Part 11 - Discovering SQLI
Video Activity
This lesson focuses on the Arachni free scanner. In this lesson, participants receive step by step instructions in how to cd into Arachni and use it to scan for vulnerability via the local host and admin account using the target URL command to check for SQL injections and perform a direct scan and discover examples of SQL injections. You can hit 'r...
Video Description
This lesson focuses on the Arachni free scanner. In this lesson, participants receive step by step instructions in how to cd into Arachni and use it to scan for vulnerability via the local host and admin account using the target URL command to check for SQL injections and perform a direct scan and discover examples of SQL injections. You can hit 'review' to see what was injected, what was sent as well as the response (if any).
Video Transcription
00:04
And finally, we're gonna show you another great free scanner,
00:07
which is Iraq night. So let's go check it out.
00:11
We're gonna come every a folder.
00:30
Let's come over here
00:34
and
00:36
jump into the Iraq knife. Older
00:40
CD to our desktop.
00:44
Do a quick L s
00:47
Sierra Iraq knife older.
00:55
We will CD into Iraq. Nine.
01:26
All right here.
01:26
I can't remember exactly where it was located at. All right, So we're going to
01:33
run the Iraq my Web script here
01:40
to get the Iraq nice Web set up.
02:06
All right, we see here that listening on
02:09
port 92 92. Local host.
02:13
We're gonna come over here or a browser
02:15
going. D'oh! Local host 9 to 9 to
02:22
the
02:24
admin account is admin at admin dot admin and the password is
02:30
administrator
02:37
Tipton, incorrectly. So,
02:46
Hey, we, uh
02:53
All right, we're gonna come up here to scans click Now,
02:55
I'm gonna do a target. Earl of one into it. Out. 168
03:01
I don't want that.
03:04
Zero down. 11 are whatever it is that you chose.
03:15
Remember to add the http
03:16
and we're gonna check for sequel injections.
03:22
Then
03:23
if you want some kind of special description here Something for you to remember the different kind of scans of Jilin or who you're doing enforcement like that. You type that
03:31
right here in the description portion.
03:37
We're gonna perform a direct scan
03:39
and then click Go
03:46
scanner is initializing and running through.
03:49
So is that it? Do its thing.
03:59
All right, we're certain to see some results here.
04:01
We scroll down here
04:04
when can see. Hey, look at that sequel example. One.
04:09
It's found a a sequel injection here.
04:14
So in Click
04:15
Awaiting review,
04:17
and I'll give us some further detail,
04:20
such as
04:23
what exactly was injected into it,
04:27
and then the request it was sent
04:30
the man.
04:31
If there was a proper response back, it would be here. But there was not a proper response for this one.
04:44
Here's some more information about the sequel injection, which could be very helpful for building or your report.
04:50
Now you can click scans here,
04:56
and it will show you your current scans and a skins you had in the past.
05:00
Then you just click on the eye and I'll take you back to your current active scan, and you can continue looking at
05:06
and reviewing the different
05:11
injections here that you get
05:32
now, as you can see here that this may be missing some contacts because the skin is still running. So if we wait for the end of the skin and will give us some more detail about what? Actually,
05:44
um,
05:45
it found fully
05:47
So
05:48
let's let this ah, continue scanning. Here
05:53
is what you see. Here we see the runtime,
05:56
how many pages of sexually scanned and how many issues it's found. So let's continue. Let's let this continue doing it saying here
06:13
all right. And the scan is complete.
06:15
Found seven different
06:18
vulnerabilities.
06:21
And, uh,
06:23
let's go. Let's go check out the review further. See what additional details we may have gone from this.
06:39
So
06:41
recognize a fantastic tool.
06:43
It allows you to heavily edit your skins.
06:49
We could look at the different profiles force canings.
06:56
We could see what kind of different areas
07:00
it's actually
07:02
buzzing and what it actually is putting into
07:05
the different fields here.
07:10
So if we wanted Thio
07:13
customize
07:15
the, uh the sequel injection,
07:18
we go over to our profiles, click the edit button
07:24
and in here
07:26
is ah is where we were at it. You know what we want our did it and think things like that.
07:32
Um,
07:33
so this is very important for
07:36
you know how in depth you may want the scan ago. How may how aggressive you may want it. Any kind of user names that you want put in a password. So say you have an application that requires,
07:50
you know, being logged into you could put your authentication methods here, let it log in and scan even deeper into
08:01
that. The page. So very handy stuff,
08:05
Very useful stuff to damage Iraq, and I
08:09
tweak it. Check it out. It's fantastic. So what exactly was covered? Why the scanning is important. You know why the discovery is important?
08:16
Two different types of discoveries. And then we also discuss these different tools that you can use, and I showed you some examples of how to use them. So go play a little, try out the different variables, see what you can dig up.
08:31
Happy acting, everyone
Up Next
Web Application Penetration Testing
In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.
Instructed By
Similar Content
