SQL Security Revisited

Explore SQL security vulnerabilities and best practices in this Black Hat USA 2001 conference talk by Chip Andrews. Delve into the SQL Server security framework, authentication modes, and roles. Learn about C2 level auditing and other SQL 2000 security features. Examine common attack vectors, including target acquisition methods, SQL scanning techniques, and account acquisition strategies. Understand the risks of source code disclosure and privilege escalation. Discover defensive measures to protect against SQL attacks. Gain insights into the scope and impact of SQL injection, with live demonstrations and practical examples. Master advanced SQL injection tricks to enhance your understanding of database security threats and countermeasures.

Intro
Presentation Outline
Presence
Security Framework
Net Libraries
SQL Server Service Context
SQL Server Security Modes (cont.)
Good Idea - What's the problem? • Microsoft recommends Windows Authentication Mode
Mode Guidelines
SQL Server Roles
C2 Level Auditing
Some Other SQL 2K Goodies
The Bad
Target Acquisition
Newsgroups
SQL Scanning
Broadcast Discovery
SQL Server Discovery
SQL Ping Utility
Account Acquisition (cont.)
Source Code Disclosure
Privilege Escalation (cont.)
Other Potential Pitfalls
They're in - Now What?
Your Defenses
Section 2 Conclusion
The Ugly
Scope of SQL Injection
SQL Injection Example 2
Live Demonstration
SQL Injection Samples
SQL Injection - Tricks