Aug 07 2008

SQL Injection Worms for Fun and Profit - slides and demo

Published by Justin Clarke under Application Security

Well, I’m offstage now, having just presented my talk on “SQL Injection for Fun & Profit” at Blackhat in Las Vegas. One of the main aims of the talk was to provide more coverage of the mass SQL injection attacks that started earlier this year (and are still going on). The Internet Storm Center has some good discussion and coverage of this topic from earlier this year. The other aim was to point out some of the ways it could have been, and probably will be in the near future, much, much worse.

You can find a copy of the slides that were presented here, as well as a Flash video of the demo of the self-replicating SQL injection worm I wrote for this talk.


Jun 02 2008

AntiXSS updated

Published by Justin Clarke under Tools, Application Security

I’ve just uploaded an update to AntiXSS, based on feedback we’ve received from developers looking at the library. This can be found at the GDS Tools page. I have also updated the original AntiXSS announcement post to point to the new release.

Since the release of the library, the two main areas of feedback we got from users of the library were:

  • Why is it only Java 5 and above? We have a lot of Java 1.4 code.
  • Why are the methods all named with UpperCamelCase? We use lowerCamelCase for all of our method names.

In brief, we’ve addressed the first issue but not the second in this release. You should find that AntiXSS will work with your Java 1.4 code, as we’ve changed the underlying functionality to remove the dependency on Java 5. As for the method names, those are the names used in the Microsoft Anti-Cross Site Scripting (AntiXSS) v1.5 library for .NET applications, of which this library is a port. As such, we’ve preserved the API as is, and think it would be counterproductive to rename the methods, have duplicate methods with different capitalisation, or ship an adapter interface with lowerCamelCase names.

Any feedback, bug reports, or reports of usage appreciated.


May 20 2008

Adapting Sqlbrute

Published by Joe Hemler under Tools

The current version of Sqlbrute supports Microsoft SQL Server and Oracle; however, the similarities between Microsoft SQL Server and Sybase make it easy to adapt it to Sybase with a few minor tweaks. Make the following changes to the current version and you should be able to brute Sybase as easily as SQL Server:

1) Line 484:

foo = "xtype='u' and "

TO

foo = "type='U' and "

2) Line 533:

predblike = "%3Bif EXISTS (select name from " + self.database + "sysobjects where xtype = 'u' and name like '"

TO

predblike = "%3Bif EXISTS (select name from " + self.database + "sysobjects where type = 'U' and name like '"

3) Line 558:

predbequals = "%3Bif EXISTS (select name from " + self.database + "sysobjects where xtype = 'u' and name = '"

TO

predbequals = "%3Bif EXISTS (select name from " + self.database + "sysobjects where type = 'U' and name = '"

4) Line 583:

foo = "xtype='u' and "

TO

foo = "type='U' and "

Essentially, we’re just changing the “sysobjects” column named “xtype” to “type” in order to be Sybase-compatible. Justin will be releasing an updated version of Sqlbrute with Sybase support in the near future. For more information on Sybase system tables, go here. Enjoy!
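Because the Sybase tweak only changes the sysobjects column name, a defender reviewing web logs can catch both dialects of the table-name probe with one signature. The detector below is an added example, not part of Sqlbrute or this post; the request lines it scans are constructed samples, and the double-decoding step is an assumption about how the probe might be encoded.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not real log data). The second and third
# carry the sysobjects probe fragment this post describes, one in the SQL
# Server form (xtype = 'u') and one in the Sybase form (type = 'U'); the
# fourth is the SQL Server form double-encoded (%253B instead of %3B).
SAMPLE_REQUESTS = [
    "GET /items.asp?id=17 HTTP/1.1",
    "GET /items.asp?id=17%3Bif%20EXISTS%20(select%20name%20from%20sysobjects"
    "%20where%20xtype%20%3D%20%27u%27%20and%20name%20like%20%27a%25%27) HTTP/1.1",
    "GET /items.asp?id=17%3Bif+EXISTS+(select+name+from+sysobjects"
    "+where+type+%3D+%27U%27+and+name+%3D+%27orders%27) HTTP/1.1",
    "GET /items.asp?id=17%253Bif%2520EXISTS%2520(select%2520name%2520from"
    "%2520sysobjects%2520where%2520xtype%2520%253D%2520%2527u%2527) HTTP/1.1",
]

# One pattern covers both dialects: the only difference the post introduces
# is the sysobjects column name, xtype (SQL Server) versus type (Sybase).
PROBE_RE = re.compile(r"sysobjects\s+where\s+(x?type)\s*=\s*'u'", re.IGNORECASE)


def normalize(raw: str) -> str:
    """Percent-decode twice (assumption: catches %253B-style double encoding),
    treat '+' as a space, and collapse whitespace to one canonical form."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw)))


def classify_probe(raw: str):
    """Return 'mssql', 'sybase' or None for a single request line."""
    m = PROBE_RE.search(normalize(raw))
    if m is None:
        return None
    return "mssql" if m.group(1).lower() == "xtype" else "sybase"


def scan(lines):
    """Return [(line_number, dialect)] for every line carrying the probe."""
    hits = []
    for n, line in enumerate(lines, start=1):
        dialect = classify_probe(line)
        if dialect:
            hits.append((n, dialect))
    return hits


if __name__ == "__main__":
    for n, dialect in scan(SAMPLE_REQUESTS):
        print(f"line {n}: sysobjects probe, {dialect} form")
```

Matching on the decoded, whitespace-collapsed form is what makes the single pattern hold across `+` encoding, `%20` encoding and double encoding.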
