Whitepaper called Database Security Threats and Injection Technique. Written in Persian.
5d18ecda87e677b9be4fcc471c55096e2eefcceb48e70cc55ca0ed8b6636b300
Whitepaper called MySQL UDF Exploitation.
e3f1baa170d27afb7c63c85824246d5dacb72df1f9b55d3c574624348aab3380
This is a whitepaper that discusses leveraging SQL injection attacks against SQLite databases.
2d25bf7c68c93856be515e7d7f9ce1c5e31d0ff0e1c4c03ba1d67a61f385507e
This paper discusses an overflow in the DOUBLE data type in MySQL.
994da41348fedec81430a33635725f5ef5bf21eaded32a286053dfd2938cf982
This is a public blog posted by Oracle's CSO Mary Ann Davidson. It provides a rare glimpse into the corporate mindframe reminding us all that license agreements are always respected by hostile parties and therefore security researchers should not even consider reverse engineering Oracle's code base. As has been proven time and again, Oracle's bullet proof unbreakable security does not need public vetting and they consistently can identify and address all issues without your needless meddling.
d16deebdad2785cf38a42eaa182a2fd03f6976eacc830f7b05b1f5489393b40f
Whitepaper discussing penetration and security testing against Microsoft SQL Server. Written in Turkish.
dc6404d93aa87f8467a2c37aca466c0c947bae3530334eb4dd8b112aa3850d18
This whitepaper discusses hacking with sqlmap and leveraging cross site request forgery vulnerabilities. Written in Turkish.
7130a96bfe8e601c63c6db831c76a47578959bc3aa160183ca7c39ba4c380efd
The ability to execute arbitrary SQL on Oracle via a SQL injection flaw is hampered by the fact that the Oracle RDBMS will not batch multiple queries. Typically, a low privileged attacker with say only the CREATE SESSION privilege, must find a function they can inject that will allow them to execute a block of anonymous PL/SQL. These are known as auxiliary inject functions. Depending upon the version of Oracle and what components are installed auxiliary inject functions may be few and far between. For example, on Oracle 12c with the internal Java VM removed, there may be none. Indeed, during a recent client assessment the author of this paper was confronted with such a situation: a PL/SQL injection flaw but with no easy method for easy exploitation to gain full control of the database server. This paper presents a method around such a problem using DBMS_XMLSTORE and, co-incidentally, DBMS_XMLSAVE. This method can be used in web-based SQL injection attacks, as well.
42373a43d60cc25c4d8fb1e06e905e8adafeae668b2a402d7121f1232ab9d611
Oracle data redaction is a simple but clever and innovative idea from Oracle. However, at present, there are weaknesses that undermine its effectiveness as a good security mechanism. These weaknesses can be exploited via web based SQL injection attacks and this paper details those weaknesses and provides suggestions on how it can be improved and made more secure.
8cb488d94f0f24c541295b45894955646b915f06b2bd3f2038f2c4e7aac4422f
Whitepaper called Oracle SID Detection Techniques - Part 1. Written in Persian.
216902657ee1a360c1b1d862f34bf7cec694092990536e667eff806c67124f16
Whitepaper called Oracle SID Detection Techniques - Part 3. Written in Persian.
99d5fc68bd7f308a7fb0286580dfe9fb08fa67f54a4512ba6fc79242096c12a4
Whitepaper called Oracle SID Detection Techniques - Part 2. Written in Persian.
dce6b5307b6f20bb7d98b49054356d04c564fab5330fc55d8943a23c414fdf59
Whitepaper called Oracle SID Detection Techniques - Part 1. Written in Persian.
b840fcc9f91bdcdd628bf96a2b8007f515b3578cf72d2146034d794c32e08817
This is a brief whitepaper that goes over different payloads that can be leveraged in SQL injection attacks.
9499be52d5cfed9d72ecaf10bc20f2276bb6bc14fd6d1eb70d8afca6916fdf70
Whitepaper called Exploitation of MS-SQL Servers Explained. Written in Turkish.
4ffc2985fa1f3d4996dafdb8b9f4aeb73a2c9f7d902970dcdd4e16f2f7207a9d
Whitepaper called Indexed Blind SQL Injection. Time based blind SQL attacks suffer from low bit/request ratios. Each request produces only one valuable bit of information. This paper describes a tweak that produces higher yield at the expense of a longer runtime. Along the way, some issues and notes of applicability are also discussed.
84e74daa46ea6185f1c1f4ee9764bc2315f2a4cf39e46f8dfcea99039a5ecb21
Whitepaper called Blind SQL Injection with Regular Expressions Attack.
167010ab38c65a1b629b2eb5767870004cb391e155573d9cd652fbf5476b540f
Whitepaper called Advanced MySQL Exploitation.
eeed1189d006c0343e26e681e5c40d6acc19a93e76346607fc677f073a104192
Whitepaper called Tutorial Blind SQL Injection Referensi. Written in Indonesian.
e3aa7441ce7deb5e534679f40dc15f786367faa10e651b0d1a65433fca02f778
Whitepaper called Oracle Penetration Testing Using the Metasploit Framework.
5f83e34bb9fafd4e3e942567202ceb11434ef372ffb87749583ed54f98922e90
These are slides from the Practical Padding Oracle Attack presentation given at BlackHat Europe 2010.
44d6bd6f34982348a4af9f4bd0fe7a99db3855f3ff6cb55230636fab6a2bbf7b
This is a short tutorial called MySQL Injection - Simple Load File and Into OutFile.
6866aa8f28dcac6458750046b3125a824fcea99b3aedbddd27f63076b1098e76
This whitepaper is a MySQL SQL injection tutorial.
517d27c0d6f06d56b0bfa16f3e725b79f33fe4a3755de1772342c7350620aa7c
Whitepaper called SQL Injection with File Privileges. Written in German.
8a840f1a4c02b27eff38fa668101a0c35692ec019f154067aa6c23502a435bd6
Whitepaper called SQL Injection with INFORMATION_SCHEMA. Written in German.
a163eee81c0b2b2ca61c599aa48a492b19d92ef0e7f6836c52b7048326274b35