WebApp (part 3) SQL Injection

00:04

All right, let's take a look at injection. There's lots of different kinds of injection, probably the most well known. It's something called sequel Injection, which allows us to inject

00:14

code into

00:16

sequel statements for

00:18

acting on databases. But there's also other forms of injection. L'd up injection

00:24

expats injection.

00:26

It's a different kind of injection, so let's take a look at a couple here. We got a couple of injection issues on this site.

00:35

Typically, where one goes. First of all for

00:39

injection is actually the log in.

00:43

The Logan does have an injection issue. It's just not a sequel injection issue.

00:49

So we want to start start with sequel injections on the home page. But pick one of these books and click on it and get more details.

00:58

It says up your I D equals two in this case, So it is

01:03

probably our guest picking books out of database and selling out this information based on what's in the database.

01:11

So what I want to do is my first

01:15

thing I check when trying to do a sequel. Injection is just put a single

01:23

quotation marks. A single quote at the end

01:26

to this should cause the sequel Syntax to break.

01:30

Yes, it is vulnerable to sequel injection. If they're using sequel correctly, this should be filtered out any of my special characters. We filtered out so it will still kill up to

01:42

and filter that out somehow

01:46

or pull up nothing, possibly depending on how it filters

01:49

but is it is vulnerable. The sequel. Injection and accept that

01:53

single quote. Then it should break the Sequels in tax, and it should throw in error.

02:00

Sure enough, I get an error unclothed quotation mark after the character strength, so even get some code that says I'm a sequel of Adapter. It has what My

02:13

sequel statement is Select star from Book Master, where Book I d equals

02:20

plus book I. D. My cons on my connection Strange at once

02:24

the book idea, which in this case was too.

02:29

But then I broke it with

02:31

Colon.

02:34

You're not so Michel on, kiddo. Quote.

02:38

So

02:39

based on that,

02:43

we should be able to create a valid

02:46

sequel statement.

02:52

What if we d'oh

02:54

is playing with the errors? Weaken! Do like

02:58

to where Eagles to or

03:01

one in.

03:04

So Lex Devi name.

03:08

We just tell based on this care that this is gonna be in a sequel. So we need to talk in this sequel. So depending on what kind of database you get, you wanna change Your syntax is dash dash at the end.

03:20

That's gonna be that's, like comment

03:23

for sequel. So everything after this, all this

03:28

Michael on et cetera is gonna be

03:31

gotten rid of. So we closed

03:35

here the

03:37

corns

03:38

for the

03:39

not corns,

03:42

where others were. You stole Francis's area.

03:46

This is still gonna throw an error, but it should give us

03:52

data and the error. So conversion failed when converting the inverter value book up to date a type. And

04:00

so the D. V name is booked up.

04:03

That looks like it has

04:05

the table called book Master.

04:12

We could do

04:15

what we put into or warn equals

04:19

one.

04:23

So even though we put in to we actually ended up with book I d. One because we put in two or one equals one on commented out the rest for the first thing that's gonna come up there Basically, one equals one is always true. Show two or true. So the first thing in the database lists that comes up is

04:43

to or true is gonna be the first injury. So ended up with the first injury, which is not as interesting here because we just got another book. But when we get to the expats injection for the law again, that will be pretty interesting. So one equals oneness. Always when I go for his, it'll just make everything true.

05:00

I can make things rather nights for us. So we saw an example of being able to get data out

05:05

an example of manipulating what it gives us.

05:10

So another tool I like to use

05:13

four sequel injection because in order to do sequel injection well, you have to know sequel. So there's a ton of things you can do with the sequel injection. But like I said, you have the pretty proficient at your sequel commands to do it to this

05:28

what you're doing.

05:30

I like you tool called sequel map to help me with my lack of skill

05:35

and a sequel.

05:39

Huh? Does you? And give it the girl I want

05:46

and give it an injection point.

05:51

What years?

05:56

Detail? That s P X and

06:00

I de eagles. Something it said it wants. I d equals two,

06:05

and

06:08

we have a lot of different options and read the hell pages on this. But dash dump

06:13

dumps database

06:15

groups. I didn't close my quotation marks

06:21

area.

06:25

So what this is gonna do is it's going to take the

06:28

injection point that we give it. Try it for a sequel injection. If it works, it'll do. Whatever we asked it to

06:35

could be Microsoft sequel surgery. Do you want to skip test pay that's specific to other databases? Yes,

06:46

yes, that's fine.

07:00

Grinds up

07:01

the I. D perimeter is indeed injectable.

07:12

Oh, so you know that Stanley prouder there is anyways,

07:15

So since I told Is it dump? It actually will dump out the entire database, which assistants just books again. It's not particularly interesting,

07:24

but it's an example

07:26

I thought we could do if it was a user database and they weren't using solid encryption or even if they were, we saw in a password section that we

07:33

have some options there. As long as they're not using good salting, we still may be able to get some stuff out really easily.

07:43

We have some other options. Besides, Dump is well, like when we might like is a less Dow shell which, as the name implies, it's actually going to use the database to try and get a shell on the underlying system. So we got a

07:58

A couple shells on our Windows seven system

08:01

already, but we could certainly use more and mess equal. Generally runs is a really privileged user. So could save us the trouble of going to this post exploitation steps if it's already running a system.

08:16

So this is the X p under short command. Shell procedure does not seem to be available

08:22

so that on newer versions and the sequel is true because,

08:26

well, people were using it maliciously, like we are just opening up a command shelf. It's all spite of fault on newer versions of M s equal that said, you may be able to re enable it

08:37

in the default configuration. You can

08:41

you just turn it back on.

08:43

So also, yes. Do you want to re enable it?

09:05

Sure.

09:07

All right. So we got our show.

09:11

Cool.

09:13

So how about you, Ma?

09:16

Yes. I want to retrieve the output. I'm system. So you know that point?

09:22

Yeah.

09:22

Users.

09:33

Not many local users, but

09:39

where they were more than that.

09:48

Um, so much

09:50

cool.

09:54

You know all this already?

09:56

Long

10:11

aggressions.

10:13

00 that's not working. What? I would like him, but we could always do like Ivy. Get ready. First,

10:22

there's our I P address information. So I mean, we saw all this and

10:28

Coast exploitation section, but we do have system level access for this.

10:33

That's cool.

10:35

So sequel injection is one that's pretty big. If you're

10:39

not developing correctly in terms of security, you can have issues like this of dumb it myself. You know, it's just like I need to get this

10:48

Web front and working right now, because I have to present the tulip tomorrow and I'll fix it later kind of thing and

10:56

can end up with

10:58

sequel injection issues like this. So it does still happen. Hopefully,

11:03

your application developers are doing a better job now. It is pretty well known about security issues and Web applications. That said, it's easy issues like this happen all the time and applications.

11:16

No rule that says

11:18

you can't have

11:18

issuing you're out.

11:22

All right, so let's take a look at

11:24

log in. I mentioned this is actually using XML all syndication, so it's gonna be a little bit different, but

11:33

the logistics of the same. So I get my

11:35

user input fields, and I'm just gonna put single quotes and both of them

11:41

go get my error

11:45

users. User,

11:46

I ATT. Name and password has an invalid token. Well, here's how I was setting it up. How nice that it gives us the source code. Right?

11:56

The string credential. Use your name and password.

12:01

So it is using X e mails with ex past,

12:05

but we should be able to attack it in the same way. So I don't want a single quote, but it does go forward.

12:13

So it looks like

12:20

with three quotations here. So when they use your name, it looks like it has a quote on either side. Since it's a strength. Like since the other one was an Energizer, there were no quote, single quotes around it, with the used being strings.

12:33

They do have quotations around it. So we're ending up with three quotations for use your name and passwords or that tower

12:39

creating the error. So we are gonna want to leave our quote ends. I want

12:43

quote to finish

12:46

or one equals one

12:50

on DDE.

12:52

Gonna want single quotes around these.

12:56

It is string, so one with single quotes around it equals one with one quote around it. And then that extra one

13:05

will come from the actual

13:07

log in going through the same in password

13:11

or

13:16

go,

13:16

I'm logged in. I'm logged in as usual named Mike. I don't know what Mike's password is. No clue, but I imagine Mike is the first entry in that XML. In this case, a list of users show it's a

13:31

nothing. So use your name is blank and password is blank or running with one. That's true. So the first time there is a user name and password, which should be the first user, that's what the one we get logged in us. So no password required.

13:45

Pretty cool, huh? Now we're that user

13:48

with post. We see information about them, or even if they short credit courage by things on their behalf.

13:54

Pretty cool.

13:56

That's just a little bit about injection again. There's certainly much more practice to be had on each of these. Having Web is huge. Everybody does web now, so certainly an area to spend your time There were out to Who's this nose?

14:15

The off its up before I do the next video, but I'm not sure why. I suddenly don't have connection between my to Reims. But I got my