Full Disclosure mailing list archives
Re: EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009)
From: Sumit Siddharth <sumit.siddharth () gmail com>
Date: Thu, 2 Apr 2009 07:57:24 +0100
Hi Dragos,

I didn't get a response for my earlier mails. I would like to submit my talk "Recent Advancements in SQL Injection Injection Exploitation Technique". I gave this talk earlier at OWASP Appsec Au 2009, where it was very well received. The talk has a number of demos which makes it very enjoyable. Lemme know if you wish to include this. I am based in London. Here is the full agenda:

Abstract

This talk will cover different aspects of SQL Injection techniques and will highlight why every SQL Injection is unique. Starting with the very basics the talk will get more and more complex and will discuss exploiting SQL injections which seem to be un-exploitable. Numerous examples will be presented when the SQL Injection vulnerability will go undetected even by leading scanning software costing $$. A very common vulnerability will be shown along with a google dork which will return several "top" websites vulnerable. Further, a new technique of exploiting SQL Injection in Oracle to hack internal networks will be discussed. The talk will also discuss a number of SQL injection tools and will prove why tools can still not replace a human pen tester.

Outline:-

* What is SQL Injections (yawn...)
* Type Of SQL Injections (yawn...)
* Identifying SQL injections (Identification.......time to wake up..)
* xp_cmdshell is disabled, wtf....(exploitation)
* what's xp_cmdshell alternative on mysql and oracle..(Exploitation)
* Blind SQL Injections (exploitation/identification)
* Deep Blind Injection (exploitation/identification)
* Time Delay Functions & beyond (exploitation)
* UTF7 encoding, magic quotes etc.
* Avoiding Time Delay Functions (exploitation)
* Convert Time Delay to blind Injections (Exploitation)
* Injection in order by, group by and limit clause (Exploitation .&. Surprise!!)
* Out Of Band Channels (Exploitation)
* Using Oracle's SQL Injection (UTL_HTTP) to own internal SQL server (Exploitation)
* Exploiting Internal hidden networks (Exploitation)
* Can your tool detect these

Why should you include this talk:-

1. As more and more injection tools are available in the market, this talk will help the audience choose the right tool for the right injection.
2. The oracle's utl_http method to sploit internal networks is cutting edge and no-one has ever talked about it, in the context I will talk.
3. It's fun, everyone loves sql injection, and it's not a talk, it's all demo and people will love to see the oracle sql injection returning a shell from a ms-sql server.

About me:-

I graduated from IIT Kanpur in 2005, and after working for NII Consulting for about a year I have shifted to U.K, where I work for Portcullis Computer Security. I have been a speaker at many conferences and my articles and advisories are available on various security websites. I also own the website www.notsosecure.com .

/* I will probably rewrite the bio later */

Thanks
Sid

On Wed, Apr 1, 2009 at 10:29 PM, Dragos Ruiu <dr () kyx net> wrote:
Call For Papers

The EUSecWest 2009 CFP is now open. Deadline is April 7th, 2009.

EUSecWest CALL FOR PAPERS

LONDON, U.K. -- The third annual EUSecWest applied technical security conference - where the eminent figures in the international security industry will get together share best practices and technology - will be held in downtown London at the Sound Club in Leicester Square on May 27/28, 2009. The most significant new discoveries about computer network hack attacks and defenses, commercial security solutions, and pragmatic real world security experience will be presented in a series of informative tutorials.

The EUSecWest meeting provides international researchers a relaxed, comfortable environment to learn from informative tutorials on key developments in security technology, and collaborate and socialize with their peers in one of the world's most important technology hubs and scenic cities. The timing of the conference allows international travelers to travel to Berlin for FX's Ph-Neutral on the weekend, and Rennes the following week for SSTIC.

We would like to announce the opportunity to submit papers, and/or lightning talk proposals for selection by the EUSecWest technical review committee. This year we will be doing one hour talks, and some shorter talk sessions.

Please make your paper proposal submissions before April 7th, 2009.

Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speaker (one speaker airfare and one room). If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and, speaking background to secwest09 [at] eusecwest.com . Only slides will be needed for the paper deadline, full text does not have to be submitted - but will be accepted if available.

The EUSecWest 2009 conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1. Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph description.
6. Reason why this material is innovative or significant or an important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences where this material has been or will be published/submitted.

Please include the plain text version of this information in your email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to secwest09 [at] eusecwest.com to be considered for placement on the speaker roster, or have your lightning talk scheduled. If you contact anyone else at our organization please ensure you also cc the submission address with your proposal or it may be omitted from the review process.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-- Sumit Siddharth