Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

This lesson focuses on using SQLSUS, which is found on the Kali 2 platform. In this lesson, participants learn how to use SQLSUS to create a config file, name it, open the file in nano, and then use the config file to launch an attack against a vulnerable web page to find tables, columns and users.

Video Transcription

00:04
Our next tool we're gonna be using is sqlsus. sqlsus can be found on Kali 2 automatically.
00:11
There's some steps that we're gonna have to take. So
00:13
for sqlsus, you have to type sqlsus -g first to create the config file
00:21
and then name it whatever you want. Well, we're gonna name that attack.
00:24
After that, we're gonna nano that attack file to read it.
00:28
And once we go to edit it, we wanna change the URL start to our target page.
00:34
After we do that, we're gonna type sqlsus attack. That calls the config file that we created. So whatever you call your config file, that's what you'll type there.
00:46
We're gonna type start, and then we're gonna type get item,
00:51
ask her to show us all the available items that we could get.
00:54
All right.
00:55
It's going to show that we're able to get tables. So then we're gonna type get tables. That's gonna show the columns, and we're gonna see a column for users. Then we're gonna type get columns users
01:04
and
01:07
After that, we're gonna type select everything from users to get the passwords. Let's go check it out.
01:19
this type.
01:21
So it's sqlsus here
01:23
and
01:23
we see
01:26
some basic commands here.
01:29
So we want to do sqlsus
01:34
-g
01:36
attack
01:38
and the configuration successfully saved to attack.
01:42
Now we're gonna type nano
01:46
attack.
01:48
We're gonna open up that config file.
01:51
Now, if we come down here,
01:53
we see URL start. Now, in between these double quotations is where we're gonna put our URL.
02:02
Gonna paste in our URL from before. Then we're gonna hit Control-X.
02:07
It's gonna ask, do you want to save? We'll say yeah. Yeah, we want to save.
02:13
File name to write:
02:15
attack. You hit Enter
02:16
and it's written
02:20
and we go back. We type sqlsus
02:23
attack
02:25
and the session has been created
02:29
for attack.
02:38
Next we're gonna type start
02:43
and it has pulled some targets for us.
02:46
So we're able to see the version
02:50
user and the database Here,
02:53
let's get
02:57
item
02:59
And here's some items we can get. So it says, Hey, you can get tables so say get
03:06
tables
03:10
And
03:13
we have users as one of the tables we can get.
03:15
So that's a get
03:20
columns,
03:34
users,
03:50
There we go
03:51
So
03:53
now we've gotten the columns. So we say, hey, they have IDs, names, age group IDs and passwords.
04:00
So
04:03
we want to get the database here. We want to dump this information.
04:15
So what we're gonna do is a little SQL query here. Gonna say select everything
04:20
from
04:23
users.
04:25
Look at that.
04:27
We've now gotten
04:28
all the names and all the passwords for this website. Once you've gathered your information,
04:33
you say exit
04:34
and hit Enter.
04:39
So what was covered in this video?
04:41
Well, we discussed exploiting SQL injection manually
04:44
and then we discussed exploiting it with tools, and the two tools we used were sqlmap and sqlsus. Happy hacking, everyone.

Up Next

Web Application Penetration Testing

In this web application penetration testing course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment.

Instructed By

Raymond Evans
Instructor