Showing Articles About
sqli
-
Alex Pettifer 
Miłosz Gaczkowski - 6 Feb 2024
Multiple vulnerabilities in eLinkSmart padlocks
Multiple vulnerabilities were found in the eLinkSmart smart lock range. Flaws in the implementation of the locks' Bluetooth Low Energy (BLE) communication and the back-end API enable an attacker to unlock any lock within Bluetooth range, identify the location of any lock in the world, and compromise user credentials. This blog post describes the vulnerabilities, as well as the process followed to identify them, and demonstrates the issues in action.
- 29 Sep 2020
Application-level Purple Teaming: A case study
An application-level purple teaming approach was demonstrated using a file-sharing web application. The methodology focused on improving logging, alerting, and potential response mechanisms by systematically identifying detection gaps across enumeration and injection attack categories. The project used tools like Elasticsearch, Logstash, Kibana, and ElastAlert to enhance application security detection capabilities.
-
Ken Gannon - 20 Nov 2019
Uncommon SQL Database Alert - Informix SQL Injection
An authenticated SQL injection vulnerability was discovered in the Cisco UCM administrative portal using Informix SQL. Custom techniques were developed to enumerate database tables, users, and sensitive information when standard SQLMap tools failed. The research involved creating specialized scripts to exploit the vulnerability by bypassing security restrictions in the database.
- 4 Jul 2013
BSides Challenge Walkthrough
The BSides London 2013 challenge involved analyzing the 'Evil Planner' Android application for security vulnerabilities. Multiple critical security flaws were discovered, including directory traversal in content providers, weak PIN encryption using device ID, and SQL injection in database content providers. These vulnerabilities could allow an attacker to access sensitive user data stored within the application.
- 2 Dec 2011
How to find Android 0day in no time
WebContentResolver is an Android assessment tool that exposes Content Providers through a web interface. The tool allows security testing of Android Content Providers by enabling queries and revealing potential vulnerabilities like SQL injection. It provides a simple method to explore and test Content Providers using web application testing techniques.
- 11 Aug 2008
Defcon 16 Talk Review: Time-Based Blind SQL Injection Using Heavy Queries and the Marathon Tool
A summary of a DEF CON talk on advanced SQL injection attacks.