1
00:00:00,810 --> 00:00:07,290
Now we've seen how to extract data using SQL injection. You can increase the security to level one,

2
00:00:07,830 --> 00:00:13,360
but you can exploit this exactly the same way that you exploited level zero.

3
00:00:13,710 --> 00:00:19,230
And if you increase the security level to five, it's actually very secure. It's going to be as secure

4
00:00:19,650 --> 00:00:26,980
as the web login that we've seen in the login bypass; it uses mysql_real_escape_string

5
00:00:26,990 --> 00:00:30,500
combined with single quotes and double quotes.

6
00:00:30,510 --> 00:00:32,620
So it's pretty much uninjectable.

7
00:00:32,730 --> 00:00:38,730
What I want to show you in this lecture is a trickier SQL injection, and I'm going to show you that

8
00:00:38,790 --> 00:00:42,130
in DVWA instead of Mutillidae.

9
00:00:42,540 --> 00:00:44,160
So I'm going to close this,

10
00:00:47,460 --> 00:00:53,550
and we're here on DVWA anyway, and I'm just going to go down to the security level and I'll make sure

11
00:00:53,550 --> 00:00:55,890
that that's set to low.

12
00:00:56,460 --> 00:01:00,930
Now I'm actually interested in the medium level, but I'm going to show you how to exploit this in the

13
00:01:00,930 --> 00:01:04,940
low level just so that the information flows properly.

14
00:01:04,980 --> 00:01:08,910
So I'm going to go to the SQL injection.

15
00:01:08,990 --> 00:01:13,400
I'm just going to put number one in here.

16
00:01:13,540 --> 00:01:18,880
Now as you can see we get a valid page giving us the first name and the surname of the user

17
00:01:18,880 --> 00:01:20,390
ID that we've given.

18
00:01:20,530 --> 00:01:25,330
Now I can inject this in the POST, in the box here, or in the URL, and I'm going to inject it

19
00:01:25,330 --> 00:01:29,360
into the URL, and I'm going to put a single quote here.
20
00:01:30,950 --> 00:01:36,050
And as you can see we get an error telling us that there is an error in the statement, which means that

21
00:01:36,050 --> 00:01:42,470
there is an SQL injection here. We can verify it by adding a true statement, saying and one is equal to

22
00:01:42,470 --> 00:01:45,350
one, which should give me...

23
00:01:45,470 --> 00:01:47,420
I actually forgot to add my comment here.

24
00:01:47,420 --> 00:01:53,570
So we're just going to add the comment, so the true statement should actually give me a normal valid

25
00:01:53,570 --> 00:01:55,950
web page like we see here.

26
00:01:55,970 --> 00:01:59,170
So it's given us the first name and the second name properly.

27
00:01:59,330 --> 00:02:04,070
Now if I say one is equal to zero, which is invalid, it should give me an invalid page.

28
00:02:04,100 --> 00:02:10,160
And here we go, again an invalid page, which means that the ID parameter here is injectable and

29
00:02:10,160 --> 00:02:13,190
the page is doing what we're asking it to do.

30
00:02:13,190 --> 00:02:20,350
We can also verify this using the order by one, and then we can say order by a very large number

31
00:02:20,360 --> 00:02:22,530
and it should give us an invalid page.

32
00:02:24,220 --> 00:02:29,920
And here we go. That means this web page is definitely vulnerable to SQL injections.

33
00:02:29,920 --> 00:02:33,060
Now I'm going to try to determine the number of columns, and I'll try with three.

34
00:02:33,280 --> 00:02:35,690
And this is telling us "unknown column".

35
00:02:35,770 --> 00:02:40,300
Let's try to put two, and the page is valid.

36
00:02:40,320 --> 00:02:45,660
So that means we have two columns in this page, so we can build our union select statement.

37
00:02:45,660 --> 00:02:50,050
Now you can see I actually have them built already and I'm able to select everything.

38
00:02:50,170 --> 00:02:51,940
But I just want to show it to you again.
39
00:02:53,560 --> 00:02:59,380
So I'm just going to have the union select statement with you actually here, so I'm just going to say

40
00:02:59,380 --> 00:03:09,870
union and then select one, two, and we can see that we can display stuff in one and in two.

41
00:03:09,980 --> 00:03:12,770
So I'm going to select the database in one,

42
00:03:17,620 --> 00:03:21,630
and we can see that my database name is dvwa.

43
00:03:22,210 --> 00:03:30,160
So I can go ahead and try to select all the tables using my information_schema tables, so the query

44
00:03:30,160 --> 00:03:35,770
is going to be very similar to the query we're running here with DVWA, and the only difference

45
00:03:35,770 --> 00:03:44,710
is that the table_schema is going to be set to dvwa instead of owasp10, so I'm going to paste that here.

46
00:03:44,710 --> 00:03:50,850
And as you can see I can get my tables, which are guestbook and users.

47
00:03:51,040 --> 00:03:57,070
Now we can go ahead and try to select and find the columns for each of these tables using the same statement

48
00:03:57,070 --> 00:03:59,110
that we used in the previous lecture.

49
00:03:59,110 --> 00:04:01,660
I'm not going to run it now because I've already run it.

50
00:04:01,990 --> 00:04:07,020
And if the tables statement is right, then the columns statement is going to run.

51
00:04:07,240 --> 00:04:13,360
So I've already found that there is a username and password column in the users table, and I'm just

52
00:04:13,360 --> 00:04:20,050
going to run this statement to select the username and password just to show you what's going to happen.

53
00:04:22,690 --> 00:04:28,180
And as you can see we can select the usernames and passwords for all the users that we have in the users

54
00:04:28,180 --> 00:04:28,840
table.

55
00:04:29,890 --> 00:04:34,600
Now I'm actually not interested in any of this because we've done all of that before with Mutillidae.
56
00:04:34,770 --> 00:04:39,770
What I want to show you is how to run these statements with the medium security level.

57
00:04:39,850 --> 00:04:43,220
So I just wanted to do this to show you how it works on the low.

58
00:04:43,220 --> 00:04:51,570
And now I'm going to go ahead and change the security level to medium.

59
00:04:51,810 --> 00:04:53,280
And now I can go to

60
00:04:53,290 --> 00:04:56,140
SQL injection, OK.

61
00:04:56,160 --> 00:04:59,250
And we're going to try to discover it the same way that we did before.

62
00:04:59,340 --> 00:05:03,800
So I'm going to go with number one first to see a valid page, and this is a valid page.

63
00:05:03,870 --> 00:05:10,300
Now I'm going to try to put a single quote after the one. As you can see now we're getting an error, but

64
00:05:10,310 --> 00:05:11,390
this error is different.

65
00:05:11,390 --> 00:05:16,460
It's actually complaining about the existence of the single quote.

66
00:05:16,470 --> 00:05:22,660
So let's try to put an "and" into it, and one is equal to one, like we did before,

67
00:05:25,140 --> 00:05:32,420
and close it with our comment, and this should actually show us a valid page. As you can see now it's

68
00:05:32,420 --> 00:05:33,940
not showing us a valid page.

69
00:05:33,980 --> 00:05:39,380
It's actually still giving us an invalid page, even though we said one is equal to one, which shouldn't

70
00:05:39,380 --> 00:05:43,140
affect our statement or our query.

71
00:05:43,190 --> 00:05:47,350
So let's try to put the HTTP code for the quote

72
00:05:47,390 --> 00:05:53,650
instead of using a quote, so I'm going to put percent 27 and see if that will bypass any security

73
00:05:53,660 --> 00:05:59,660
maybe they're using. And again I'm still getting the same problem, still complaining about the

74
00:05:59,660 --> 00:06:01,190
quote.

75
00:06:01,210 --> 00:06:03,850
So let's try and play more with this.
76
00:06:03,850 --> 00:06:09,370
Now as I said, exploiting SQL injections can vary from website to website depending on the way it's

77
00:06:09,370 --> 00:06:10,540
implemented.

78
00:06:10,540 --> 00:06:13,090
So there is a lot of trial and error in this.

79
00:06:13,360 --> 00:06:19,590
So let's try and remove the quote and see if that'll actually fix our problem and make it injectable.

80
00:06:22,210 --> 00:06:22,560
Great.

81
00:06:22,570 --> 00:06:24,870
Now this has given us a valid page.

82
00:06:24,880 --> 00:06:29,980
Now let's try to change it and say one is equal to two and see what happens.

83
00:06:31,740 --> 00:06:34,190
And yes, this has given us an invalid page.

84
00:06:34,350 --> 00:06:37,470
So the website is responding to what we are saying.

85
00:06:37,470 --> 00:06:43,260
The only difference now is that we're not using the quote. We're just injecting it straight away after

86
00:06:43,260 --> 00:06:46,510
the ID, after the number, OK.

87
00:06:46,520 --> 00:06:49,840
So let's go ahead and try to build our union select.

88
00:06:49,850 --> 00:06:59,250
So I'm going to type in union select one, two. Yep, that looks like we can write stuff in number one

89
00:06:59,310 --> 00:07:00,960
and number two.

90
00:07:00,960 --> 00:07:04,110
So let's try to select a table name

91
00:07:07,840 --> 00:07:13,440
from information_schema tables, like we always do, just to get all the tables that we need.

92
00:07:15,670 --> 00:07:16,500
And here we go.

93
00:07:16,510 --> 00:07:19,990
We're getting all the tables just like we got them before.