History Of Hacking prt 6 By CEO of TIA

It was December 1998, When Jeff Forristal (AKA Rain Forrest Puppy), published the first article ever in Phrack magazine detailing the discovery of SQL injection vulnerabilities and exploitation. Due to the criticality of the discovery, the new toy, SQL injection attacks, became a magnet for hackers, both good and bad. Soon enough, many individuals started attempting to evolve it and escalate it which led into the discovery of many types of SQL injections, most famous are the following:

Reflective:

Union based injections.

Error based injections.

Blind:

Boolean based injections.

Time based injections.

It wasn't long until someone figured out the Stacked Queries injections, which is a technique used with SQL injection attacks that exploit a vulnerable system and abuses privileges to escalate the normal (read-based) SQL injection attacks into RCE (Remote Code Execution).

SQLi2RCE is born, non-technically speaking, it is like holding a remote control to the vulnerable target, where you (remotely) send commands and the target executes them, hence the name RCE.

It is very hard to pinpoint the first instance of SQLi2RCE due to the cunning nature of such elevated attacks and the lack of reporting or publishing in the wild of that era.

However, the first "documented" instance (as far as we could track), was in February 2002 when a guy named Jeremiah Jacks identified that Guess.com was susceptible to such attacks allowing attackers to retrieve over 200,000 customer names, credit card numbers, expiration dates and so.

Nowadays, SQLi2RCE, being so critical, still holds the highest price in bounty hunting programs globally. Worth noting that any cyber attack that can be elevated to RCE automatically adds 30% of the bounty to the total amount being paid.

... But then, years later, "skiddies" happened...

(stay tuned for part 7)

By Elie Ghabash

‍