HF 2021 - Call for Papers

SQL Injection Is Still Alive: From a Mall's Interactive Terminal to AWS WAF Bypass
2021-11-19, 11:05–11:25, Sponsors - Workshops

This presentation will dive into multiple SQL injections faced in the field and showcase spicy SQL injections that go from exploiting interactive display terminals of a mall center to AWS WAF bypass using a scientific notation parser bug in MySQL. In addition, we will be sharing techniques to help you find SQL Injections.


You can hear on the [infosec] streets that SQL injection is dead. Guess what? It’s not. This presentation will dive into multiple SQL injections performed in the field. We will showcase increasingly spicy SQL injections and put them in context. On the menu, we have: second order SQL injection 🌶️, pre-authentication SQLi to domain admin 🌶️🌶️, AWS WAF bypass using a scientific notation parser bug in MySQL 🌶️🌶️🌶️ and even an SQL injection in an interactive display terminal of a mall center 👶. We will conclude by sharing techniques based on our experience exploiting these types of bugs. Join us for a deep dive into SQL injection, a vulnerability that is still very real in 2021, unfortunately!
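The "second order" item on the menu is the one that most often slips past code review, because the injection point is not the request that stores the data but a later query that trusts it. The following is an added illustration (not code from the talk or its authors) of that pattern in Python with an in-memory SQLite database: a username is stored safely through a parameterised INSERT, then reused in a password-reset query. The user name, table layout and function names are all constructed for this example; the vulnerable reset concatenates the stored value, the hardened reset binds it as a parameter.

```python
import sqlite3

# Constructed sample: a username that is harmless when inserted with a bound
# parameter, but changes the meaning of a later query that concatenates it.
STORED_USERNAME = "admin' --"


def setup_db():
    """Create a throwaway database with a real admin and the crafted account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "admin-secret"))
    # Registration is done correctly: the quote is stored literally, nothing breaks.
    conn.execute("INSERT INTO users VALUES (?, ?)", (STORED_USERNAME, "attacker-pw"))
    return conn


def reset_password_vulnerable(conn, username, new_password):
    # Second-order flaw: 'username' came from the database, so it is treated as
    # trusted and spliced into the statement. The new password is bound, which
    # gives a false sense of safety; the WHERE clause is still injectable.
    sql = "UPDATE users SET password = ? WHERE username = '" + username + "'"
    conn.execute(sql, (new_password,))


def reset_password_safe(conn, username, new_password):
    # Hardened form: every value, including the one read back from the
    # database, is bound. The stored quote and comment marker stay inert.
    conn.execute(
        "UPDATE users SET password = ? WHERE username = ?",
        (new_password, username),
    )


def get_password(conn, username):
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo(vulnerable):
    """Run one reset for the crafted account and return (admin pw, crafted pw)."""
    conn = setup_db()
    # The application re-reads the username from its own database, exactly as a
    # real password-reset flow would, and passes it on without re-validating it.
    stored = conn.execute(
        "SELECT username FROM users WHERE username = ?", (STORED_USERNAME,)
    ).fetchone()[0]
    if vulnerable:
        reset_password_vulnerable(conn, stored, "pwned")
    else:
        reset_password_safe(conn, stored, "pwned")
    return get_password(conn, "admin"), get_password(conn, STORED_USERNAME)


if __name__ == "__main__":
    print("concatenated WHERE:", demo(vulnerable=True))   # admin's password overwritten
    print("bound WHERE:       ", demo(vulnerable=False))  # only the crafted row changes
```

The point for reviewers and detection engineers is that "input validation at the front door" is not a sufficient control: a value can be clean enough to store and still be unsafe to concatenate. Binding parameters at every query site, including queries that only consume data the application wrote itself, is what closes the class; a WAF in front of the first request never sees the second.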


Are you releasing a tool? – no
Has this talk already been given? – no