Confidence - (19-20.11 2009 Warszawa)


Bernardo Damele

Topic: Expanding the control over the operating system from the database

Language: English

Bio:
Bernardo Damele Assumpcao Guimaraes is an IT security engineer currently based in London and working as a penetration tester and security researcher for Portcullis Computer Security Ltd. In recent years he has been researching web application security, database management system security and post-exploitation techniques. He is the lead developer of sqlmap (http://sqlmap.sourceforge.net), the developer of the MySQL UDF repository, a Metasploit contributor and a speaker at international and local IT security conferences.

Homepage: http://bernardodamele.blogspot.com.

 

Abstract:
A database (MySQL, PostgreSQL and Microsoft SQL Server), reached either via a SQL injection or via a direct connection, can be used as a stepping stone to control the underlying operating system. There is much to say on operating system control by owning a database server: Windows registry access, an anti-forensics technique to establish an out-of-band stealth connection, buffer overflow exploitation with memory protections bypass and custom user-defined function injection. These topics and more will be highlighted during the presentation.