1
00:00:00,810 --> 00:00:07,290
Now is seen how to extract data using unskilled injection you can increase the security to level one

2
00:00:07,830 --> 00:00:13,360
but you can exploit this exactly the same way that you exploited level zero.

3
00:00:13,710 --> 00:00:19,230
And if you increased the security level to five it's actually very secure it's going to be as secure

4
00:00:19,650 --> 00:00:26,980
as the web log in that we've seen in the log in bypass or uses the my Eskew I'll escape real escapes

5
00:00:26,990 --> 00:00:30,500
strength combined with single quotes and double quotes.

6
00:00:30,510 --> 00:00:32,620
So it's pretty much on injectable.

7
00:00:32,730 --> 00:00:38,730
What I want to show you in this lecture is a trickier a skill injection and I'm going to show you that

8
00:00:38,790 --> 00:00:42,130
in the VW instead of Matilda.

9
00:00:42,540 --> 00:00:44,160
So I'm going to close this

10
00:00:47,460 --> 00:00:53,550
and we're here on DVD anyway and I'm just going to go down to the security level and I'll make sure

11
00:00:53,550 --> 00:00:55,890
that that's set too low.

12
00:00:56,460 --> 00:01:00,930
Now I'm actually interested in the medium level but I'm going to show you how to exploit this in the

13
00:01:00,930 --> 00:01:04,940
low level just so that the information flows properly.

14
00:01:04,980 --> 00:01:08,910
So I'm going to go to the skill injection.

15
00:01:08,990 --> 00:01:13,400
I'm just going to put number one in here.

16
00:01:13,540 --> 00:01:18,880
Now as you can see we get to vanish valid page giving us the first name and the surname of the user

17
00:01:18,880 --> 00:01:20,390
ID that we give given.

18
00:01:20,530 --> 00:01:25,330
Now I can inject this in the post in the box or here and then you're out and I'm going to inject it

19
00:01:25,330 --> 00:01:29,360
into the R L and I'm going to put a single quote here.

20
00:01:30,950 --> 00:01:36,050
And as you can see we get an error telling us that there is an error in the statement which means that

21
00:01:36,050 --> 00:01:42,470
there is an ACL injection here we can verify it by adding a true statement saying and one is equal to

22
00:01:42,470 --> 00:01:45,350
1 which should give me.

23
00:01:45,470 --> 00:01:47,420
I actually forgot to add my comment here.

24
00:01:47,420 --> 00:01:53,570
So we're just going to add the comment so the true statements would actually give me a normal valid

25
00:01:53,570 --> 00:01:55,950
web page like we see here.

26
00:01:55,970 --> 00:01:59,170
So it's given us the first name and the second name properly.

27
00:01:59,330 --> 00:02:04,070
Now if I say one is equal to zero which is an invalid should give me an invalid page.

28
00:02:04,100 --> 00:02:10,160
And here we go again in an invalid page with which means that the ID parameter here is ingestible and

29
00:02:10,160 --> 00:02:13,190
the page is doing what we're asking him to do.

30
00:02:13,190 --> 00:02:20,350
We can also verify this using the order by one and then we can say are there by a very large number

31
00:02:20,360 --> 00:02:22,530
and it should give us an invalid page.

32
00:02:24,220 --> 00:02:29,920
And here we go that dummy is this web page is definitely vulnerable to us kill injections.

33
00:02:29,920 --> 00:02:33,060
Now I'm going to try to determine the number of columns and then up with three.

34
00:02:33,280 --> 00:02:35,690
And this is TELL mass on an unknown column.

35
00:02:35,770 --> 00:02:40,300
Let's try to put two on the page is valid.

36
00:02:40,320 --> 00:02:45,660
So that means we have two columns in this page so we can build our union select statement.

37
00:02:45,660 --> 00:02:50,050
Now you can see I'm actually I actually have them built already and I'm able to select everything.

38
00:02:50,170 --> 00:02:51,940
But I just want to show it to you again.

39
00:02:53,560 --> 00:02:59,380
So I'm just going to have the union select statement with you actually here so I'm just going to say

40
00:02:59,380 --> 00:03:09,870
you and then select one to and we can see that we can display stuff and one in into.

41
00:03:09,980 --> 00:03:12,770
So I'm going to select the database in one

42
00:03:17,620 --> 00:03:21,630
and we can see that my database name is DPW.

43
00:03:22,210 --> 00:03:30,160
So I can go ahead and try to select all the tables using my information scheme other tables so the query

44
00:03:30,160 --> 00:03:35,770
is going to be very similar to the query we're on here with DVDA when you say and the only difference

45
00:03:35,770 --> 00:03:44,710
is that the table schema is going to be set to DPW instead of Austan so I'm going to paste that here.

46
00:03:44,710 --> 00:03:50,850
And as you can see I can get my tables which is guestbook and users.

47
00:03:51,040 --> 00:03:57,070
Now we can go ahead and try to select and find the columns for each of these tables using the same statement

48
00:03:57,070 --> 00:03:59,110
that we use in the previous lecture.

49
00:03:59,110 --> 00:04:01,660
I'm not going to run it now because I've already run it.

50
00:04:01,990 --> 00:04:07,020
And if the if the table statements right then the columns table is going to run.

51
00:04:07,240 --> 00:04:13,360
So I've already found that there is a user username and password column in the Users table and I'm just

52
00:04:13,360 --> 00:04:20,050
going to run this statement to select the username and password just to show you what's going to happen.

53
00:04:22,690 --> 00:04:28,180
And as you can see we can select the usernames and passwords for all the users that we have in the Users

54
00:04:28,180 --> 00:04:28,840
table.

55
00:04:29,890 --> 00:04:34,600
Now I'm actually not interested into any of this because we've done all of that before with Mattel day.

56
00:04:34,770 --> 00:04:39,770
Well I want to show you is how to run these statements with the medium security level.

57
00:04:39,850 --> 00:04:43,220
So I just wanted to do this to show you how it works on the low.

58
00:04:43,220 --> 00:04:51,570
And now I'm going to go ahead and change the security level to medium.

59
00:04:51,810 --> 00:04:53,280
And now I can go to.

60
00:04:53,290 --> 00:04:56,140
Q injection OK.

61
00:04:56,160 --> 00:04:59,250
And we're going to try to discover it the same way that we did before.

62
00:04:59,340 --> 00:05:03,800
So I'm going to go with number one first to see a valid page and this is about that page.

63
00:05:03,870 --> 00:05:10,300
Now I'm going to try to put a single quote after the one as you can see now we're getting an error about

64
00:05:10,310 --> 00:05:11,390
this error is different.

65
00:05:11,390 --> 00:05:16,460
It's actually complaining about the existence of the single quote.

66
00:05:16,470 --> 00:05:22,660
So let's try to put an end to what I do and is equal to one like we did before.

67
00:05:25,140 --> 00:05:32,420
And close it with our comment and this should actually show us a valid page as you can see now it's

68
00:05:32,420 --> 00:05:33,940
not showing us about page.

69
00:05:33,980 --> 00:05:39,380
It's actually still giving us an invalid page even though we said one is equal to one which it shouldn't

70
00:05:39,380 --> 00:05:43,140
affect our statement or our query.

71
00:05:43,190 --> 00:05:47,350
So let's try to put the hash ETP code for the quote.

72
00:05:47,390 --> 00:05:53,650
Instead of using a quote so I'm going to put percentage 27 and see if that will bypass any security

73
00:05:53,660 --> 00:05:59,660
maybe they're using and again I'm still getting the same or same problem still complaining about the

74
00:05:59,660 --> 00:06:01,190
quote.

75
00:06:01,210 --> 00:06:03,850
So let's try and play more with this.

76
00:06:03,850 --> 00:06:09,370
Now as I said explosion skill injections can vary from website to website depending on the way it's

77
00:06:09,370 --> 00:06:10,540
implemented.

78
00:06:10,540 --> 00:06:13,090
So there is a lot of trial and error in this.

79
00:06:13,360 --> 00:06:19,590
So let's try and remove the quote and see if that'll actually fix our problem and make it injectable

80
00:06:22,210 --> 00:06:22,560
great.

81
00:06:22,570 --> 00:06:24,870
Now this has given us a valid phage.

82
00:06:24,880 --> 00:06:29,980
Now let's try to change it and say one is equal to two and see what happens.

83
00:06:31,740 --> 00:06:34,190
And yet this has given us an invalid page.

84
00:06:34,350 --> 00:06:37,470
So the website is responding to what we are saying.

85
00:06:37,470 --> 00:06:43,260
The only difference now is that we're not using the quote We're just injecting it straight away after

86
00:06:43,260 --> 00:06:46,510
the ID after the number OK.

87
00:06:46,520 --> 00:06:49,840
So let's go ahead and try to build our union select.

88
00:06:49,850 --> 00:06:59,250
So I'm going to type in union select one to on Yep that looks like we can write stuff in number one

89
00:06:59,310 --> 00:07:00,960
and number two.

90
00:07:00,960 --> 00:07:04,110
So let's try to select a table name

91
00:07:07,840 --> 00:07:13,440
from information schema tables like we always do just to get all the tables that we need.

92
00:07:15,670 --> 00:07:16,500
And here we go.

93
00:07:16,510 --> 00:07:19,990
We're getting all the tables just like we got them before.