By Scott Behrens and Ben Toews
Ben and I have been grinding away on slides and code in preparation for our talk at DefCon 20. Without letting all of the cats out of the bag, I wanted to take a second to provide a little more context on our talk and research before we present our new tools at the conference.
BBQSQL is a SQL injection framework specifically designed to be hyper fast, database agnostic, easy to set up, and easy to modify. The tool is extremely effective at exploiting a particular type of SQL injection flaw known as blind/semi-blind SQL injection, where the application never returns the query's data directly and the only signal is whether a request behaves differently (a changed page, an error, a delay). When doing application security assessments we often uncover SQL vulnerabilities that are difficult to exploit. While current tools have an enormous amount of capability, when you can’t seem to get them to work you are out of luck. We frequently end up writing custom scripts to help with the tricky data extraction, but a lot of time is invested in developing, testing and debugging these scripts.
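For readers less familiar with what makes an injection "blind", here is a small added example (not code from the post or from BBQSQL) showing the flaw class side by side with the fix. It uses an in-memory SQLite table with constructed rows; `lookup_vulnerable` interpolates the username into the SQL text, `lookup_safe` binds it as a parameter, and `blind_oracle_present` is the kind of regression check a developer runs to confirm that a user-controlled condition no longer changes the response. The database, table and function names are assumptions for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string interpolation, so the input is parsed as SQL.

    Nothing from the query is echoed back except whether a row was found,
    which is exactly the 'blind' situation the post describes.
    """
    sql = "SELECT email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchone()


def lookup_safe(conn, username):
    """Binds the input as a parameter; the database treats it purely as data."""
    return conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()


def blind_oracle_present(lookup, conn):
    """Return True if a user-controlled condition changes the lookup result.

    Two inputs that differ only in a trailing always-true / always-false
    condition are submitted. If the results differ, the application leaks a
    one-bit oracle per request and is blind-injectable; if they agree, the
    condition was stored as part of the username string and ignored.
    """
    always_true = "alice' AND '1'='1"
    always_false = "alice' AND '1'='2"
    try:
        return lookup(conn, always_true) != lookup(conn, always_false)
    except sqlite3.Error:
        # A SQL error on crafted input is itself a signal (error-based), so
        # the query text is still being influenced by the input.
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle:", blind_oracle_present(lookup_vulnerable, db))  # True
    print("safe oracle:", blind_oracle_present(lookup_safe, db))  # False
```

The vulnerable version returns alice's row for the always-true input and nothing for the always-false one, which is the per-request true/false signal a blind extraction tool builds on; the parameterised version returns nothing for both, because a username literally containing `' AND '1'='1` does not exist.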
BBQSQL helps automate the process of exploiting tricky blind SQL injection. We developed a very easy UI to help you set up all the requirements for your particular vulnerability, with real-time configuration checking to make sure your data looks right. On top of being easy to use, it was designed around the event-driven concurrency provided by Python’s gevent, which lets many requests be in flight while waiting on network I/O. This allows BBQSQL to run much faster than existing single-threaded or multithreaded applications.
We will be going into greater detail on the benefits of this kind of concurrency during the talk. We will also talk a bit about character frequency analysis and some of the ways BBQSQL uses it to extract data faster. We will be doing a demo too, showing how to use the UI as well as how to import and export attack configs. Here are a few screenshots to get you excited!
If you come see the talk, we would love to hear your thoughts!