2.3 Manual SQL Injection Attack Lab 1 Part 1

00:00

Hi, everyone. Welcome back to the course. So in the last video I showed you where you go get virtual box. Kelly Lennox as well. A cz the menace ploy Doble download. Now, I've also included those in the resource is section of the course, so I've actually got a lot of resources in that particular tab

00:17

on this course. So make sure you go ahead and download all of that. You'll find many, many resources

00:22

to practice the hands on components for a sequel injection.

00:26

So in this video, we're gonna go ahead and start off with our first lab. Now, in this lab, we're gonna be using the cyber lab environment. So if you don't have access to this, you'll just wanna practice. Sees things using medicine, portable and Callie linens on your own virtual machines. But again, I'm gonna be staying inside of cyber lab environment for this lab.

00:42

One quick note I want to mention on the upcoming labs is you will notice, and I'll mention this again. You'll notice that I've blocked out some information on those upcoming labs specifically because you don't have permission to access the particular you are A ls that I'm running attacks against or scans against S O. I don't want you to get in trouble, So that's why I blocked that out. So nobody gets curious

01:02

and tries to go

01:03

attacking things they don't have permission for. Because again, that's more than likely illegal in your particular jurisdiction.

01:11

But for this lab were inside of cyber lab environment, as I mentioned, so we could go ahead and play around a little bit and attack different things. It's out of this lap now. This lab's gonna cover some manual sequel injections. Basically, we're gonna be talking in different commands in and then you'll notice in the upcoming laps, I'll use a couple of different tools, too.

01:29

Performer us some scans as well as perform potential attacks.

01:34

So here the Siberia catalogue, you're just going to search for the lost top 10 a one injection lab. And the easiest way to do this is actually just typing in a one and then pressing. Enter little pull up everything related to that, and you notice that the very top one here is the lab that we want.

01:49

So what is gonna go ahead and click on that?

01:51

And then we're gonna select the launch button right here. And we've got one more button to click. It's gonna be a launch item button right here, and that's gonna launch the lab in a separate tab for us.

02:00

Now, this particular lab takes anywhere from 1 to 2 minutes, usually to boot all the way up. So I'm gonna go ahead, pause the video and come back as soon as just booted up on my side.

02:14

All right, so you'll see the lab booted up in the background there. Now again, the step by step guides I have in the resource of section of the course and make sure you download those. He could walk to these labs, and that's a good thing. So that way, if you find that I go too slow or too fast and in the lab, you could just go ahead and pause a video and do it on your own.

02:30

So we went ahead. We've already been loved into the cyber, a lab environment. We've went ahead and searched for the introduction of loss Top 10 lab for a one injection. Again, I just typed in a one, and that's what I recommend you do it just pressing enter. That's the easiest way to find it.

02:44

We selected a launch button. We selected the launch in a button and that went ahead and actually booted up the lab for us. So you'll see in the background. There we were at the Cali Lennox log in screen.

02:53

Now we're here. It's step six. Very important here. I want to note very important that you will not be logging in with the traditional Callie Lennox. Log in so you won't be using route and tour. You're gonna be using student and student. If you log in with root and tour, it should still work, but it may not work. You may not

03:10

be able to use Mattila date properly, so

03:13

I just keep that in mind. Just make sure you log in with student in student. If you have any trouble at all in the lab, it's May more than likely is because you've went ahead and logged in with the traditional log in for Callie Lennox. Now, for those of you not using the cyber lab environment, you'll use the standard logging for Callie Lennix

03:30

on your side. But for anyone using the cyber alive environment here,

03:34

you're gonna be using student and student for the user name and password.

03:38

So let's go ahead and enter that in. We'll just get logged in here. So student for the user name

03:43

and you'll see sometimes it doesn't take the s initially when you type it in there on the user name

03:46

and then student for the possible there, and that will pull us up into our Callie Lennox.

03:51

Now, once Callie Lennox launches up there in the background will click on it, and we're gonna be launching Firefox here in step number eight

03:59

and what that should do. It should take us directly to the Mattila day, Paige. Now, for those of you that are gonna be doing this in your own environment, you'll just want to access medicine portable. Basically, you're gonna inside of medicine voidable. And I kind of showed that in the previous video

04:13

you'll look up the i p. Address for your medicine portable machine. And then you're just gonna type that in the browser, the Firefox browser

04:19

inside of your Callie Lennox machine, and then you'll be able to follow along with everything that we're doing in this particular lab.

04:28

So here we're just gonna launch Firefox. Just just click the little orange icon there that launched Firefox. Sometimes it takes a moment, so to lunch up. But it will eventually lunch up for you. And it should take us again to the mature date. Paging you see there in the background it does.

04:42

Now we want to go ahead and start our lab as faras the hands on component. So the first thing we're gonna do on the left side, you'll notice it has a Laswell lost in some other different menu options there. We're looking for the old lost 2017 which is actually the top one there. So what we're going to do, we're gonna navigate to this location, We're gonna go to the last 2017.

05:00

Then we're gonna go to the A one injection sequel and then SQL I buy and then bypass authentication, and then we're gonna be selecting log in.

05:11

And then, from there, we'll see a user name and password feel that we can actually go ahead and enter some commands against. So let's go ahead and do that now.

05:17

So where to go to a lost 2017 here at the top. And she's a very top option here. That a one injection, sq. Well, we're gonna go to the SQL I bypass authentication

05:28

and then log in right there and again. If we click on that, you'll see we're taking to a user name and password field.

05:33

So let's go back to our lab document here.

05:35

We'll see that in the user named Field. We're gonna just start off by entering admin in there, and then we're gonna be manipulating the password fields. We're just gonna be typing in whatever single quotation and then space or space one equals single quotation and the number one.

05:51

So let's go ahead and do that and see what happens. So we're just gonna type in admin for the user name

05:57

and then for a password again, we're gonna be typing in whatever

06:01

space. Excuse me. Whatever. Single quotation, then a space

06:08

and then or O r. A lower case. Another space.

06:12

One

06:13

the equal Sign

06:15

a single quotation mark again, and then the number one again.

06:18

So once you enter that in there, you can either hit enter unto keyboard or just click on the lobbying button there.

06:24

And then she would authenticate us so close these little pop ups here.

06:28

Now, let's go back to our lab document, cause I do have a quick question for you. So question number one here, If you look at the top right of the Mattila Day, Paige,

06:34

are you logged in as the route or, you know, basically the admin user Are you loved in? Is that now?

06:41

So you see that I am. So I was successful there. And if you were successful in your end, you should also be logged in as the admin or the route account for this. This particular site.

06:50

Let's go back to our lab document. No.

06:54

So next thing we're gonna do is just log out. We're gonna enter another command of that same log in screen here, but we're just gonna be manipulating the user name field this time. So

07:01

the way we log, I just click log out up here at the top left of the screen.

07:05

I was gonna just redirect us back to that initial love and screen here. And if we go back to our step by step guide here, you'll see in step 15 that we're gonna be entering this command right here. So we're gonna enter an admin single quotation and then the pound sign.

07:19

Let's go and do that now. So we're just gonna type in admin all over case. Ah, single quotation mark and then the pound sign.

07:26

Now again, Nothing here for the password where either you're just gonna hit, enter on the keyboard or click the lobbying, but in there,

07:31

and we should get similar results. Right.

07:33

So let's take a look here.

07:35

So question to hear doesn't allow us to log in. And then also what account shows us loved into the top, Right. So let's answer both of those by clicking back over here

07:44

and we'll see that, Yes, I was able to log in, and that's the admin account again. Or the route account.

07:50

All right, let's go back to our lab guide.

07:54

So if you come down here to step 17 we're gonna go to a different area now. So we're still going to the lost 2017 and then still the a one injection s key. Well, but now we're gonna go to the SQL I extract data and then user info.

08:07

So let's go ahead and navigate there now.

08:09

So we're gonna go to a lost 2017 We're gonna go to the injection one of the top against with the injection SQL.

08:16

Now we're gonna go to SQL. I extract data. So if you remember right before we went to the bypass authentication, this time we're doing the top option here. We do the extract data and then we're gonna select user info.

08:28

All right, so that's gonna take us to another log in screen here, and I'm gonna go ahead and policy video, and we'll pick things back up in the next video to wrap up this lab. And in this video again, all we did is we've launched the lab. We went to the Mattila Day site by using Firefox again. If you're using your own virtual environment, you're gonna want to go ahead and access your

08:46

menace portable box and get the I P. Address. And then

08:50

put that into Callie Lennox in your Web browser there prefer preferably fire fox. And then from there, you should be able to follow along with all the things we're doing in this particular lab.