Secrets of Exploiting Blind SQL Injection
- Wednesday, April 30th, 2014 at 1:00 PM EDT (17:00:00 UTC)
- Justin Searle
You can now attend the webcast using your mobile device!
Join us for a follow up to the "Secrets of Exploiting" series, a series of webcasts giving you sneak peaks into one of hottest new SANS classes, SEC642: Advanced Web App Penetration Testing and Ethical Hacking. In this webcast, we'll take a deeper look at how to exploit blind SQL injection vulnerabilities. Since blind SQL vulnerabilities do not inherently return data from the database, we have to find other ways to retrieve the data we want. This webcast will discuss how we can overcome these limitations through four different exfiltrate methods including single line retrieval, error messages, boolean indicators, and attacker controlled timing delays. More importantly, we'll show you how this can be automatically done with sqlmap so you don't have to become a DBA to launch these types of attacks.
Justin is a Managing Partner of UtiliSec, specializing in Smart Grid security architecture design and penetration testing. Justin led the Smart Grid Security Architecture group in the creation of NIST Interagency Report 7628 and currently plays key roles in the Advanced Security Acceleration Project for the Smart Grid (ASAP-SG), National Electric Sector Cybersecurity Organization Resources (NESCOR), and Smart Grid Interoperability Panel (SGIP). Justin has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences, and is currently an instructor for the SANS Institute. In addition to electric power industry conferences, Justin frequently presents at top security conferences such as Black Hat, DEFCON, OWASP, and AusCERT. Justin co-leads prominent open source projects including the Samurai Web Testing Framework, Middler, Yokoso!, and Laudanum. Justin has an MBA in International Technology and is a CISSP and SANS GIAC certified Incident Handler (GCIH), Intrusion Analyst (GCIA), and Web Application Penetration Tester (GWAPT).