Give Me a SQL Injection, I Shall PWN IIS and SQL Server

Offered By: Black Hat via YouTube

Course Description

Overview

Explore a comprehensive Black Hat conference talk that delves into the vulnerabilities of IIS and SQL Server within the Microsoft ecosystem. Learn about SQL injection techniques, the relationship between IIS/SQL Server and the Microsoft JET database engine, and how these can be exploited from an attacker's perspective. Discover the potential for leveraging SQL injections in Access databases beyond simply viewing unexpected data. Gain insights into circuit injection, cross-database attacks, and various attack scenarios involving Access and IIS/SQL Server. Witness demonstrations of exploits, including web shell injection and memory corruption vulnerabilities. Understand the security boundaries and implications for the Microsoft infrastructure in this 36-minute presentation by security experts Qi Deng, Bo Qu, and Tao Yan.

Syllabus

Introduction
Agenda
Who are we
Motivation
Circuit Injection
Jet Database Engine
Main Dish
Cross Database
MSJet
MS Excel
Summary
Attack Scenarios
Access Scenario
Analysis
Demo
Scenario 2: IIS and SQL Server
Example
Information
Web Shell
Core EX
Memory Copy
Destination Address Buffer
Page Description Object
Demonstration
Short Summary
Conclusion
Security Boundary


Taught by

Black Hat
