part of the process. The security industry should not get lazy and think that automated tests are all that is needed.

Back to the “pretty good write-up”. In my experience (and we all have our own experiences with testing), that list needs to be re-ordered to put the following tools first:

1. SQLMap – hands down the best tool I have used after working with scores of tools.
2. Havij – very effective. It costs some coin, but it is worth the cost.
3. Pangolin – beware the malware-laden downloads and the false positives, but this product does a great job.

The others are good, but nothing I have found compares to the top three here, especially SQLMap. You’ll need to use a command-line interface and read some documentation, but imagine injecting a site through cookies, headers, GET parameters, POST bodies and other parts of the request, then pulling out usernames, password hashes, privileges, network access and more.

And then gaining shell access to the database host and moving through the network from there?

Uploading payloads?

Yes.

This is possible with SQL injection and SQLMap, given sufficient privileges on the database side (file-write or stacked-query support, for example) and somewhere writable to land a payload; those conditions are exactly what the manual follow-up after the scanner's click has to establish.
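To make the “dig further” step concrete, here is an added example that is not code from the original post: a constructed in-memory SQLite user table (schema, usernames and hash strings are invented for the demonstration) with a deliberately vulnerable lookup beside its parameterized fix, plus the two manual checks a tester runs after a scanner flags the parameter: a true/false boolean pair to confirm the finding is real, and a UNION query that pulls password hashes out through the same parameter.

```python
import sqlite3

# Constructed sample rows (not from the original post): username, hash, role.
USERS = [
    ("alice", "hash_for_alice", "admin"),
    ("bob", "hash_for_bob", "user"),
]


def build_db():
    """In-memory SQLite database standing in for the target's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)", USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the user-supplied value is concatenated into SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened version: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def confirm_boolean_injection(conn, lookup):
    """Manual confirmation of a scanner finding: send one condition that is true
    and one that is false and see whether the application's answer changes.
    A parameterized query treats both strings as literal usernames, so the
    answers are identical and the check correctly reports 'not injectable'."""
    true_case = lookup(conn, "alice' AND '1'='1")
    false_case = lookup(conn, "alice' AND '1'='2")
    return true_case != false_case


def union_dump(conn, lookup):
    """UNION-based extraction through the same parameter: append a second SELECT
    with the same column count and comment out the query's closing quote."""
    payload = "x' UNION SELECT username, password_hash FROM users-- "
    return sorted(lookup(conn, payload))


if __name__ == "__main__":
    db = build_db()
    print("vulnerable injectable:", confirm_boolean_injection(db, lookup_vulnerable))
    print("safe injectable:      ", confirm_boolean_injection(db, lookup_safe))
    print("dumped via UNION:     ", union_dump(db, lookup_vulnerable))
```

These two checks are the same boolean-based and UNION-based techniques SQLMap automates (selectable with its --technique option, B and U respectively); the point of running them by hand once is that the tester understands what the tool is sending and why the fix on the `lookup_safe` side closes the hole.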

Jock Pereira
http://www.jockpereira.com
jockster@gmail.com
978-666-4000
