Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
New Techniques Obfuscate, Optimize SQL Injection Attacks
Newest First  |  Oldest First  |  Threaded View
Rubberman
50%
50%
Rubberman,
User Rank: Apprentice
7/30/2013 | 5:03:48 PM
re: New Techniques Obfuscate, Optimize SQL Injection Attacks
Any web application that utilizes raw SQL should be taken out behind the shed and shot! There is a reason why there are stored procedures in every SQL database worthy of the name, and why one NEVER uses input data to help build an SQL query - you ALWAYS use bind variables and validate the input. This is likely not 100% effective, but it would be as close to it as you can probably get.
notsosecure
50%
50%
notsosecure,
User Rank: Apprentice
7/9/2013 | 3:43:05 PM
re: New Techniques Obfuscate, Optimize SQL Injection Attacks
learn advanced exploitation techniques in SQL Injection as well as lesser known flaws such as LDAP, XPATH, XXE etc in 2 days hands on course at Black Hat:

https://www.blackhat.com/us-13...


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-40669
PUBLISHED: 2021-09-16
SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file.
CVE-2021-40670
PUBLISHED: 2021-09-16
SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords iparameter under the /coreframe/app/order/admin/card.php file.
CVE-2021-29763
PUBLISHED: 2021-09-16
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. IBM X-Force ID: 202267.
CVE-2021-29825
PUBLISHED: 2021-09-16
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. IBM X-Force ID: 204470.
CVE-2021-29842
PUBLISHED: 2021-09-16
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202.