
efcl's bookmarks on article and SQL (7)

  • Skytable Octave is here | Skytable Blog

    efcl 2023/12/12
    About Skytable's BlueQL. To prevent injection attacks it supports only parameterized queries, has no comments, and allows one statement per query. The query syntax has also been deliberately adjusted to be explicit.
  • Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement | Microsoft Security Blog

    Microsoft security researchers recently identified a campaign where attackers attempted to move laterally to a cloud environment through a SQL Server instance. This attack technique demonstrates an approach we’ve seen in other cloud services such as VMs and Kubernetes cluster, but not in SQL Server. The attackers initially exploited a SQL injection vulnerability in an application within the target

    efcl 2023/10/07
    An attack that, after breaking into SQL Server, enables `xp_cmdshell` so that command injection becomes possible, then uses OS commands to move laterally. Data is sent to webhook.site for confirmation, and instance metadata is retrieved to expand further.
  • The program I want to write tests for is a mass of SQL - やっとむでぽん

    efcl 2023/09/17
    Testing SQL
  • {JS-ON: Security-OFF}: Abusing JSON-Based SQL to Bypass WAF

    Team82 Research. Executive Summary: Team82 has developed a generic bypass of industry-leading web application firewalls (WAF). The attack technique involves appending JSON syntax to SQL injection payloads that a WAF is unable to parse. Major WAF vendors lacked JSON support in their products, despite it being supported by most database engine

    efcl 2022/12/11
    Modern RDBs support JSON, but WAFs did not, so mixing JSON syntax into a query could get past most WAFs.
  • Client-Side SQL Query Parsing with ANTLR

    Multiple Queries in the Console Query Editor Rockset Console’s query editor allows users to type and run queries over collections. Until now, however, whatever was typed in the editor was run and parsed as a single query. This means that, for a user, it wasn’t that easy to switch between multiple queries in our editor. They would have to comment out the queries they didn’t want to run, or keep all

    efcl 2019/11/10
    An article on how to write a parser for SQL syntax in JavaScript using ANTLR.
  • Stop using Knex.js (and earn $30)

    This is true about any SQL query builder. I chose to use knex.js as an example because it is the most popular SQL query builder in the Node.js ecosystem and we need an example. tl;dr; Knex.js (and other query builders) was designed to be a building block for ORMs; it does not add value when majority of the query is static. If you are evaluating alternative to Knex.js, I have since published anothe

    efcl 2019/08/09
    About Knex.js as an ORM and SQL queries.
  • Let's design a DB stuffed with SQL antipatterns! - Qiita

    efcl 2019/06/23
    Refactoring tables from SQL Antipatterns.