Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

This lesson covers SQL injection. In this lesson, participants learn about:
1. What is a SQL injection?
2. How it works
3. Types
4. Examples

A SQL injection is a form of attack which takes advantage of improperly filtered user input and uses that input to enumerate and manipulate a database. This lesson discusses two types of SQL injection: classic and blind. The instructor also offers examples of where a SQL injection can be placed.
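As an added illustration of the "improperly filtered user input" the description refers to (example code written for this page, not code from the lesson or from Cybrary), the following Python/SQLite script runs the same inputs through a lookup that concatenates the input into the SQL text and through one that binds it as a parameter. The `users` table and its rows are constructed sample data, and `naive_blocklist` is a hypothetical filter included only to show why rejecting the textbook `1=1` pattern is not a fix.

```python
import sqlite3

# Constructed sample data standing in for a site's login table (not from the lesson).
SAMPLE_USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
    ("carol", "letmein", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Improperly filtered input: the string is pasted into the SQL text, so a
    single quote in it closes the literal and the remainder is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def naive_blocklist(username):
    """Hypothetical filter that only rejects the textbook 1=1 pattern, to show
    why blocklisting specific payloads is not an adequate defence."""
    return "1=1" in username.replace("'", "").replace(" ", "")


def demo():
    """Run each input through both lookups and summarize the outcomes."""
    conn = make_db()
    out = {}

    # Ordinary input: both versions return exactly one row.
    out["normal"] = (len(lookup_vulnerable(conn, "alice")),
                     len(lookup_parameterized(conn, "alice")))

    # Classic WHERE-clause modification: the always-true OR makes the vulnerable
    # version return every row, while the parameterized version matches nothing.
    classic = "x' OR '1'='1"
    out["classic"] = (len(lookup_vulnerable(conn, classic)),
                      len(lookup_parameterized(conn, classic)))
    out["classic_blocked"] = naive_blocklist(classic)

    # Any other true comparison slips past the 1=1 blocklist and still dumps rows.
    variant = "x' OR 'banana'='banana"
    out["variant"] = (len(lookup_vulnerable(conn, variant)),
                      len(lookup_parameterized(conn, variant)))
    out["variant_blocked"] = naive_blocklist(variant)

    # A lone quote: the concatenated query is malformed and raises a SQL error
    # (the "get a SQL error back" probe); the parameterized one simply finds no row.
    try:
        lookup_vulnerable(conn, "x'")
        out["quote_errors"] = False
    except sqlite3.OperationalError:
        out["quote_errors"] = True
    out["quote_param_rows"] = len(lookup_parameterized(conn, "x'"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the three outcomes the lesson describes from the defender's side: a stray quote surfaces as a database error, an always-true OR returns the whole table, and a pattern filter catches only the payload it was written for. The parameterized lookup behaves identically for all three inputs, which is why bound parameters rather than input filtering are the control to rely on.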

Video Transcription

00:04
Welcome to Cybrary. I am Raymond Evans and I will be your subject matter expert for Cybrary's web app penetration testing course.
00:11
In this video we will be discussing SQL injection. So what will be covered?
00:15
What a SQL injection is, how it works, some types, some examples. So what is a SQL inject?
00:22
Well, a SQL inject is a code injection attack which takes advantage of improperly filtered user input to enumerate and manipulate a database.
00:30
What exactly does that mean? Well, an attacker can use a statement to send commands to a SQL database and get information back from it.
00:39
An attacker can also use this statement to manipulate data on the database as well, such as doing things like
00:46
dumping an entire database. Two types of SQL injections we will be covering are classic SQL injections, or SQLi,
00:54
and blind SQL injections, or blind SQLi.
00:58
I'm gonna be interchanging SQL inject and SQLi throughout this course, because that's how you will see it in the real world. You'll see
01:07
both of those terms used. So what's a classic SQL injection?
01:11
Well, a SQL injection occurs when escape characters are improperly filtered.
01:17
An escape character is something like a single or a double quote,
01:21
and these are used to denote the end of something and then the beginning of a series of commands. A SQL injection
01:32
command is then sent
01:34
to the SQL application.
01:36
The results are immediately displayed to the attacker.
01:40
Classic SQL injections utilize WHERE clause modification and UNION operator injections to exploit the improper filtering.
01:49
The
01:49
WHERE and UNION
01:52
modifications you will be seeing later on; I will be explaining them further. Blind SQL injection is a form of SQL injection
01:59
with the same exact thing as normal SQL injection, except the attacker is able to immediately see the results.
02:07
For a web application that needs to be tested for blind SQL injection, it's best to use an automated tool,
02:13
such as one that tells us to blow, or, if you want, you can also craft a statement with a SQL inject to do something like create a user account or add some kind of data to the database. If this works, then you know that it's vulnerable to a blind SQL inject. So
02:31
an individual
02:32
can't perform a SQL inject and get data immediately back. However, they can perform a blind SQL inject to do something like dump the database or add a user account for themselves to gain access. Where would you exactly inject, though?
02:47
Well, SQL injections could be placed in various portions of a web page, and the source code of the page itself as well.
02:53
However,
02:55
the two most common areas you will find them
02:58
are in the URL and in form fields. And here we see
03:04
a couple of examples of those attacks in those different fields. In the URL here, we see in the first one that it uses a single escape character to try to discover if a SQL injection is possible.
03:16
Same thing with the second one: it is using an escape character to try to get a SQL error back.
03:23
The third one here actually uses a 1=1 statement,
03:28
and this would be used to try to
03:30
get data.
03:32
Same thing within the form field. Here
03:35
you are telling it that you're looking for
03:38
anything, any username that has 1, or any username that is true. So it'll dump out all the usernames to you, because all the usernames are true, in fact. So why is this dangerous? Well,
03:55
when a website is vulnerable to a SQL injection, the site may disclose a lot of sensitive information. Stuff like credit card data, Social Security numbers, addresses, usernames and passwords.
04:06
This data can be used to steal identities and money, or it could be used to con victims over a long period of time.
04:14
In the case of usernames and passwords, this could be used to
04:18
get admin credentials and elevate their privileges on a system as well. So that's one. That's another reason why it's really, really dangerous: because of privilege escalation. If something like this goes unchecked for years upon years,
04:33
an attacker could just sit back and siphon off data, just steal credit cards, Social Security numbers, for many, many years,
04:43
if it's left unchecked, and if there's nothing set up like an IDS
04:47
or an IPS to identify these types of attacks. So here's a couple of examples of SQL injections.
04:57
So in our first one here
04:59
we see that 1=1 statement again.
05:01
So this query is recognized as true, and will dump the database onto the screen. This is one of the most common examples that you will see, and it's amazing how much this works. Now
05:13
you can
05:14
trick a system even if it's filtering the classic 1=1, because as long as any variables are in there whatsoever,
05:23
it will do this. So you could do Tim OR Bob=Bob. As long as that statement
05:30
and the second portion is equal and correct, it'll dump the database for you.
05:36
So that's something, you know, to watch out for. You know, if you say, oh hey, it's cool, we got the classic 1=1 filtered,
05:45
well, do you have banana=banana, or dog=dog?
05:49
I don't think so. And next we have an example which is asking to display every column from every table where the id equals one, which would display the entire database.
06:02
This type of statement could be used to refine your search even further. So here we see SELECT * FROM * WHERE id=1.
06:13
Now those star spots there
06:15
can be used to refine your search, so that star represents a variable for everything.
06:24
So you're saying select everything from everything where id equals one. So you could say something like
06:29
select usernames, or users if you know the table's called users,
06:34
um, from customer,
06:38
where
06:39
id equals Frank,
06:42
and you would get a list of everybody named Frank from that database. Next we see an example of how to modify something
06:48
on the table, and what we're doing is saying select everything from everything where id equals one, and then it says drop table
06:57
everything. If your database was vulnerable to SQL injections and somebody was to put this in there,
07:04
it could and would drop your tables, which is really bad, because it would be deleting your database. Our final example here, the statement below, uses a SQL post injection to refine its attacks even more. So it's showing, like above, select a variable
07:24
from a variable where type id equals one,
07:27
and then it uses a UNION SELECT, UNION ALL SELECT statement
07:31
to define it even further. This type of SQL post injection will most likely be used with a program such as sqlmap, which we will be showing later on, and I will be demonstrating later on
07:48
how to create a more refined search with this string here. Right now, it seems
07:55
like
07:56
a lot of garbage to you. But once we actually
08:00
practice it and show how it's used, it will make a lot more sense. So what are some real world examples of
08:07
SQL injection being used and impacting people?
08:09
Well, in 2008 the Sexual and Violent Offenders Registry of Oklahoma had 10,597 Social Security numbers belonging to sex offenders stolen via SQL inject. In 2002, Guess.com was vulnerable to a SQL injection attack, permitting anybody
08:28
who can construct a properly crafted URL to pull down
08:31
200,000 plus names, credit card numbers and expiration dates in the site's customer database.
08:39
And then, in 2011, LulzSec
08:41
was accused of using SQL injection to steal coupons, download keys and passwords that were stored in plain text on Sony's website. So the Guess.com vulnerability, the SQL injection vulnerability that was there, was one of the 1=1 statements that
09:00
you had seen
09:01
in the URL itself. So that's one example of where that was used, and that's for the 2011 LulzSec attack. You never store anything that sensitive in plain text, ever, anywhere.
09:15
So what was covered? Well, I talked about what a SQL inject is, showed a couple of examples, talked about how it works, talked about some types of SQL injections and then gave you some real world examples.
09:26
Happy hacking, everyone.

Up Next

Web Application Penetration Testing

In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.

Instructed By

Raymond Evans
Instructor