1
00:00:00,990 --> 00:00:07,000
And this lecture I'd like to cover a case that I face in pretty much 50 percent of the websites that

2
00:00:07,000 --> 00:00:09,150
I do penetration testing on.

3
00:00:09,190 --> 00:00:16,000
So let me first just run and exploit the ones I've already seen so we're just going to run this statement

4
00:00:16,000 --> 00:00:20,040
which will select the table name from information schema tables.

5
00:00:20,080 --> 00:00:25,080
So this should list all the tables that exist within our page.

6
00:00:25,330 --> 00:00:30,040
And I have my security set too low at the moment so I'm just going to paste that here.

7
00:00:30,940 --> 00:00:32,970
Remove this extra one and hit enter

8
00:00:35,730 --> 00:00:41,590
as you can see it gets exploited and it shows us the table name here instead of number one.

9
00:00:41,790 --> 00:00:46,650
So we see all the table names that exist within this current database.

10
00:00:48,770 --> 00:00:55,790
Now the case that I'd like to cover is when you actually run the statement so the website will be vulnerable.

11
00:00:55,790 --> 00:01:02,210
And when you run the statement you will only see one result at a time and that's because the page is

12
00:01:02,570 --> 00:01:06,220
programmed in a way to display only one result at a time.

13
00:01:06,410 --> 00:01:12,730
To do this we're actually going to need to modify the code for the low security level for DPW I will

14
00:01:12,740 --> 00:01:15,770
do that now and then we'll come back to exploit it.

15
00:01:15,770 --> 00:01:18,670
So I'm actually just going to modify the code for DVD-Video.

16
00:01:18,680 --> 00:01:20,650
This is not part of the exploitation.

17
00:01:20,780 --> 00:01:24,860
This is just to make this exploit a little bit trickier.

18
00:01:24,960 --> 00:01:33,050
So I've missed Meta's floatable now and I'm going to open the low security level of the SQL Injection

19
00:01:33,050 --> 00:01:33,620
file.

20
00:01:33,890 --> 00:01:41,180
So I'm going to use sudo because the file has root permissions and I'm going to use Nonno as the text

21
00:01:41,180 --> 00:01:43,500
editor.

22
00:01:43,530 --> 00:01:53,570
So this is the program that I will use to modify the file and the file is stored in var w w w w o a

23
00:01:54,530 --> 00:02:02,270
vulnerability is a skill injection source and then lo ph.

24
00:02:02,670 --> 00:02:07,080
So again I'm just going to go through this come and see what we're doing is we're saying we're saying

25
00:02:07,080 --> 00:02:09,850
sudo to run the file in root privileges.

26
00:02:09,850 --> 00:02:12,790
Now what is the program that we're going to open the file with.

27
00:02:12,960 --> 00:02:21,920
And then the file is stored in Varda readable WDW I Woolner abilities as Kulai source Lowder's ph.

28
00:02:22,440 --> 00:02:29,060
I'm going to hit enter and asking me for the admin password now the root password is as admin.

29
00:02:29,060 --> 00:02:35,310
Exactly like the username.

30
00:02:35,490 --> 00:02:37,800
We have the source here for the file.

31
00:02:37,800 --> 00:02:40,910
So I'm going to modify it here I'm actually going to modify this to you.

32
00:02:40,980 --> 00:02:47,460
So what this loop does it actually loops through all the characters all the records that this askew

33
00:02:47,580 --> 00:02:50,110
statement gets right here.

34
00:02:50,250 --> 00:02:52,560
And then it displays them on screen.

35
00:02:52,560 --> 00:02:57,220
So what we want is we want to modify it to only display words of the first result.

36
00:02:57,270 --> 00:03:00,980
So I'm just going to comment this line two forward slashes other comment.

37
00:03:00,990 --> 00:03:08,220
So basically this line will be ignored and I'll also comment this line because it closes the while loop.

38
00:03:08,700 --> 00:03:10,620
So this line will be ignored as well.

39
00:03:11,940 --> 00:03:16,340
Now you really need to care to worry about what this means if you're not a programmer.

40
00:03:16,350 --> 00:03:21,320
It's not very important just come into these lines and we'll see what happens at the client site because

41
00:03:21,320 --> 00:03:26,100
what we're what we're interested in this lecture is not the programming we're interested in to the penetration

42
00:03:26,100 --> 00:03:27,060
testing.

43
00:03:27,090 --> 00:03:29,820
So I'm just going to hit control X to save this.

44
00:03:30,000 --> 00:03:36,170
I'm going to hit Y and enter and that'll quit and save the file.

45
00:03:36,190 --> 00:03:41,170
So we're back here and I'm going to run exactly the same statement so I'm not going to modify it.

46
00:03:41,200 --> 00:03:46,270
So I'm still saying unions select table name from information schema other tables.

47
00:03:47,710 --> 00:03:50,260
I'm actually going to refresh the page.

48
00:03:50,510 --> 00:03:56,140
And as you can see now this is not really working or is it working but it's only shown us the first

49
00:03:56,560 --> 00:04:02,960
the first record that's been selected which is the American So this is not even useful.

50
00:04:03,870 --> 00:04:08,910
So the first thing that I'm going to do is this is bringing us the record because the admin has the

51
00:04:08,910 --> 00:04:11,600
ID of number one.

52
00:04:11,610 --> 00:04:16,410
So what we're going to do now is we're actually just going to give it an invalid ID so I'm going to

53
00:04:16,410 --> 00:04:21,610
give it an A minus one.

54
00:04:21,660 --> 00:04:26,910
And as you can see now the statement works we're getting a table that exists in the information schema

55
00:04:27,030 --> 00:04:29,940
tables but we're all together in one table at a time.

56
00:04:29,940 --> 00:04:32,230
We're not getting the full list of the tables.

57
00:04:32,580 --> 00:04:37,420
And this is because the page is programmed in a way that will only display one result.

58
00:04:37,610 --> 00:04:42,260
And this happened to me a lot with a lot of times when I'm doing penetration testing.

59
00:04:42,300 --> 00:04:50,190
So keep in mind that we can run any all statement that we want on the tape on the server so we can modify

60
00:04:50,190 --> 00:04:56,210
our skill statement to iterate over all the records and display the content.

61
00:04:56,220 --> 00:05:02,970
So what we're going to do is we're going to know obviously can use the word statement to only show database

62
00:05:03,090 --> 00:05:08,070
tables within your current database but at the at the at the moment I want to show you how it how to

63
00:05:08,070 --> 00:05:10,450
iterate over all the tables.

64
00:05:10,710 --> 00:05:18,420
So what we're going to do instead is use the limit keyword to specify which record we want to display.

65
00:05:18,570 --> 00:05:26,190
With the current statement this way we'll be able to iterate over the records one by one and display

66
00:05:26,250 --> 00:05:28,010
all of them.

67
00:05:28,210 --> 00:05:35,830
So the statement is going to be unioned select table name from information schema or tables and we're

68
00:05:35,830 --> 00:05:41,550
going to say I want to limit the limit keyword takes two values.

69
00:05:41,710 --> 00:05:48,740
The first value is the location of the record that we want to start displaying records from.

70
00:05:48,790 --> 00:05:56,800
So where we want to start displaying records so I want to start displaying records from the first record.

71
00:05:56,900 --> 00:06:04,840
So I'm going to put zero because the record numbers start at 0 and the second value that the limit keyword

72
00:06:04,840 --> 00:06:12,250
takes is the number of records that we want to display on screen starting at the value that we specified

73
00:06:12,250 --> 00:06:13,660
in here.

74
00:06:13,660 --> 00:06:19,000
Now we know that this page right here can only show me one record at a time.

75
00:06:19,030 --> 00:06:22,520
So the second value to the limit keyword can only be one.

76
00:06:22,570 --> 00:06:24,110
In this case.

77
00:06:24,160 --> 00:06:30,740
So basically what we're saying is we want to select the table name from the information schema tables.

78
00:06:30,880 --> 00:06:36,250
I only wanted to display one record starting from record 0.

79
00:06:36,250 --> 00:06:40,490
So if I copy this and paste it here

80
00:06:44,270 --> 00:06:51,680
you'll see I'll get the first table right now and then if I want to go to the second table all I have

81
00:06:51,680 --> 00:06:58,430
to do is modify this so like I said this value the first value in here means I want to start at record

82
00:06:58,430 --> 00:06:59,240
0.

83
00:06:59,240 --> 00:07:07,310
So if I want to start at record 1 I'm just going to put one and then I can copy this and paste it up

84
00:07:07,350 --> 00:07:11,220
in here again.

85
00:07:11,340 --> 00:07:13,610
As you can see we got the next table.

86
00:07:13,650 --> 00:07:20,290
Now again if I want to get the table after this all I have to do is modify this and set it to 2.

87
00:07:20,400 --> 00:07:25,440
And that means that I want to start this play in from record to and I only want to start to display

88
00:07:25,440 --> 00:07:26,880
one record.

89
00:07:26,880 --> 00:07:31,610
Again if I hit enter as you can see I'm getting the next table.

90
00:07:31,680 --> 00:07:38,000
I can keep doing this to iterate over all the records manually.

91
00:07:38,020 --> 00:07:41,880
Now we can also enhance the statement by using the workloads.

92
00:07:41,890 --> 00:07:50,140
So before the limit we can say I want to select a table name from information schema tables where table

93
00:07:50,140 --> 00:07:57,370
schema is equal to DV w a.

94
00:07:57,420 --> 00:08:06,240
Now if we paste this in here as you can see this has shown me the users and again I can iterate over

95
00:08:06,390 --> 00:08:13,740
the tables by changing the number here so this is display in the record at offset 1.

96
00:08:13,740 --> 00:08:17,420
I can set this to 0 to display the first record.

97
00:08:17,520 --> 00:08:23,930
And as you can see the first table or the first record is guestbook and that's it.

98
00:08:23,930 --> 00:08:27,830
So just a quick a nice letter to show you how to bypass this problem.

99
00:08:27,920 --> 00:08:35,090
If you face it in pages that would only display one value or one record for you at a time.