med-mastodon.com is one of the many independent Mastodon servers you can use to participate in the fediverse.
Medical community on Mastodon

#sqlinjection


Content warning: Domestic abuse, stalking, controlling behavior, Schadenfreude, irony.

A new data leak shows the dangers of secret, silent #stalkerware. An app known as #Catwatchful appears to be just as insecure as all the others.

The Catwatchful app’s user login database was vulnerable to a simple #SQLinjection attack. In #SBBlogwatch, we call for Little Bobby Tables.

@TheFuturumGroup @TechstrongGroup @SecurityBlvd: securityboulevard.com/2025/07/

(Also known as #spouseware and #creepware, this vile trade enables all manner of frightening and dangerous abuse, from stalking to serious sexual assault. It’s no laughing matter.)

Today I learned one can create an alias which executes a custom #java function via #sql in a #H2 database. Combine this with a #springboot or other application allowing #sqlinjection and "oops, compromised". Lucky for me it was only an exercise and not in a real application.

Someone else wrote about it: medium.com/r3d-buck3t/chaining

And here are the official docs: h2database.com/html/commands.h

I truly miss the days I did not know of such things...

Link preview: "Chaining Vulnerabilities in H2 Database for RCE" by Nairuz Abulhul (R3d Buck3T, Medium)

SQL Injection (SQLi) 💉 – Everything You Need to Know

What is SQL Injection?
SQL Injection is a code injection technique that allows attackers to interfere with the queries an application makes to its database.

Types of SQLi:

1. In-band SQLi – Most common and easy to exploit.

2. Blind SQLi – Data isn’t visibly returned but can still be extracted through inference.

3. Out-of-band SQLi – Uses external servers to get results (less common but powerful).

4. Time-Based Blind SQLi – Server delay used to infer info from the database.

Attack Scenarios:
▫️Bypassing logins
▫️Dumping database contents
▫️Modifying or deleting data
▫️Escalating privileges
▫️Accessing admin panels

Common SQLi Targets:
🔹Login forms
🔹Search boxes
🔹URL parameters
🔹Cookies
🔹Contact or feedback forms

How to Prevent SQLi:
▪️Use parameterized queries
▪️Employ ORM frameworks
▪️Sanitize all user inputs
▪️Set least privilege for DB users
▪️Use Web Application Firewalls (WAF)

♦️Red Team Tip
Test all user input points, especially where data touches the database. Think beyond login forms—SQLi hides in unexpected places.

🔖Hashtags:
#SQLInjection #CyberSecurity #EthicalHacking #InfoSec #WebSecurity #RedTeam #BugBounty #Pentesting

⚠️Disclaimer:
This content is for educational purposes only. Always perform security testing with explicit permission. Unauthorized testing is illegal and unethical.

Everything About SQL Injection 💉

What is SQL Injection?
SQL Injection is a web vulnerability that lets attackers manipulate database queries. This can lead to unauthorized access, data leaks, or even full control of the system.

🔬Types of SQL Injection

1️⃣ Classic SQLi – Injecting raw SQL commands.
2️⃣ Blind SQLi – No errors, but the response changes.
3️⃣ Time-Based SQLi – Uses response delays to extract data.
4️⃣ Union-Based SQLi – Merges malicious queries with valid ones.
5️⃣ Out-of-Band SQLi – Exfiltrates data through DNS, HTTP, etc.

♦️Potential Impact
▫️Access & dump sensitive data
▫️Bypass login systems
▫️Alter or delete database entries
▫️Full system compromise

🔰Common Entry Points
▫️Login forms
▫️Search inputs
▫️Contact forms
▫️URL query parameters

Defense Strategies 🛡
✅ Use parameterized queries
✅ Validate & sanitize inputs
✅ Apply least privilege to DB accounts
✅ Monitor logs for anomalies
✅ Perform regular security audits

📀Image Description (for visual):
🔹A sleek cyber-themed layout with:
🔹A hacker icon injecting code
🔹A login form being exploited
🔹Database icons showing exposed data
🔹A shield labeled “Prepared Statements” blocking the attack

🔖Tags
#SQLInjection #CyberSecurity #EthicalHacking #WebSecurity #BugBounty #InfoSec #Pentesting #OWASP #DatabaseSecurity #HackerTips

⚠️Disclaimer
This content is for educational and ethical purposes only. Do not attempt to exploit vulnerabilities without proper authorization. Always follow legal and ethical guidelines when testing or learning about cybersecurity.
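As an added example (not code from either of the two posts above, nor from any project they mention), here is the defense both posts lead with, parameterized queries, placed beside the string-concatenation anti-pattern it replaces, plus a coarse access-log triage check for the "monitor logs for anomalies" item. Everything in it is constructed: the SQLite users table, the accounts, and the log lines; the function names `login_vulnerable`, `login_parameterized`, `compare_logins` and `flag_suspicious_requests` are chosen here, not taken from any library.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample accounts (not real data). Passwords are kept in plaintext
# only so the query-construction point stays visible; a real application
# compares password hashes, which does not change the SQLi lesson.
SEED_USERS = [
    ("alice", "correct horse battery staple"),
    ("o'brien", "pw"),   # a legitimate apostrophe in a username
]

# The textbook tautology input: pasted into SQL text it turns
# "password = '...'" into "password = '' OR '1'='1'".
TAUTOLOGY = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Anti-pattern: input is spliced into the SQL text, so input can change
    the *structure* of the statement (classic in-band SQLi)."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fix: placeholders fix the statement structure at coding time; the driver
    binds the values separately, so they are only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare_logins() -> dict:
    """Run the same inputs through both versions and collect the outcomes."""
    conn = make_db()
    good = ("alice", "correct horse battery staple")
    out = {
        "legit_vulnerable": login_vulnerable(conn, *good),
        "legit_parameterized": login_parameterized(conn, *good),
        # wrong password, tautology input: only the concatenating version lets it in
        "tautology_vulnerable": login_vulnerable(conn, "alice", TAUTOLOGY),
        "tautology_parameterized": login_parameterized(conn, "alice", TAUTOLOGY),
        # a benign apostrophe: the concatenating version cannot even run it
        "apostrophe_parameterized": login_parameterized(conn, "o'brien", "pw"),
    }
    try:
        login_vulnerable(conn, "o'brien", "pw")
        out["apostrophe_vulnerable"] = "ran"
    except sqlite3.OperationalError:
        out["apostrophe_vulnerable"] = "syntax error"
    return out


# --- "Monitor logs for anomalies": a coarse triage signal over access logs ---

# Constructed Apache/nginx-style access log lines (not from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "GET /search?q=mastodon HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2025:10:00:07 +0000] "GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1" 200 8192
10.0.0.9 - - [01/Jul/2025:10:00:09 +0000] "GET /item?id=1+UNION+SELECT+username%2Cpassword+FROM+users HTTP/1.1" 500 120
10.0.0.7 - - [01/Jul/2025:10:00:11 +0000] "GET /contact HTTP/1.1" 200 2048
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Crude indicators of SQL metacharacters/keywords in a decoded URL. This is
# noisy (a surname with an apostrophe followed by "or" would match) and is a
# triage signal, not a control: parameterization is the actual fix.
SQLI_HINT = re.compile(r"['\"]\s*(?:or|and)\b|\bunion\s+select\b|--|/\*|\bsleep\s*\(", re.I)


def flag_suspicious_requests(log_text: str) -> list:
    """Return (client_ip, decoded_path) for request lines that look like SQLi probes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, raw_path = m.groups()
        path = unquote_plus(raw_path)   # decode %27, '+' etc. before matching
        if SQLI_HINT.search(path):
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for k, v in compare_logins().items():
        print(f"{k:26} {v}")
    for ip, path in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", ip, path)
```

Two things worth noticing when running it: the parameterized version handles the legitimate `o'brien` account correctly while the concatenating version cannot even execute that query, so parameterization is a correctness fix as well as a security fix; and the log check matches only after URL-decoding, since the probe in the sample log arrives as `%27` and `+` rather than as a literal quote and spaces.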

Umbraco CMS... it has been over 10 years since I heard this name.
I am now involved in a migration project for Umbraco from Umbraco 4.6 (unsupported) to Umbraco 6.2.x (unsupported again). And... there are a ton of MSSQL stored procedures, along with a monstrosity called the Razor framework, which is the JSP equivalent for C#, along with dynamic string SQL. This is an SQL injection nightmare waiting to happen.

Attackers are exploiting Fortinet's CVE-2023-48788 (CVSS 9.3) to install remote desktop tools like #AnyDesk and ScreenConnect.

They’ve already targeted companies across 12 countries, leveraging:

» #SQLinjection for unauthorized access
» Password recovery tools like Mimikatz
» PowerShell scripts for persistence

Don’t just patch vulnerabilities—assume attackers are already inside.

thehackernews.com/2024/12/hack