This presentation describes how attackers could take advantage of SQL Injection vulnerabilities using time-based blind SQL injection. The goal is to stress the importance of establishing secure development best practices for Web applications and not only to entrust the site security to the perimeter defenses. This article shows exploitation examples for some versions of Microsoft SQL Server, Oracle DB Engine,MySQL and Microsoft Access database engines, nevertheless the presented technique is applicable to any other database product in the market. This work shows a NEW POC Tool.
Chema Alonso is a Computer Engineer by the Rey Juan Carlos University and System Engineer by the Politecnica University of Madrid. He has been working as security consultant last six years and had been awarded as Microsoft Most Valuable Professional from 2005 to present time. He is a Microsoft frequent speaker in Security Conferences. He writes monthly in several Spanish Technical Magazines as "Windows TI Magazine", "PC Actual" or "Hackin9". He is currently working on his PhD thesis under the direction of Dr. Antonio Guzman and Dr. Marta Beltran. Recently spoke at BH Europe 2008 about LDAP Injection & Blind LDAP Injection attacks. More info:https://mvp.support.microsoft.com/gp/mvpInsider_2006-08
Jose Parada is an IT Pro Evangelist in Microsoft. He is a very famous speaker in Spanish conferences about IT Infrastructures, Microsoft Technologies and Security. He has been working in the Microsoft Technet Program from 2005 delivering conferences, webcasts and technical information.