Ruben Ventura [tr3w] got involved in the field of hacking and info-sec for around 17 years. He has worked performing pen-tests and security assessments for many international firms, governments and law-enforcement agencies from all around the world (also a bank). He has been presented as a speaker and trainer at many different conferences in his country of origin.
His interests include hacking, reverse engineering, meditation, music production, theoretical physics, psychology, lifting weights and coffee (lots).
Lightspeed SQL Injections
This presentation will focus on private and new optimized SQL injection exploitation methods.
New private tools that exploit Blind SQL Injection vulnerabilities will be released. These ones are much more faster than the existing free and commercial tools
out there because the private ones use modern attack vectors (created by myself) which perform clever injections designed to hack databases in more efficient methods.
To explain this, graphs and tables will be used to show the differences between the best tools out there and the 3 private tools introduced in the talk.
All the techniques used by the tools, which are the result of original private research, will be exposed in high detail.
The most popular free tool to exploit SQL Injections, sqlmap, needs to make a maximum of 7 requests to retrieve a single character and it also has threading
limitations. There is a notable gap between sqlmap and my new tools because they only require a maximum of 3 requests to retrieve a character. They
are also finer not only because of the number of requests they require nor due to the threading capabilities they have, but also because the SQL injection itself runs much faster faster due to the instruction set they use.
Underground methods (some discovered by a fellow 1337 researcher and others by me) to test for SQL Injection and XSS vulnerabilities will be shown. These will transform pen-testing into an easier and more optimized task.