All right, let's take a look at injection. There are lots of different kinds of injection. Probably the most well known is something called SQL injection, which allows us to inject SQL statements for acting on databases. But there are also other forms of injection. LDAP injection is a different kind of injection. So let's take a look at a couple here. We've got a couple of injection issues on this site.
Typically, where one goes first for injection is actually the login. The login does have an injection issue; it's just not a SQL injection issue.
So we want to start with SQL injection on the home page. Pick one of these books and click on it to get more details. It says ID equals 2 in this case, so I'd guess it is picking books out of a database and filling in this information based on what's in the database.
So the first thing I check when trying to do a SQL injection is to just put a single quotation mark, a single quote, at the end. This should cause the SQL syntax to break.
If they're using SQL correctly, this should be filtered out; any of my special characters should be filtered out, so it will still pull up 2 and filter that out somehow, or pull up nothing, possibly, depending on how it filters. But if it is vulnerable to SQL injection and accepts that single quote, then it should break the SQL syntax and it should throw an error.
Sure enough, I get an error: unclosed quotation mark after the character string. So we even get some code that says it's a SQL data adapter. It has what my SQL statement is: Select * from BookMaster where BookId = plus bookId, and my connection string, and it once had the book ID, which in this case was 2. But then I broke it with, you know, the single quote.
By playing with the errors, we should be able to create a valid statement. We can do something like "where ID equals 2 or".
We can just tell based on this error that this is going to be in a SQL statement, so we need to talk in SQL. Depending on what kind of database you get, you want to change your syntax. Dash dash at the end, that's going to be like a comment for SQL. So everything after this, all this semicolon et cetera, is going to be gotten rid of. So we closed it off where the rest of the statement was.
This is still going to throw an error, but it should give us data in the error. So: conversion failed when converting the nvarchar value 'book up' to data type int. So the DB name is 'book up', and that looks like it has the table called BookMaster.
What we put in was "2 or 1 equals 1". So even though we put in 2, we actually ended up with BookId 1, because we put in "2 or 1=1" and commented out the rest, so the first thing that's going to come up is there. Basically, 1 equals 1 is always true, so it's "2 or true". So the first thing in the database list that comes up for "2 or true" is going to be the first entry. So we ended up with the first entry, which is not as interesting here because we just got another book. But when we get to the XPath injection for the login, that will be pretty interesting. So 1 equals 1 is always true; when I OR it with something, it'll just make everything true. I can make things rather nice for us. So we saw an example of being able to get data out, and an example of manipulating what it gives us.
So there's another tool I like to use for SQL injection, because in order to do SQL injection well, you have to know SQL. There's a ton of things you can do with SQL injection, but like I said, you have to be pretty proficient at your SQL commands to do it. So I like to use a tool called sqlmap to help me with my lack of skill. So sqlmap, dash u, and give it the URL I want, and give it an injection point: Detail.aspx and id equals something. It said it wants id equals 2. We have a lot of different options; read the help pages on this. But dash dash dump. Oops, I didn't close my quotation marks.
So what this is going to do is take the injection point that we give it and try it for a SQL injection. If it works, it'll do whatever we asked it to. It could be Microsoft SQL Server. Do you want to skip tests specific to other databases? Yes. The id parameter is indeed injectable. Oh, well, we knew that already anyway.
So since I told it to dump, it actually will dump out the entire database, which in this instance is just books again. It's not particularly interesting. I thought about what we could do if it was a user database and they weren't using salted hashing, or even if they were: we saw in the password section that we have some options there. As long as they're not using good salting, we still may be able to get some stuff out really easily.
We have some other options besides dump as well. One we might like is dash dash os-shell, which, as the name implies, is actually going to use the database to try and get a shell on the underlying system. So we've got a couple of shells on our Windows 7 system already, but we could certainly use more, and MSSQL generally runs as a really privileged user. So it could save us the trouble of going through the post-exploitation steps if it's already running as SYSTEM.
So this is the xp_cmdshell command shell procedure. It does not seem to be available, so on newer versions of MSSQL it's turned off because, well, people were using it maliciously, like we are, just opening up a command shell. It's off by default on newer versions of MSSQL. That said, you may be able to re-enable it in the default configuration; you can just turn it back on. So also, yes, do you want to re-enable it?
All right, so we've got our shell. So how about whoami? Yes, I want to retrieve the output. I'm SYSTEM. So, you know, at that point... Not many local users, but there could be more than that. You know all this already. Oh, that's not working. What? I would have liked that, but we could always do something like ipconfig. There's our IP address information. So I mean, we saw all this in the post-exploitation section, but we do have system level access for this.
So SQL injection is one that's pretty big. If you're not developing correctly in terms of security, you can have issues like this. I've done it myself, you know; it's just like, I need to get this web front end working right now because I have to present the tool tomorrow, and I'll fix it later, that kind of thing, and SQL injection issues like this come out of that. So it does still happen. Hopefully your application developers are doing a better job now. It is pretty well known that there are security issues in web applications. That said, easy issues like this happen all the time in applications.
All right, so let's take a look at the login. I mentioned this is actually using XML authentication, so it's going to be a little bit different, but the logistics are the same. So I've got my user input fields, and I'm just going to put single quotes in both of them. "Name and password has an invalid token." Well, here's how it was set up. How nice that it gives us the source code, right?
The string credential: username and password. So it is using XML with XPath, but we should be able to attack it in the same way. So I put in a single quote, but it does go forward with three quotation marks here. So with the username, it looks like it has a quote on either side, since it's a string. Since the other one was an integer, there were no single quotes around it; with these being strings, they do have quotations around them. So we're ending up with three quotations for username and password, and that's what's creating the error. So we are going to want to leave our quotes in. We're going to want single quotes around these. It is a string, so one with single quotes around it equals one with one quote around it, and then that extra quote will come from the actual login, going through the same for the password.
I'm logged in. I'm logged in as the user named Mike. I don't know what Mike's password is, no clue, but I imagine Mike is the first entry in that XML, in this case a list of users. So it's: username is blank and password is blank, or 1 equals 1, which is true. So the first time there is a username and password, which should be the first user, that's the one we get logged in as. So no password required. Pretty cool, huh? Now we're that user. With posts we see information about them, or even if they stored credit cards, buy things on their behalf.
That's just a little bit about injection. Again, there's certainly much more practice to be had on each of these. Hacking web is huge; everybody does web now, so it's certainly an area to spend your time. I'll have to figure out what's going on and fix it up before I do the next video, but I'm not sure why I suddenly don't have a connection between my two VMs. But I'm done for this video at least.
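As an added illustration (my own example, not code from the video or the demo site), here are the two defective patterns the video walks through, the numeric BookId lookup and the quoted login fields, each beside the parameterized form that closes the hole, using Python's sqlite3 module. The video's login is XPath over XML rather than SQL; since the standard library has no XPath engine that would execute the `or '1'='1` expression, the string-field case is shown here against a SQL string column, where the quote-balancing reasoning is identical. BookMaster and BookId come from the error shown in the video; the Users table, its rows and the passwords are constructed.

```python
import sqlite3

# Constructed sample database (not the video's): BookMaster with a numeric
# BookId, as in the demo, plus a Users table with string columns to show
# the quote-balancing point the video makes about the login fields.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE BookMaster (BookId INTEGER, Title TEXT);
INSERT INTO BookMaster VALUES (1, 'First Book'), (2, 'Second Book');
CREATE TABLE Users (Name TEXT, Password TEXT);
INSERT INTO Users VALUES ('Mike', 'mike-pw'), ('Ann', 'ann-pw');
""")


def run(sql: str):
    # Execute a statement and return the first row, or the error text
    # (the "unclosed quotation mark" style leak the video shows).
    try:
        return db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"error: {exc}"


def book_vulnerable(book_id: str):
    # String concatenation: the input becomes part of the SQL syntax, so a
    # bare ' breaks the statement and "2 or 1=1--" rewrites the WHERE clause.
    return run("SELECT * FROM BookMaster WHERE BookId = " + book_id)


def book_safe(book_id: str):
    # Validate the type and bind the value: it can never become syntax.
    try:
        value = int(book_id)
    except ValueError:
        return None
    return db.execute("SELECT * FROM BookMaster WHERE BookId = ?",
                      (value,)).fetchone()


def login_vulnerable(name: str, password: str):
    # String fields are wrapped in quotes by the template, which is why a
    # payload for them has to close the opening quote and leave the final one.
    row = run("SELECT Name FROM Users WHERE Name = '" + name +
              "' AND Password = '" + password + "'")
    return row[0] if isinstance(row, tuple) else row


def login_safe(name: str, password: str):
    # Bound parameters: quotes in the input are just characters of a value.
    row = db.execute("SELECT Name FROM Users WHERE Name = ? AND Password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None
```

With the video's inputs, `book_vulnerable("2 or 1=1--")` returns the first book rather than book 2 and `login_vulnerable("' or '1'='1", "' or '1'='1")` returns the first user, while the bound versions return no row for either payload.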