This video is about a local SQL injection vulnerability in the Linux and macOS desktop applications of Zoom, the conferencing app that gained even more popularity as remote meetings became more common in 2020. Exploiting the SQLi required bypassing the quote-doubling protection that the Zoom app used.

Original writeup:
https://medium.com/@keegan.ryan/patched-zoom-exploit-altering-camera-settings-via-remote-sql-injection-4fdf3de8a0d
Keegan’s Twitter:
https://twitter.com/inf_0_

Follow me on Twitter:
https://twitter.com/gregxsunday

Timestamps:
00:00 Intro
00:25 Initial discovery – zoommtg:// links
01:24 Analysing the binary
03:06 SQLi protection
03:55 ASCII & UTF-8
05:17 Bypassing the SQLi protection
06:45 Impact


#sqli
