1.4 SQL Injection Attacks and Types

00:00

Hey, everyone, welcome back to the course. So in the last video we talked at a very high level about how the client

00:06

server relationship works with Web applications. So, for example, if we're trying to browse to a website like let's say, cyber ery or YouTube or something like that, we basically send a request to that site saying, Hey, I want this information And then the site says, Yes, you can access that or in the example of, like, use the neighbor prosper of this site says, Wait a minute,

00:24

I don't know who you are. You can't have this information

00:28

in this video. We're gonna talk at a very high level about sequel injection itself. We're gonna talk about the different types of sequel injection attacks

00:37

so quick, pre assessment question here to test your knowledge. Jennifer's working as a pen tester and is tasked by client to assess their Web applications for vulnerabilities.

00:45

She's already run tools like burps, sweet and now wants to specifically run blind sequel injection attacks.

00:51

What do the following is not a tool that could be used for a blind sequel injection attacks. So is that gonna be a sequel? Map be sequel. Solaris. See Sequel Ninja or D sequel Suss

01:03

***, If you guess answer. Bur correct. So again, that's one that's just a made up answer. Their sequel, Maps, Equal Ninja and Sequel Suss, can all be used for blind sickle injection attacks and specifically for this course we're gonna use in last three. We're going to use equal map to just run a basic scan of a U. R L

01:23

now aside mentioned many times throughout this course, I'm going to be blocking out

01:26

the u R L that I use because I don't have authorization for students to use that particular u R l So you just want to replace that with one. You have legal access to use for this type of attack.

01:41

So what is sequel injection? Well, of course, it's code injection, right? This starts with improper filtering. So, for example, find putting in specific commands that shouldn't be allowed by the database. So let's say it's a database or excuse me a form on a website that

01:56

says, Okay, enter a phone number right.

01:59

That form shouldn't allow me to enter

02:00

letters right or special characters. It should just allowed number. So that's that would be an example of a vulnerability, right? If I can find a site where I type in a letter, and

02:13

even if it kicks me in, her message says, Oh, letters not allow that. I know that Oh, it's just numbers. But maybe I get information about the database itself so basically improper filtering as the overarching thing you need to remember their that if we're not filtering things properly, an attacker can use that to their advantage. To craft different, select and join those together with union statements

02:31

to attack our database and potentially either delete it

02:36

or just dump the database and get all the information from us

02:39

now. Sequel injection attacks themselves. So with the OSS, top 10 from 2017 injection and tax injection vulnerabilities are number one on the list, so it's the most dangerous thing there. And sequel injection attacks are by far the most popular form of injection attacks. So

02:55

if you're wondering my sequel injection attacks and definitely recommend checking out the old wall stop 10 you could find more information about sequel injection attacks a lot more in depth and also I have this course, and I mentioned that I mentioned that later in the course is well in the conclusion section, but I have a course in Siberia where it kind of talk about the law. Stop 10

03:13

from 2017 2 If you're curious about that at all, definitely check out that course and take a look at it.

03:19

So we have many different types of secret ejection attacks to to kind of overarching types on, and they'll be debate back and forth on these kind of main ones here. But it's actually have, like, the classic type where we manually type stuff in. So maybe I put in a type of user name of like, you know, Joey and a password I put like whatever

03:38

you know, single quotation or one equals one,

03:43

and that gives me back some kind of results, right? So I'm as the attacker I'm able to see.

03:47

Once I put information in whether I do it myself or use a tool, I'm able to see that information right away.

03:53

And then we got the blind attack, which, as the name applies as an attacker, I can't really see that. So let's talk about those a little more in depth now. Classic sequel Injection Attack kind of grouped in the most common ones you see there. So, like the union based air base in tautology, So union based is gonna be basically joining together different select statements

04:14

and

04:15

you'll know you'll see that in a lab, one that we do on this course where I go ahead and I just we at the near the end of the lab, we use a union statement to essentially select different categories of the database at different tables in the database and try to get information back from those.

04:32

Now Union based again is one of more common way she would do it with basically again stringing together

04:40

select different select statements to get whatever information you want that might be used in most most cases. That'll be usernames and passwords or, you know, maybe credit card information, dates of birth. That sort of stuff.

04:50

Airbase is a little a little different in the aspect of like we're just trying t we're trying to get to kick back and air message. So that way we could potentially see

05:00

table names, column names or you know, other information about the database itself, and that helps us as an attacker craft our union based attack better.

05:09

And then, of course, we have tautology based which I've got kind of, ah, chicken scratch image there of

05:15

But essentially it's tautology base is some kind of true statement. So in this example here, reusing admin and they were basically saying one equals one, right? That's a true statement. One equals wanted will always, you know, one equals one no matter what.

05:29

So the databases, if it's not filtering our data properly, if we're not checking the input when I validating input, then we could potentially bypass any authentication here by using this, you know, little command here because

05:44

the database is checking like, Well, admin is not right, but it says, or

05:48

let me check and see if this other thing is is a true or false type of thing. Oh, hey, it's true. One does equal one. Let me go ahead and allow this person to log in. So that's where that becomes dangerous act.

06:00

And then we've got blind sequel injection. So again, the Attackers not getting like a specific air message back or anything like that, but they are potentially getting information back. They can use to figure out. Is it a kind of a true or false answer to whatever I'm trying to do?

06:15

So we've got two main types that you'll see out there, Bill. 1,000,000,000 based and time based bullying based is gonna be, ah, very slow attack. Both of these are our ones that you want to use a tool for. So, like any type of blind sequel injection attack you want to use a tool for because it will take an exuberant amount of time for you to actually do

06:32

so. You just let a tool run and do its thing. And it shouldn't take too long in most cases to run this type of attack.

06:39

So bullion is gonna be a slow attack. And basically, with that one, the http response may change. And that might indicate if a particular query or doing is gonna be a true or false statement in response to that

06:50

and then we have time based where similar to the http response. But in the time based, the response time can then indicate, you know, is this kind of a true or false statement? So that's that's where we get the blind sequel injection those air kind of the differences there on those two.

07:08

So how do we protect against the stuff? Of course. Input validation by farce. You know, number one also avoiding dynamic sequel

07:15

also Ah, patching right. The common sense type of stuff. We can also use an I D S r I P s system thio number one Try to keep people from ex illustrating the data from our database and also on the flip side of that to protect against

07:32

an attacker potentially coming into our database.

07:35

Hardening is basically turning off. So if you're not familiar with hardening, were basically turning off. Unnecessary features were doing other things with hardening was well, but one of the main things is in relation to databases is a lot of times default Configurations of databases will have all sorts of features turned on that will never use right. I equate it to like Microsoft windows

07:56

like there's so much stuff on Microsoft windows you will never, ever use in your entire life

08:00

s. So I go through every time I installed windows or, you know, upgrade or something like that. If I'm touching windows at all, I basically go in and remove all the software I don't want, and I also try to harden it as much as I can,

08:13

at least privilege. So if I am, you know, Joe Schmo user or if an attacker gets Joe Schmo user's account information, they can't just automatically get, like admin access to the database, right? So the least privileged principle applies here as well.

08:28

Now for the default we basically want to avoid, like, any type of default, you know, configurations or default passwords. You know, things that that might be easy for an attacker to find out on the Web someplace and then, you know, exploit our database.

08:43

So we want to make it as difficult as possible. So that's really kind of going back to the hardening aspect of making it a little more secure, if we can.

08:50

And then, of course, there with with regard to their messaging, we want to turn off for disable air messaging. You know, basically as much as we can. You know, outside, of course, you know, like a test, her development type of environment. But in production, we wanted disabled as much as we can, so we limit the amount of information

09:07

that attacker could potentially get about our database.

09:11

So this one quick post assessment question here, James is performing sequel injection attacks for his company, and he notices that the http response has changed,

09:20

which could provide him information to him on whether a response from the database is true or false.

09:26

So what type of sequel injection attacks he most likely performing. Now choose the best answer here because I tried to Tricky a little bit

09:33

aren't so If you guessed answer A you are correct. Now you could make an argument for answer. See, because it is a blind sequel. Injection attack. That's the overarching thing. But again, I mentioned choose the best answer is that the best answer as the various lowest level which is gonna be the bullion type of attack

09:52

are. So in this video, we discovered a high level overview of sequel injection attacks as well as the different types of attacks.