In 2011, SQL injections became front page news as ever more high profile companies were victims of automated SQL injection attacks. Responders spent countless hours looking at values in log files like "0x31303235343830303536" trying to figure out what was being exfiltrated by whom. Incident response costs skyrocketed while the cost of attacking fell.
This presentation will debut SQL ReInjector, a tool for the rapid assessment of logs from SQL injection attacks to determine what data was exfiltrated.
When responding to an SQL injection attack, responders have to determine what was exfiltrated by manually parsing the web server logs from the victimized host. This is a time consuming process that requires a significant amount of a responder’s time. Moreover, manual replay of the SQL injection does not account for system level discrepancies in how queries are executed by the system – running SQL against a SQL server directly doesn’t account for the behavior of any intermediary systems – e.g. any application layer logic or nuances in how the web application and database server interact.
SQL ReInjector uses the log files from the machine that has been subject to a SQL injection attack to replay the attack against the server (or a virtualized forensic image thereof) and captures the data returned by the SQL injection web site requests, reducing the amount of time responders have to spend looking at web server logs and allows for responders to recreate the data exfiltrated through a SQL injection attack.