Sign up for Snyk at https://snyk.co/ippsec
00:00 - Talking about why I like SQL Boolean Injection
01:47 - Opening up the source code to the web app
02:00 - Snyk sponsor segment, talking about how it can find and fix vulnerabilities in your code in real time
04:30 - Demonstrating validating boolean injection with an or statement
07:00 - Showing a small python client I made for this video to play with the SQL Injection, then showing subqueries
09:20 - Showing how to enumerate columns in the database via brute-force guessing because we can't use information_schema
11:25 - Going over the LIMIT statement so we can control which row we are looking at, then showing LIMIT 2 offset 1 is the same as LIMIT 1,1
15:00 - Showing the SUBSTR command so we can guess individual characters in a column/row
17:05 - Talking about converting a string to number in mysql which makes it possible to guess bad characters
21:45 - Start of creating our script, talking about the 3 functions we need, then creating one to dump the number of rows in a column
29:40 - Automating getting the length of a column in our row
32:40 - Automating exfilling the actual data and implementing a binary search/divide and conquer algorithm to speed our request up
46:00 - Debugging our script
47:35 - Found the error, messed up the column name. Showing the algorithm we made to bruteforce characters with the BETWEEN
49:00 - Putting all the functions together to automate dumping all the data
54:50 - Showing SQLMap has troubles with this, especially because the function (GEOGRAPHY_AREA) it uses to fingerprint the app won't work because it contains a bad character (_)
57:10 - Cleaning up and explaining the code a little bit
Support the originator by clicking the read the rest link below.
