1
00:00:01,670  -->  00:00:03,543
<v Instructor>Okay, now I'd like to show you</v>

2
00:00:03,543  -->  00:00:06,420
an SQL injection and in a different file

3
00:00:06,420  -->  00:00:07,650
and in a different page

4
00:00:07,650  -->  00:00:10,410
and I'll show you a few different things

5
00:00:10,410  -->  00:00:13,830
that you can do to exploit the vulnerability.

6
00:00:13,830  -->  00:00:18,070
So the first thing I'm going to go to the login page

7
00:00:18,070  -->  00:00:20,560
which is in here.

8
00:00:20,560  -->  00:00:21,393
User Info.

9
00:00:21,393  -->  00:00:24,400
So the first time we went to the Login page from there,

10
00:00:24,400  -->  00:00:26,330
this time we went to the User Info page.

11
00:00:26,330  -->  00:00:29,710
So this page will show you the information

12
00:00:29,710  -->  00:00:32,930
about the user provided you give the username and password.

13
00:00:32,930  -->  00:00:34,430
So I'm gonna do zaid

14
00:00:34,430  -->  00:00:37,750
and I'm gonna put my password, 123456.

15
00:00:37,750  -->  00:00:40,950
And it'll show my details, username and password

16
00:00:40,950  -->  00:00:42,243
and my signature as aa.

17
00:00:44,130  -->  00:00:45,990
So the statement that's being executed here

18
00:00:45,990  -->  00:00:48,100
is similar to what was being executed

19
00:00:48,100  -->  00:00:49,060
when you log in.

20
00:00:49,060  -->  00:00:50,948
So selecting star from accounts

21
00:00:50,948  -->  00:00:54,330
where username is what you put in the user field

22
00:00:54,330  -->  00:00:57,670
and password is what you put in the password field.

23
00:00:57,670  -->  00:00:59,730
So what we're going to do now

24
00:00:59,730  -->  00:01:02,480
is we're going to see a different way

25
00:01:02,480  -->  00:01:04,520
of exploiting this kind of vulnerability.

26
00:01:04,520  -->  00:01:05,870
In the previous video,

27
00:01:05,870  -->  00:01:10,200
we were doing it using a POST text box.

28
00:01:10,200  -->  00:01:12,180
So whatever you put in the text box

29
00:01:12,180  -->  00:01:17,000
was being posted using a POST method to the web application.

30
00:01:17,000  -->  00:01:20,230
Now, these vulnerabilities can exist in GET.

31
00:01:20,230  -->  00:01:21,360
And what I mean by GET,

32
00:01:21,360  -->  00:01:24,850
is when you do a GET, when something is sent as GET,

33
00:01:24,850  -->  00:01:27,010
you will see it here in the URL.

34
00:01:27,010  -->  00:01:28,330
So if you look at the URL here,

35
00:01:28,330  -->  00:01:31,330
you see it's being sent as the username zaid

36
00:01:31,330  -->  00:01:33,823
and password 123456.

37
00:01:35,090  -->  00:01:37,163
So let me just copy this URL here.

38
00:01:38,690  -->  00:01:40,130
And we'll start playing with it

39
00:01:40,130  -->  00:01:43,763
from the URL instead of doing it on the web page.

40
00:01:45,100  -->  00:01:46,850
I just wanna show you a different example

41
00:01:46,850  -->  00:01:48,800
'cause in many places,

42
00:01:48,800  -->  00:01:50,720
there might not even be text boxes,

43
00:01:50,720  -->  00:01:53,440
for example, it could be something like news

44
00:01:53,440  -->  00:01:56,780
and news.php, so we can see here, for example,

45
00:01:56,780  -->  00:01:59,040
in this example, it's index.php.

46
00:01:59,040  -->  00:02:00,520
And in your pen testing,

47
00:02:00,520  -->  00:02:02,929
you might see something like news.php

48
00:02:02,929  -->  00:02:06,210
and for example, id is equal to two

49
00:02:06,210  -->  00:02:09,040
and then you can try to inject stuff in there.

50
00:02:09,040  -->  00:02:10,850
So we're having an example here

51
00:02:10,850  -->  00:02:12,960
where we're gonna be injecting things

52
00:02:12,960  -->  00:02:16,090
into the username field which is this field

53
00:02:16,090  -->  00:02:19,213
and we're gonna be injecting stuff in here.

54
00:02:20,330  -->  00:02:22,580
So any time when you're doing your pen test,

55
00:02:22,580  -->  00:02:24,850
any time you see parameters like this,

56
00:02:24,850  -->  00:02:26,020
you should try to inject them.

57
00:02:26,020  -->  00:02:27,520
Anytime you see something .php

58
00:02:28,550  -->  00:02:30,860
and then you have a parameter equals something,

59
00:02:30,860  -->  00:02:33,320
then always try to inject stuff in there

60
00:02:33,320  -->  00:02:34,720
and see if it works for you.

61
00:02:35,610  -->  00:02:39,000
So we've also seen a way of discovering the injection

62
00:02:39,000  -->  00:02:42,180
and that was using the quotation mark

63
00:02:42,180  -->  00:02:43,530
and using the and.

64
00:02:43,530  -->  00:02:46,410
So we do a false and a true and

65
00:02:46,410  -->  00:02:47,520
and one is equal to one

66
00:02:47,520  -->  00:02:49,290
and then and one is equal to two

67
00:02:49,290  -->  00:02:52,640
and if the server is executing what we want,

68
00:02:52,640  -->  00:02:56,110
then we're gonna know that there's an SQL injection.

69
00:02:56,110  -->  00:02:57,210
I'm gonna show you another way

70
00:02:57,210  -->  00:02:59,240
of discovering these exploits

71
00:02:59,240  -->  00:03:02,060
and it's using the order by.

72
00:03:02,060  -->  00:03:03,580
As the name suggests,

73
00:03:03,580  -->  00:03:06,030
the order by statement is used

74
00:03:06,030  -->  00:03:09,690
to order the results that we get on the screen based

75
00:03:09,690  -->  00:03:12,040
on a specific column.

76
00:03:12,040  -->  00:03:14,890
So our injection's going to be like this.

77
00:03:14,890  -->  00:03:18,677
So I'm gonna do order by one.

78
00:03:21,410  -->  00:03:25,580
So this, if the injection exists,

79
00:03:25,580  -->  00:03:26,700
this should work

80
00:03:26,700  -->  00:03:29,180
because in each select statement,

81
00:03:29,180  -->  00:03:32,410
there should be at least one column being selected.

82
00:03:32,410  -->  00:03:34,290
Therefore when we say order by one,

83
00:03:34,290  -->  00:03:37,100
we're saying I want to order the results based

84
00:03:37,100  -->  00:03:38,450
on the first column,

85
00:03:38,450  -->  00:03:41,490
therefore, this should always be acceptable

86
00:03:41,490  -->  00:03:43,070
by the database.

87
00:03:43,070  -->  00:03:45,963
And return a true or something that we expect.

88
00:03:47,210  -->  00:03:49,210
We also need to add the comment in here

89
00:03:50,160  -->  00:03:51,960
and execute this code.

90
00:03:51,960  -->  00:03:53,560
So it's exactly like before.

91
00:03:53,560  -->  00:03:55,060
So when we're doing this,

92
00:03:55,060  -->  00:03:59,320
basically this is our URL

93
00:03:59,320  -->  00:04:01,290
and what's gonna happen on the database,

94
00:04:01,290  -->  00:04:03,050
so this is the code that's being executed

95
00:04:03,050  -->  00:04:06,253
on the database, it's going to look like this.

96
00:04:13,370  -->  00:04:15,610
So it's gonna be select star from accounts

97
00:04:15,610  -->  00:04:17,730
where username is equal to zaid

98
00:04:17,730  -->  00:04:20,690
and note how this is closing the quote

99
00:04:20,690  -->  00:04:25,230
and we're gonna do an order by one

100
00:04:25,230  -->  00:04:27,590
and there shouldn't be this code for the and,

101
00:04:27,590  -->  00:04:32,250
and this comment will tell the SQL interpreter

102
00:04:32,250  -->  00:04:34,240
to ignore anything that comes in after it

103
00:04:34,240  -->  00:04:36,163
so all of this is going to be ignored.

104
00:04:39,750  -->  00:04:41,283
So I'm copying this.

105
00:04:45,970  -->  00:04:48,670
So you can actually paste this injection

106
00:04:48,670  -->  00:04:50,520
for zaid order by one

107
00:04:50,520  -->  00:04:53,280
into the name right here and that's gonna work

108
00:04:53,280  -->  00:04:55,540
but again, I just wanna show you a different way

109
00:04:55,540  -->  00:04:58,320
of doing it by injecting it through the browser.

110
00:04:58,320  -->  00:05:00,000
Another thing that I want you to note

111
00:05:00,000  -->  00:05:01,230
is when you're injecting stuff

112
00:05:01,230  -->  00:05:06,230
into the browser, the code should be encoded.

113
00:05:06,480  -->  00:05:09,290
So for example, this sign usually,

114
00:05:09,290  -->  00:05:10,930
when you put it on the URL,

115
00:05:10,930  -->  00:05:13,063
it should be written as %23.

116
00:05:13,970  -->  00:05:17,230
Spaces, for example, get converted to %20

117
00:05:17,230  -->  00:05:22,060
and %23 is the comment that we're using.

118
00:05:22,060  -->  00:05:25,763
So I'm gonna copy that and replace my comment sign with it.

119
00:05:27,770  -->  00:05:29,690
Now, you can google HTTP Encoder

120
00:05:29,690  -->  00:05:31,590
and you'll see online there's online tools

121
00:05:31,590  -->  00:05:33,730
that'll just convert this for you.

122
00:05:33,730  -->  00:05:36,730
For me now I know that the hashtag

123
00:05:36,730  -->  00:05:39,200
can be converted to %20.

124
00:05:39,200  -->  00:05:41,260
So that's why I'm using it there.

125
00:05:41,260  -->  00:05:42,893
And I'm gonna hit Enter.

126
00:05:44,700  -->  00:05:45,590
And as you can see now,

127
00:05:45,590  -->  00:05:47,653
we're seeing something that's acceptable.

128
00:05:50,200  -->  00:05:53,040
Nothing wrong and then it's showing me the information

129
00:05:53,040  -->  00:05:56,340
about zaid 123456 and showing me the signature.

130
00:05:56,340  -->  00:05:58,000
So it is ignoring the password,

131
00:05:58,000  -->  00:05:59,640
so the injection worked

132
00:05:59,640  -->  00:06:01,440
and it's ordering by one

133
00:06:01,440  -->  00:06:03,570
so it's not showing me anything wrong.

134
00:06:03,570  -->  00:06:06,760
Let's try to make this number one a very large number,

135
00:06:06,760  -->  00:06:09,980
so I'll put in 10,000 or 100,000 now.

136
00:06:09,980  -->  00:06:11,200
So what we're saying right now

137
00:06:11,200  -->  00:06:13,520
is I want you to order the results

138
00:06:13,520  -->  00:06:16,890
that will be returned by the current select statement

139
00:06:16,890  -->  00:06:19,460
based on column 100,000.

140
00:06:19,460  -->  00:06:22,970
Now chances are there aren't 100,000 columns used

141
00:06:22,970  -->  00:06:24,760
in this select statement

142
00:06:24,760  -->  00:06:27,640
and therefore this should return an error.

143
00:06:27,640  -->  00:06:29,270
So when I execute this,

144
00:06:29,270  -->  00:06:31,300
you'll see that there is an error.

145
00:06:31,300  -->  00:06:33,563
And the error is in the order clause.

146
00:06:34,710  -->  00:06:39,090
And still there is an Unknown column for 100,000

147
00:06:39,090  -->  00:06:40,913
and this is great 'cause now we know

148
00:06:40,913  -->  00:06:43,560
that the database is executing what we want.

149
00:06:43,560  -->  00:06:45,770
So when we told it to order the results based

150
00:06:45,770  -->  00:06:48,450
on the first column, it showed us results.

151
00:06:48,450  -->  00:06:50,590
So it followed what we told it

152
00:06:50,590  -->  00:06:51,770
and then when we told it

153
00:06:51,770  -->  00:06:54,910
to order the results based on a column

154
00:06:54,910  -->  00:06:57,870
that does not exist, it gave us an error.

155
00:06:57,870  -->  00:07:01,173
So it's obviously vulnerable to SQL injections.
