1

00:00:01,730  -->  00:00:02,580
<v Instructor>Okay.</v>
2

00:00:02,580  -->  00:00:05,110
So now let's try and determine
3

00:00:05,110  -->  00:00:07,460
how many columns are being selected
4

00:00:07,460  -->  00:00:09,705
into this page so how much information
5

00:00:09,705  -->  00:00:13,920
is being selected and displayed on this page?
6

00:00:13,920  -->  00:00:17,210
So to do that, we're going to use the order by command.
7

00:00:17,210  -->  00:00:18,740
So we did order by one
8

00:00:18,740  -->  00:00:21,690
and that returned something that was acceptable
9

00:00:21,690  -->  00:00:24,380
and order by 100,000 gave us an error.
10

00:00:24,380  -->  00:00:26,623
So let's try and do order by 10.
11

00:00:28,120  -->  00:00:29,870
And we still get an error.
12

00:00:29,870  -->  00:00:32,413
So I'm gonna do an order by five.
13

00:00:33,500  -->  00:00:34,890
And that works.
14

00:00:34,890  -->  00:00:38,550
So let's try to do an order by six
15

00:00:38,550  -->  00:00:39,790
and that gives an error.
16

00:00:39,790  -->  00:00:41,550
So by doing this,
17

00:00:41,550  -->  00:00:43,624
we know that there are five columns
18

00:00:43,624  -->  00:00:47,440
or are being selected from a certain table
19

00:00:47,440  -->  00:00:48,840
and it's the accounts table
20

00:00:50,810  -->  00:00:52,683
and displayed on this page.
21

00:00:53,620  -->  00:00:57,360
So let's try and build our own select statement
22

00:00:57,360  -->  00:01:00,403
and get it to be executed on the target computer.
23

00:01:01,740  -->  00:01:04,330
So let's come here and try to build it there.
24

00:01:04,330  -->  00:01:06,380
So at the moment, the statement
25

00:01:06,380  -->  00:01:08,540
is select star from accounts
26

00:01:08,540  -->  00:01:12,740
where username is equal to zaid
27

00:01:12,740  -->  00:01:14,730
and we're doing an order by one.
28

00:01:14,730  -->  00:01:17,270
So let's see if we can fix that
29

00:01:17,270  -->  00:01:19,733
and get it to select something that we like.
30

00:01:21,560  -->  00:01:23,670
So the normal way to select stuff
31

00:01:23,670  -->  00:01:25,323
is using this format.
32

00:01:26,620  -->  00:01:29,740
But because we're trying to do multiple selects
33

00:01:29,740  -->  00:01:31,920
and we're trying to do it from the URL,
34

00:01:31,920  -->  00:01:35,100
we're gonna have to use a union first
35

00:01:35,100  -->  00:01:36,943
and then we're gonna say select.
36

00:01:38,610  -->  00:01:41,010
Then we need to imagine what's happening
37

00:01:41,010  -->  00:01:42,230
on this application.
38

00:01:42,230  -->  00:01:43,920
So in this web application,
39

00:01:43,920  -->  00:01:47,130
we know that there are five records being selected.
40

00:01:47,130  -->  00:01:50,150
So there are five columns that are being selected.
41

00:01:50,150  -->  00:01:51,880
So we're doing one,
42

00:01:51,880  -->  00:01:54,620
two, three, four, five
43

00:01:54,620  -->  00:01:57,560
and we got that by the order by command.
44

00:01:57,560  -->  00:01:59,380
So let's run this
45

00:01:59,380  -->  00:02:00,430
and see what happens.
46

00:02:12,030  -->  00:02:13,973
And I spelled union wrong.
47

00:02:25,020  -->  00:02:27,860
And as you can see now, the selection was right
48

00:02:27,860  -->  00:02:29,270
and we got the first selection
49

00:02:29,270  -->  00:02:33,030
so the first selection that this line does
50

00:02:33,030  -->  00:02:37,250
has been done and then it did the union
51

00:02:37,250  -->  00:02:41,160
so it combined that selection with another selection
52

00:02:41,160  -->  00:02:42,510
and it showed us something else
53

00:02:42,510  -->  00:02:43,610
and as you can see here,
54

00:02:43,610  -->  00:02:46,100
we're only seeing two, three and four.
55

00:02:46,100  -->  00:02:49,280
And what that means is whatever value you put in number two,
56

00:02:49,280  -->  00:02:50,980
or three or four,
57

00:02:50,980  -->  00:02:52,530
whatever you want to select,
58

00:02:52,530  -->  00:02:55,540
if you put it in there, it's going to be displayed
59

00:02:55,540  -->  00:02:58,720
in this page in this particular location.
60

00:02:58,720  -->  00:03:00,510
And you can see here you have results
61

00:03:00,510  -->  00:03:02,420
for two so whenever you put in two
62

00:03:02,420  -->  00:03:05,123
will also be shown in here.
63

00:03:07,800  -->  00:03:10,530
So let's try to see our database
64

00:03:10,530  -->  00:03:11,590
so instead of number two,
65

00:03:11,590  -->  00:03:13,343
I'm gonna say database,
66

00:03:15,180  -->  00:03:18,070
and instead of number three, I'm gonna say username
67

00:03:20,320  -->  00:03:23,520
or user and instead of number four,
68

00:03:23,520  -->  00:03:24,763
I'm gonna do version.
69

00:03:25,600  -->  00:03:28,572
And this will select the current database,
70

00:03:28,572  -->  00:03:32,160
the current user privileges that we have
71

00:03:32,160  -->  00:03:35,040
and the version of the database.
72

00:03:35,040  -->  00:03:36,890
So let's see if this gets executed
73

00:03:36,890  -->  00:03:38,340
and then we'll talk about it.
74

00:03:44,830  -->  00:03:49,150
Okay, cool so the username is showing up as owasp10
75

00:03:49,150  -->  00:03:50,960
and that was number two
76

00:03:50,960  -->  00:03:54,753
so that is the database that we're looking for.
77

00:03:54,753  -->  00:03:57,940
So the database is owasp10.
78

00:03:57,940  -->  00:04:01,870
The current user that we're logged in as is root@localhost
79

00:04:01,870  -->  00:04:03,720
so we're the root user
80

00:04:03,720  -->  00:04:06,260
and in the signature, so this stuff
81

00:04:07,168  -->  00:04:08,001
are actually dominating.
82

00:04:08,001  -->  00:04:09,110
We're only concerned about this
83

00:04:09,110  -->  00:04:10,640
and what we injected.
84

00:04:10,640  -->  00:04:11,920
And we injected the version
85

00:04:11,920  -->  00:04:16,920
and we can see this is the version of MySQL, so it's 5.0.51.
86

00:04:17,030  -->  00:04:19,760
So at the moment, we know that our database
87

00:04:19,760  -->  00:04:22,330
that we're connected to is owasp10.
88

00:04:22,330  -->  00:04:25,326
Usually in most real-life scenarios,
89

00:04:25,326  -->  00:04:28,680
each database is assigned to a certain user.
90

00:04:28,680  -->  00:04:31,810
So usually you're only able to select stuff,
91

00:04:31,810  -->  00:04:34,710
tables, columns, data that is located
92

00:04:34,710  -->  00:04:36,433
in this current database.
93

00:04:37,480  -->  00:04:39,610
At the moment we're logged in as root
94

00:04:39,610  -->  00:04:41,710
so this web application
95

00:04:41,710  -->  00:04:43,830
has been connected to the database
96

00:04:43,830  -->  00:04:48,010
as root so therefore we can actually access other databases
97

00:04:48,010  -->  00:04:50,690
but this doesn't really happen in real-life scenarios.
98

00:04:50,690  -->  00:04:55,690
Usually each user has their own database.
99

00:04:55,800  -->  00:04:59,360
So when they connect a web application to a database,
100

00:04:59,360  -->  00:05:01,430
they're connected to one database
101

00:05:01,430  -->  00:05:04,310
and therefore you won't be able to access other databases.
102

00:05:04,310  -->  00:05:05,490
So we're gonna consider that.
103

00:05:05,490  -->  00:05:08,860
We're gonna assume that we only have access
104

00:05:08,860  -->  00:05:12,720
to owasp10 which is our current database
105

00:05:12,720  -->  00:05:14,172
for this current website.
106

00:05:14,172  -->  00:05:17,773
And that the username is root@localhost.
107

00:05:19,409  -->  00:05:20,360
In the next videos,
108

00:05:20,360  -->  00:05:23,030
we'll see how we can further exploit this
109

00:05:23,030  -->  00:05:26,143
and do more powerful select statements.
