Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers SQL injection. SQL injection allows code to be injected into SQL statements, which allows for hacking into databases. This lesson gives step-by-step instructions using the sqlmap command, which is one of the most popular tools for SQL injection.
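The lesson's vulnerable lookup builds its query by string concatenation (select * from BookMaster where BookID = + BookID). As an added illustration that is not part of the course page or its demo application, the snippet below recreates a small in-memory SQLite BookMaster table with constructed sample rows and contrasts that concatenated query with a validated, parameterized one, showing why the single-quote probe and the "or 1=1--" input break the first but not the second.

```python
import sqlite3

# Constructed sample rows standing in for the lesson's book catalogue (hypothetical data).
BOOKS = [
    (1, "Book One", "Author A"),
    (2, "Book Two", "Author B"),
    (3, "Book Three", "Author C"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with a BookMaster table shaped like the lesson's query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE BookMaster (BookID INTEGER PRIMARY KEY, Title TEXT, Author TEXT)")
    conn.executemany("INSERT INTO BookMaster VALUES (?, ?, ?)", BOOKS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, book_id: str):
    """Concatenation as in the lesson: the request value becomes part of the SQL text.

    Returns the matching rows, or the database error text. A stray quote produces a
    syntax error (the lesson's 'unclosed quotation mark'); 'or 1=1--' widens the WHERE
    clause to every row and comments out the rest of the statement.
    """
    sql = "SELECT * FROM BookMaster WHERE BookID = " + book_id
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # Returning this text to the browser is what let the lesson read the query back;
        # a hardened app logs it server-side and shows the user a generic message.
        return f"ERROR: {exc} in: {sql}"


def lookup_safe(conn: sqlite3.Connection, book_id: str):
    """Validate the type, then bind the value as a parameter so it can never alter the SQL.

    Returns None for anything that is not an integer; the web handler would map that
    to a 400 response instead of echoing the input.
    """
    try:
        value = int(book_id)
    except ValueError:
        return None
    return conn.execute("SELECT * FROM BookMaster WHERE BookID = ?", (value,)).fetchall()
```

Both the quote probe and the "2 or 1=1--" input are rejected before any SQL runs in lookup_safe, whereas lookup_vulnerable leaks the query in one case and every row in the other.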

Video Transcription

00:04
All right, let's take a look at injection. There's lots of different kinds of injection; probably the most well known is something called SQL injection, which allows us to inject code into SQL statements for acting on databases.
00:18
But there's also other forms of injection: LDAP injection, XPath injection.
00:26
It's a different kind of injection, so let's take a look at a couple here. We've got a couple of injection issues on this site.
00:35
Typically, where one goes first of all for injection is actually the login.
00:43
The login does have an injection issue. It's just not a SQL injection issue.
00:49
So we want to start with SQL injections on the home page. Pick one of these books and click on it and get more details.
00:58
It says up here ID equals two in this case, so it is probably going to pick books out of a database and spell out this information based on what's in the database.
01:11
So what I want to do, the first thing I check when trying to do a SQL injection, is just put a single quotation mark, a single quote, at the end. This should cause the SQL syntax to break.
01:30
If it is vulnerable to SQL injection... If they're using SQL correctly, this should be filtered out: any of my special characters will be filtered out, so it will still pull up two and filter that out somehow, or pull up nothing, possibly, depending on how it filters.
01:49
But if it is vulnerable to SQL injection and accepts that single quote, then it should break the SQL syntax and it should throw an error.
02:00
Sure enough, I get an error: unclosed quotation mark after the character string. So we even get some code that says I'm a SqlDataAdapter. It has what my SQL statement is: select * from BookMaster where BookID = plus BookID, my connection string, and it wants the book ID, which in this case was two.
02:29
But then I broke it with a colon... you know, not a semicolon, a quote.
02:38
So based on that, we should be able to create a valid SQL statement.
02:52
What we do is play with the errors. We can do, like, two or one in (select db_name()).
03:08
We can just tell based on this error that this is gonna be MS SQL. So we need to talk in MS SQL. So depending on what kind of database you get, you wanna change your syntax. There's dash dash at the end.
03:20
That's gonna be, that's like a comment for SQL. So everything after this, all this semicolon et cetera, is gonna be gotten rid of.
03:31
So we close here the parens for the... not parens... where... you still want the parentheses in there.
03:46
This is still gonna throw an error, but it should give us data in the error. So: conversion failed when converting the nvarchar value 'BookApp' to data type int. And so the DB name is BookApp.
04:03
That looks like it has the table called BookMaster.
04:12
We could do what we put in: two or one equals one.
04:23
So even though we put in two, we actually ended up with book ID one, because we put in "two or one equals one" and commented out the rest, so the first thing that's gonna come up... Basically, one equals one is always true, so "two or true". So the first thing in the database list that comes up, two or true, is gonna be the first entry.
04:43
So we ended up with the first entry, which is not as interesting here because we just got another book. But when we get to the XPath injection for the login, that will be pretty interesting. So one equals one is always... when I go for it, it'll just make everything true.
05:00
It can make things rather nice for us. So we saw an example of being able to get data out and an example of manipulating what it gives us.
05:10
So another tool I like to use for SQL injection, because in order to do SQL injection well, you have to know SQL. So there's a ton of things you can do with SQL injection, but like I said, you have to be pretty proficient at your SQL commands to do it, to know what you're doing.
05:30
I like to use a tool called sqlmap to help me with my lack of skill in SQL.
05:39
So, sqlmap -u, and give it the URL I want, and give it an injection point. What is it? Detail.aspx and id equals something. It said it wants id equals two,
06:05
and we have a lot of different options; read the help pages on this. But --dump dumps the database.
06:15
Oops, I didn't close my quotation marks there.
06:25
So what this is gonna do is it's going to take the injection point that we give it, try it for a SQL injection, and if it works, it'll do whatever we asked it to.
06:35
Could be Microsoft SQL Server. Do you want to skip tests that are specific to other databases? Yes.
06:46
Yes, that's fine.
07:00
Grinds through. The id parameter is indeed injectable.
07:12
Oh, so you know that Stanley prouder there is anyways,
07:15
So since I told it to dump, it actually will dump out the entire database, which in this instance is just books again. It's not particularly interesting, but it's an example.
07:26
I thought we could do, if it was a user database and they weren't using salted encryption, or even if they were, we saw in the password section that we have some options there. As long as they're not using good salting, we still may be able to get some stuff out really easily.
07:43
We have some other options besides dump as well. Like one we might like is --os-shell, which, as the name implies, is actually going to use the database to try and get a shell on the underlying system. So we've got a couple of shells on our Windows 7 system already, but we could certainly use more, and MS SQL generally runs as a really privileged user, so it could save us the trouble of going through the post-exploitation steps if it's already running as SYSTEM.
08:16
So this is the xp_cmdshell. The command shell procedure does not seem to be available, so that on newer versions of MS SQL is true because, well, people were using it maliciously, like we are, just opening up a command shell. It's off by default on newer versions of MS SQL. That said, you may be able to re-enable it in the default configuration. You can just turn it back on.
08:43
So also, yes, do you want to re-enable it?
09:05
Sure.
09:07
All right, so we got our shell.
09:11
Cool.
09:13
So how about whoami?
09:16
Yes, I want to retrieve the output. I'm SYSTEM. So, you know, at that point...
09:22
Yeah.
09:22
Users.
09:33
Not many local users, but... were there more than that.
09:48
Um, so much
09:50
cool.
09:54
You know all this already?
09:56
Long
10:11
aggressions.
10:13
Oh, that's not working. What I would like... but we could always do, like, ipconfig. First, there's our IP address information. So I mean, we saw all this in the post-exploitation section, but we do have system-level access for this.
10:33
That's cool.
10:35
So SQL injection is one that's pretty big. If you're not developing correctly in terms of security, you can have issues like this. I've done it myself, you know, it's just like, I need to get this web front end working right now because I have to present the tool tomorrow and I'll fix it later, kind of thing, and you can end up with SQL injection issues like this. So it does still happen.
11:03
Hopefully your application developers are doing a better job now. It is pretty well known about security issues in web applications. That said, easy issues like this happen all the time in applications.
11:16
No rule that says you can't have issues in yours.
11:22
All right, so let's take a look at login. I mentioned this is actually using XML authentication, so it's gonna be a little bit different, but the logistics are the same. So I get my user input fields, and I'm just gonna put single quotes in both of them, go get my error: users/user[@name and password has an invalid token. Well, here's how it was setting it up. How nice that it gives us the source code, right?
11:56
The string credential, username and password. So it is using XML with XPath, but we should be able to attack it in the same way. So I put in one single quote, but it does go forward.
12:13
So it looks like, with three quotations here... so with the username, it looks like it has a quote on either side, since it's a string. Like, since the other one was an integer, there were no single quotes around it; with these being strings, they do have quotations around it. So we're ending up with three quotations for username and password, so that's what's creating the error.
12:39
So we are gonna want to leave our quote in. We want a quote to finish, or one equals one, and we're gonna want single quotes around these.
12:56
It is a string, so one with single quotes around it equals one with one quote around it. And then that extra one will come from the actual login going through. The same in password.
13:11
Or... go. I'm logged in. I'm logged in as user named Mike. I don't know what Mike's password is, no clue, but I imagine Mike is the first entry in that XML, in this case a list of users. So it's nothing: username is blank and password is blank, or one equals one, that's true. So the first time there is a username and password, which should be the first user, that's the one we get logged in as. So no password required.
13:45
Pretty cool, huh? Now we're that user with post. We see information about them, or even, if they stored credit cards, buy things on their behalf.
13:54
Pretty cool.
13:56
That's just a little bit about injection. Again, there's certainly much more practice to be had on each of these. Hacking web is huge; everybody does web now, so it's certainly an area to spend your time. I'll have to troubleshoot this before I do the next video, but I'm not sure why I suddenly don't have connection between my two VMs. But I got my... I'm done for this video at least.

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor