1
00:00:01,180 --> 00:00:03,160
<v Instructor>Now let's see if we can select</v>

2
00:00:03,160 --> 00:00:06,310
and have a look at all of the accounts

3
00:00:06,310 --> 00:00:08,420
that exist within this table.

4
00:00:08,420 --> 00:00:11,910
So let's just see if we can create the database

5
00:00:11,910 --> 00:00:15,123
and read the information stored in the accounts table.

6
00:00:16,750 --> 00:00:20,100
To do that, we're going to first need

7
00:00:20,100 --> 00:00:23,060
to know the column names of the columns

8
00:00:23,060 --> 00:00:24,670
that exist within this table,

9
00:00:24,670 --> 00:00:27,270
'cause if you look at the way we're using our statement,

10
00:00:27,270 --> 00:00:31,900
we're doing union select column name from a table.

11
00:00:31,900 --> 00:00:35,500
So we still don't know what columns exist in accounts.

12
00:00:35,500 --> 00:00:36,740
Now we can try and guess

13
00:00:36,740 --> 00:00:38,870
that there's a username and a password,

14
00:00:38,870 --> 00:00:41,800
but sometimes they could have different names.

15
00:00:41,800 --> 00:00:44,500
So I'm gonna show you how you can select the columns

16
00:00:44,500 --> 00:00:45,863
for a certain table.

17
00:00:47,030 --> 00:00:50,310
The command is gonna be very similar to the tables command,

18
00:00:52,040 --> 00:00:54,610
and the only difference is instead of table name

19
00:00:54,610 --> 00:00:56,010
we're gonna say column name.

20
00:00:58,170 --> 00:00:59,550
And instead of selecting it

21
00:00:59,550 --> 00:01:02,000
from information_schema.tables,

22
00:01:02,000 --> 00:01:05,183
we're gonna select it from information_schema.columns.

23
00:01:07,980 --> 00:01:10,760
And we're gonna say where the table name

24
00:01:13,710 --> 00:01:15,320
is equal to accounts,

25
00:01:15,320 --> 00:01:17,460
'cause we're interested in the accounts table.

26
00:01:17,460 --> 00:01:20,460
If you wanted to get columns for another table,

27
00:01:20,460 --> 00:01:22,820
then you just substitute this

28
00:01:22,820 --> 00:01:25,720
with the table that you want.

29
00:01:25,720 --> 00:01:29,910
So our command is gonna be union select one, column name

30
00:01:30,780 --> 00:01:33,540
from information_schema.columns

31
00:01:33,540 --> 00:01:36,660
where the table name is the table that we're interested in,

32
00:01:36,660 --> 00:01:38,390
which is the accounts.

33
00:01:38,390 --> 00:01:40,540
And this should show us all the columns

34
00:01:40,540 --> 00:01:44,550
that exist within the accounts table.

35
00:01:44,550 --> 00:01:45,953
So let's run this command.

36
00:01:56,450 --> 00:01:59,950
And perfect, same columns that we've seen before,

37
00:01:59,950 --> 00:02:02,940
and it's cid, username, password,

38
00:02:02,940 --> 00:02:05,163
my signature, and is admin.

39
00:02:06,570 --> 00:02:08,630
Now let's take this one step further

40
00:02:08,630 --> 00:02:11,010
and select the usernames and passwords

41
00:02:11,010 --> 00:02:12,313
from the accounts table.

42
00:02:13,330 --> 00:02:16,650
So again, the command is gonna be very similar

43
00:02:16,650 --> 00:02:18,610
to what we're running at the moment.

44
00:02:18,610 --> 00:02:20,570
We're gonna be selecting,

45
00:02:20,570 --> 00:02:22,473
and we're gonna select username.

46
00:02:27,210 --> 00:02:31,620
And I'm gonna select the password for number two,

47
00:02:31,620 --> 00:02:35,933
and for number three we're going to select the is admin.

48
00:02:37,240 --> 00:02:40,390
Now remember I can't select anything instead of number one

49
00:02:40,390 --> 00:02:44,790
and number five because they're never displayed

50
00:02:44,790 --> 00:02:46,520
for me on screen.

51
00:02:46,520 --> 00:02:49,870
The only things that I see were numbers two, three, and four,

52
00:02:49,870 --> 00:02:52,320
which were displayed here: two, three, and four.

53
00:02:52,320 --> 00:02:55,070
So therefore I'm only substituting values

54
00:02:55,070 --> 00:02:57,163
for two, three, and four.

55
00:02:58,520 --> 00:03:00,620
And we're gonna select that from accounts.

56
00:03:03,030 --> 00:03:04,650
And we're not gonna need the where,

57
00:03:04,650 --> 00:03:06,150
so I'm gonna delete the where.

58
00:03:07,460 --> 00:03:10,660
So very simple statement: we're selecting username,

59
00:03:10,660 --> 00:03:14,590
password, is admin from the accounts.

60
00:03:14,590 --> 00:03:17,370
And this should return all the usernames and passwords

61
00:03:17,370 --> 00:03:19,713
that exist within the current table,

62
00:03:20,740 --> 00:03:22,783
that exist in the accounts table.

63
00:03:32,090 --> 00:03:34,873
And I have an extra quote here I'm gonna delete.

64
00:03:37,150 --> 00:03:40,380
And as you can see, we got all the usernames and passwords;

65
00:03:40,380 --> 00:03:43,230
we have the admin, and their password is adminpass.

66
00:03:43,230 --> 00:03:46,310
We have other users and we have their passwords,

67
00:03:46,310 --> 00:03:49,243
and it's also telling us whether they are admins or not.

68
00:03:50,560 --> 00:03:53,120
This is very useful because in most websites,

69
00:03:53,120 --> 00:03:54,500
when you log in as admin,

70
00:03:54,500 --> 00:03:57,450
you have so many more privileges than a normal person.

71
00:03:57,450 --> 00:04:00,610
And then you'd be able to upload PHP shells,

72
00:04:00,610 --> 00:04:03,770
or backdoors, viruses, whatever you wanna do really,

73
00:04:03,770 --> 00:04:05,733
and then further exploit the system.

74
00:04:07,330 --> 00:04:09,140
So at the moment I can actually log in

75
00:04:09,140 --> 00:04:13,223
with the username admin and a password adminpass.

76
00:04:14,870 --> 00:04:17,743
And it's gonna accept that because it's correct.

77
00:04:20,750 --> 00:04:23,500
So no matter how complicated the password was,

78
00:04:23,500 --> 00:04:25,400
we're just gonna be able to read it

79
00:04:25,400 --> 00:04:28,283
because we're reading it straight from the database.