Null offensive hacking hands-on training.
Proposed sessions for this event:
- Understanding and Exploiting SQL Injection flaws in Web Apps by Riyaz Walikar
Understanding and Exploiting SQL Injection flaws in Web Apps
You can register by clicking on the Register button and Confirming Registration on the next page.
Registrations will close on March 9th 8:00 PM or when the count reaches 55 (whichever happens first).
Only the registered participants will be sent a confirmation email with the venue details. This email will be sent by Friday March 10th 10:00 AM.
Please read the following instructions carefully. This will enable us to have a smooth, hassle free session.
This will be a completely hands on session on detecting and exploiting SQL Injection issues. At the end of this session, the participant will be able manually identify SQL Injection vulnerabilities in web applications and use the vulnerability to perform the following:
-- Extract data from backend databases
-- Execute system level commands on the server
The following types of SQL Injection will be covered:
-- Basic SQL Injection(Using database schema to extract specific information)
-- Error Based SQL Injection (Using DB errors presented to the user via the application)
-- Time Based SQL Injection (Using induced delays to check for true / false conditions)
-- Second Order SQL Injection (Triggered via resident data)
-- Server compromise using SQL Injection (MSSQL and MySQL).
Hardware Pre-requisites (Mandatory)
- A system capable of running Virtual Box. You can test this by installing Virtual Box and creating a test VM.
- Atleast 2 GB of RAM
- Atleast 1 GB of free space (to copy the VM that will be distributed)
Software Pre-requisites (Mandatory)
- VirtualBox (Any version higher than 5.1). Please install this and come before the session. VMWare will not be supported.
- PuTTY to SSH into the VM. This is for Windows hosts. https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
- BurpSuite free
- Firefox with FoxyProxy Addon
|Saturday March 11 2017
|Understanding and Exploiting SQL Injection flaws in Web Apps