One of the best Defcon Talks I've ever watched. Joseph McCray's awesome.
Murray Browning Agreed
I know nothing about SQL and I still sat here and watched the first ten minutes of this... Good stuff.
If you can't explain it simply, you don't understand it well enough. - Albert Einstein
This man surely knows what he is talking about!)
This guy is AWESOME.
Yeah !
Mother.... I am a lawyer and what the hell am I doing learning programming? You are the most interesting teacher. I am going to keep watching this over and over again.
This guy sounds so cool and down to earth. I hope he's like that in real life. He made this topic sound so interesting.
This is my first DEFCON watch, and I loved it. It just changed my whole way of thinking; definitely like passing a legacy to juniors. Thank you "Joseph McCray", thank you DEFCON.
"We used to get paid to tell people they were dumbasses... Now because they think because they read Hacking Exposed, now they're pen-testers but they're still hiring us." LMFAO... couldn't have said it better!
Everybody trying to SQL inject the comments now.
One of the BEST DEFCON speakers I've ever seen :D!
Bravo Joseph McCray ! :)
One of the best talks.
See the way he calls them sir. Respect.
You are awesome... I'm programming for my work and this really helped me understand how it is possible to hack in...
Hey man, gotta say this: your presentation was not dry, to say the least... most lectures and such are the perfect cure for insomnia, yet this was the opposite!! Really enjoyed the flick and hope to watch more vids on pentesting from you. Do you have any more that I can watch? If so, email me... or post links on here.
@Joseph: very good presentation, you manage to keep the viewer interested.
Snort actually supports regular expressions and you can easily make a few rules to catch all sorts of SQL injections.
Hats off to Joseph, really enjoyed your presentation. Thanks
It was a very good and well thought out presentation. Very nice and thank you for your contribution!
Really good conference!! I don't speak English very well but I understood almost everything!!
Moreover, you are very funny and cool; it's a pleasure to listen to you!! Thanks from Italy ;)
You are the best (y) DEFCON SPEAKER
Just because it appears to be an integer doesn't always mean that it's actually an integer. You can have numerical strings.
Bringing that guy to Switzerland would be fun!
Thanks for this awesome video. That's explained very simply and clearly.
@viniciuskmax actually this talk was a few years ago. This is DC17, and we just had DC19 a few weeks ago.
Thanks to this talk I just injected my own database. Now to fix it.
I'm a bit confused. Was it a security lecture or a stand-up performance? Mr McCray is just awesome.
Nice tips on SQL injection. You rock, Joseph McCray.
I loved this video. Definitely going to watch other DEFCON videos.
This guy Joe is so awesome! I've learned so much!
I am not good with computers but this is actually very intriguing
Here's a thought for the mischievous out there...
Recruiters use Applicant Tracking Software (ATS) to read, compare & filter resumes just like a web scraper would parse data from a page. Chances are good this software is in-house, home-rolled, proprietary, confidential etc. and hasn't been overhauled since the day it was written. If it works then ship it, I don't judge, we've all been there. But I wonder if the developer sanitised the input for SQL injection attacks like Jonny DROP TABLES?
Use prepared statements. I recommend switching over to PDO driver for PHP.
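To make the prepared-statement recommendation concrete (and to answer the earlier question about whether escaping alone is enough), here is an added PHP example. It is not code from the talk or from any commenter: it puts the string-concatenation pattern the talk exploits next to the same lookup done with a PDO prepared statement, using an in-memory SQLite database (assumes the pdo_sqlite extension is enabled) and constructed sample rows.

```php
<?php
// Added example, not code from the talk or from any commenter: the same user
// lookup written with string concatenation and with a PDO prepared statement.
// Runs stand-alone against an in-memory SQLite database (assumes pdo_sqlite).

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data; the second username legitimately contains a quote.
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)");
    $db->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('o''brien', 'user')");
    return $db;
}

// Vulnerable: the input is spliced into the SQL text, so any quote in it
// becomes part of the query grammar instead of part of the value.
function findUserVulnerable(PDO $db, string $username): array {
    $sql = "SELECT id, username, role FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is constant; the value is bound as a parameter and
// reaches the engine as data, whatever characters it contains.
function findUserSafe(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT id, username, role FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = openDemoDb();
$input = "o'brien";   // an ordinary name that happens to contain a single quote

try {
    findUserVulnerable($db, $input);
    echo "vulnerable query ran (it should not have)\n";
} catch (PDOException $e) {
    // The quote ended the string literal early and the rest of the query is
    // malformed. Input shaped by an attacker would reshape the query instead
    // of merely breaking it, which is the failure the talk demonstrates.
    echo "vulnerable query broke: " . $e->getMessage() . "\n";
}

$rows = findUserSafe($db, $input);
echo "prepared statement found " . count($rows) . " row(s): " . json_encode($rows) . "\n";
```

Run it with `php example.php`: the concatenated query throws a syntax error on the quote, while the prepared statement returns the o'brien row. Escaping helpers such as mysql_real_escape_string() only cover values that sit inside a quoted string literal; a numeric parameter spliced in without quotes (the `?id=1` case discussed in these comments) gets no protection from them, whereas a bound parameter is never interpreted as SQL in either position. When using PDO with MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared by the server rather than assembled client-side.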
On the internet. And I just don't understand the second question: if you are watching this video, you are learning from him.
very good presentation!
Isn't using ORDER BY easier than UNION SELECT for finding out the number of columns?
This video is a classic. How did you get started in infosec?
Also - incrementing the columns like that at 12:05 is long-winded.. It's better to use "ORDER BY column_number" - quicker and more efficient.
So why don't you use parallelization to speed up these WAITFOR tests? Get the length of the username in N parallel requests, followed by as many parallel requests to determine the individual chars as you want/need/consider safe.
On some systems it could trigger an attack alert and actually lock you out.
You don't want to appear on a watch list.
You want to be invisible.
Love the humor. Info is good to know too.
I want to tell YouTube to get this video out of my suggestions section, but I don't want to give it a thumbs down :/
Joe, where to start learning Pen Testing? Can 1 newbie ninja learn from you?
He's hilarious, thanks for sharing your experience.
Hey guys, he said if the DB is int we don't need to use the '
but when I have for example ?id=1 and I put a tick I get an error message. Why?
It gives you an error because the ' breaks the SQL query. You just don't need the ' while you are injecting some other code because you wouldn't want to break the query. Hope you understand.
This guy is awesome!
Awesome job!
Wow. You actually comment what people write under this video? Holy shit. You're cool. Really.
No big person would do this but you do it - makes you more awesome than any other security guy :D
This presentation was really awesome. It was technical, interesting and very well explained.
So, you said just using stuff like mysql_real_escape_string(); in PHP won't protect you, right?
What kind of filtering would I have to do?
I really hope you get back to me!
Thanks,
Thomas
This was soooo great! Thanks
great watch
I really enjoyed that guy.
great video man, thank you so much.
Great vid..
What could I do to learn and practice this stuff without breaking the law? I don't wanna go around hacking into random websites cause even if there is no malicious intent that shit can get you real time. I'm interested in going into some sort of security related IT role after uni (currently doing computing and management)
I need to know if this is possible on server games, well in this case, apps. This includes Legend of the Cryptids and Mobage games. I really want to know how to do that. Because I heard people did this and cheated their way through the games... Way better than spending money on the games if you ask me.
Nice reference.
Haha he removed the comment :P You were great at Hactivity!
Nice video, awesome.
oh yeah...did you get any flack for the harsh language at that talk?
"No idea how it works but it does"
You the man Joseph :D
Search for this here on YouTube: Toorcon 2007 - Matt Fisher - SQL Injecti. It's a very good talk as well.
Thanks.
This is one cool guy.
Good video but the quality is very low. I can barely read the text.
I have no fucking idea what he is saying.
thanks for sharing, maybe ask him via twitter?
This is Cool ♥
Or if the web application developer bothered to sanitize inputs.... no dice.
this is the first time i ever heard a black man say pen test and it not refer to prison rape
Respect
IT'S GOOD
GREAT, THANKS
I've been watching this for half an hour but I don't know why because I don't understand anything :(.
Awesome- Legit
legend
15:00 holy shit!!! MemeLord
but the rest is well done.
like 0.1% is SQL sites now
lol. If you haven't mastered the modern search engine you probably shouldn't bother trying to "Learn security online"
Just google for it, it's right there.
Tick or treat :)
a Gangster PenTester !!
I might be the other brotha at the security cons....
Quite clear, actually.
This guy is killing me LOL
This guy is so funny
Hmm so you know much too?
huge guy :D:D:DD
'SELECT system_user(theblackone) {
How do you inject something that isn't real? You're lying.
.......thanx thanx thanx :)
No one asked where he stole his computer.
Better teach SQL.. ain't nobody got time for that
Always the same Lil Jon story... but still making me laugh every time.
All I want to learn is how to hack money from the bank. Is that asking for too much?
This made me realise that there are no black people at all in my computer science class.
smart :D
enigmagroup.orf
This guy is a genius. :D haha made me laugh my ass off :D
I 'member...
too late
hahah.. what a guy
lol dude was hilarious