SQL injection attacks as a new threat to operating system security

Using SQL injection, a multi-stage attack against the operating system can give the attacker interactive GUI (graphical user interface) access.
A European study found that SQL injection attacks do not only affect databases and web pages: they can also be used as a stepping stone into the operating system.
Alberto Revelli, a senior penetration tester at Portcullis Computer Security, demonstrated at the EUSecWest conference in London a multi-stage attack that can be used to gain interactive GUI access to the underlying operating system.
Revelli, also known as "icesurfer", pointed out that today's database management systems ship with many tools and feature components that can connect directly to the operating system and to the Internet. He said: "This means that if I can SQL-inject a Web application, I am not confined to the data stored in the database; I can also try to obtain interactive access to the host running the DBMS (database management system)."
His attack combines SQL injection with evasion of IPS, Web application firewalls and other defences, and is designed to crack strong system administrator passwords, with the attack on the Web application being only the initial stage. Revelli said: "In these cases the Web application is really just a stepping stone; the real goal is the host on which the DBMS is deployed." Before his EUSec presentation he kept some of the details secret.
He said that such attacks allow an attacker to run commands on the compromised system and to see the results. "Under normal circumstances, such attacks end at a DOS (disk operating system) prompt, which is not very powerful. My approach goes a step further and, in many cases, gives remote graphical desktop access to the database server."
Revelli used Microsoft SQL Server as the example in his presentation, but said that such attacks apply to all database technologies. The weaknesses do not exist only in the database software: Web applications, firewall rule sets and a number of other configuration choices also make such attacks possible. "Each component of this attack exploits a vulnerability or a misconfiguration in a different part of the architecture."
Once an attacker has remote access to the database, he can view files, seize data, shut down the database, and even move deeper into the network.
Revelli also plans to release a new version of his attack tool Sqlninja this week, and will demonstrate its use.
Revelli said that defending against this combined database/operating system attack requires a combination of measures, including at least least privilege, defence in depth, and keeping security in mind when designing both the network and the Web pages.
"The key is that when assessing the risks a network is exposed to, SQL injection should not be seen only as a threat to the data stored in the database, but as a threat to the entire network."
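The defensive measures Revelli lists start at the Web application, where the injection enters. The following is an added example (not from the article, and not Revelli's or Sqlninja's code) that puts a string-concatenated query beside its parameterised replacement, using an in-memory SQLite database seeded with constructed sample rows. The names `lookup_email_unsafe`, `lookup_email_safe` and `compare` are the example's own. A user name containing an ordinary apostrophe is enough to show the difference: concatenation lets the value alter the SQL text, while the parameterised form hands the value to the DBMS separately, so it can only ever be data.

```python
import sqlite3

# Constructed sample data for the demonstration (not taken from the article).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db():
    """In-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_unsafe(conn, name):
    """String concatenation: the user-supplied value becomes part of the
    SQL text, so any quote character in it changes the statement's
    structure. This is the pattern SQL injection relies on."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_email_safe(conn, name):
    """Parameterised query: SQL text and value are sent separately, so the
    value is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT email FROM users WHERE name = ?"
    row = conn.execute(sql, (name,)).fetchone()
    return row[0] if row else None


def compare(name):
    """Run both lookups for one input; report an error from the unsafe
    version as a string instead of raising, so both results can be read."""
    conn = make_db()
    try:
        unsafe = lookup_email_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = "error: " + type(exc).__name__
    safe = lookup_email_safe(conn, name)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        print(name, "->", compare(name))
```

For "alice" both lookups agree; for "o'brien" the concatenated statement no longer parses, which is the same structural break an attacker exploits with a crafted value instead of an honest one. Parameterisation removes that class of problem at the application layer; the database account the application connects with should still be restricted to the privileges it needs, so that a remaining flaw elsewhere does not reach the DBMS features that talk to the operating system.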