Presentation Material
Abstract
One-Way SQL Hacking: Futility of Firewalls in Web Hacking
Topics covered will be:
Overview of Web attacks One-way attacks SQL Entry points Privilege escalation Installing a web based sql command prompt Back-end Database Enumeration tool
One Way SQL Web Hacking: SQL Web hacking is the next generation of hacking “kung fu.” This talk expands on our previous web talks with new SQL techniques for taking apart an e-commerce site. Join us for an eye-opening demonstration on what can go wrong with poorly secured Web applications, how severe the risks are, and how to protect yourself and your company.
We shall be covering vulnerabilities ranging from web server misconfigurations, improper URL parsing, application level vulnerabilities, Java application server hacking and some special advanced techniques.
AI Generated Summarymay contain errors
Here is a summary of the content:
The speaker discusses their experience in a hacking challenge, where they exploited vulnerabilities in Unix and Open Server systems. They describe the process of modifying credentials, including changing sensitivity labels and user IDs. The team developed a method to create a new sensitivity label structure in C language and then copied it with an assembly component.
The speaker also mentions a security vulnerability similar to LDT1, which allows a user to execute code at zero protection level on a processor. This vulnerability was found in SC Open Server and stems from the fact that the set context system call does not properly check who sets the CS segment code register of a given process. The team informed Kera Systems about this vulnerability, and fixes are already available.
The presentation aims to show the complexity of modern security mechanisms and the importance of understanding canal level vulnerabilities, which can have a significant impact on system security. The speaker also shares their experience participating in the hacking challenge, including the benefits (meeting interesting people, winning prize money) and drawbacks (sleepless nights, hard work).
Finally, the speaker mentions that a technical article about the canal level vulnerabilities and the AUST challenge will be available on their website, along with proof-of-concept codes for every vulnerability.