1
00:00:00,930 --> 00:00:06,110
And this lecture we're going to go and have a look on the high security level and we'll see why it's

2
00:00:06,110 --> 00:00:07,910
an injectable.

3
00:00:07,910 --> 00:00:13,800
So let's go ahead first and said the security level too high.

4
00:00:13,930 --> 00:00:20,200
Now I'm going to go back to my skill injection and let's make sure that the page works first.

5
00:00:20,210 --> 00:00:25,210
I'm just going to put number one like we always did.

6
00:00:25,440 --> 00:00:27,180
And as you can see now the page works.

7
00:00:27,180 --> 00:00:32,670
Now let's try to inject it after the one after the ID parameter like we always did and I'm going to

8
00:00:32,690 --> 00:00:36,450
put and one is equal to one so I'm putting a true statement.

9
00:00:36,660 --> 00:00:39,530
And as you can see now the page doesn't really work.

10
00:00:39,690 --> 00:00:45,470
So let's try to put a single quote here to close it like we did with the low level.

11
00:00:45,480 --> 00:00:50,430
And again this injection doesn't work either even though we're given a true statement that shouldn't

12
00:00:50,430 --> 00:00:53,240
interfere with the current request.

13
00:00:53,280 --> 00:00:58,080
We usually don't look at the code when we're trying to hack but as I said this is an injectable.

14
00:00:58,170 --> 00:01:03,450
So let's have a look at the code and we're going to compare it with the code used for the medium security

15
00:01:03,450 --> 00:01:09,150
level and we'll see what the difference is between the two codes so that we can learn how to secure

16
00:01:09,150 --> 00:01:10,270
our websites.

17
00:01:10,320 --> 00:01:15,210
So I'm going to search and change the security level to medium here just so that we can compare the

18
00:01:15,210 --> 00:01:21,780
two codes and I'm going to go back to the skill injection and I'm going to view the source as well.

19
00:01:23,910 --> 00:01:28,540
And God put them beside each other.

20
00:01:28,730 --> 00:01:36,290
So in here in the medium security level you can see that the idea is being read in here and installed

21
00:01:36,320 --> 00:01:37,690
in the ID variable.

22
00:01:37,880 --> 00:01:42,110
And then there is an app function called my Eskew the real escape.

23
00:01:42,110 --> 00:01:48,290
So what this function does it all go through every character in the ID variable and it'll look for special

24
00:01:48,290 --> 00:01:52,090
characters such as single quotes and double quotes and remove them.

25
00:01:52,260 --> 00:01:59,200
Therefore any quotation marks used or injected in the ID variable will actually be removed at this line

26
00:01:59,900 --> 00:02:03,430
because of the use of my obscure the real escape strain.

27
00:02:03,860 --> 00:02:10,700
Now the thing is once we go down to the skills statement you'll see that we actually don't need to use

28
00:02:10,970 --> 00:02:17,390
any quotes to inject code into the statements our statement is select first name last name from users

29
00:02:17,620 --> 00:02:20,240
where a user ID is equal to ID.

30
00:02:20,570 --> 00:02:23,210
So we actually don't need to close any quotes.

31
00:02:23,210 --> 00:02:26,290
We don't need to inject quotes in the ID variable.

32
00:02:26,300 --> 00:02:32,150
All we have to do is just put any idea like we did in the last video so we can put just number one and

33
00:02:32,150 --> 00:02:35,770
then inject code straight away after the number one.

34
00:02:35,780 --> 00:02:41,900
So when we use this code right here we're basically we we didn't use the quotes in the media.

35
00:02:41,900 --> 00:02:44,710
So we are literally just giving the ID as number one.

36
00:02:44,840 --> 00:02:49,880
And then we're saying Union select column name whatever from information schema tables.

37
00:02:49,880 --> 00:02:56,990
So the code has just been injected straight away after the ID and then the database will read it and

38
00:02:57,020 --> 00:02:58,160
executed.

39
00:02:58,340 --> 00:03:03,980
No need to use quotes again because the code doesn't use any single code so the code just says user

40
00:03:03,980 --> 00:03:06,490
ID is equal to ID.

41
00:03:06,500 --> 00:03:11,720
Now comparing this with the code that we have for the high security level you'll see that it uses the

42
00:03:11,720 --> 00:03:17,320
same function to skip special characters but it's implemented in the right way.

43
00:03:17,570 --> 00:03:25,620
And that's by using single quotes in the Escurial statement around the idea therefore because the code

44
00:03:25,620 --> 00:03:32,070
is keep in the quotes that we put and because they're using quotes in there any code that we try to

45
00:03:32,070 --> 00:03:37,130
inject in here will actually be considered as if it's part of the ID.

46
00:03:37,260 --> 00:03:43,440
So when we use this code right here so if we just use the code as it is without a quote then obviously

47
00:03:43,440 --> 00:03:48,850
it will just be inserted instead of the ID variable between the two single quotes.

48
00:03:48,990 --> 00:03:51,790
So it'll just be considered as the ID.

49
00:03:52,020 --> 00:03:58,290
Whereas if we inject that code in here it'll actually be executed as part of the kill statement.

50
00:03:58,290 --> 00:04:04,320
So let's have a look on what the askew statement will look like when we inject our code in both in the

51
00:04:04,320 --> 00:04:06,840
media and in the high security level.

52
00:04:06,840 --> 00:04:15,170
So I'm just going to bring down the techs here so we have the best statement for the medium here and

53
00:04:15,180 --> 00:04:22,890
the skill statement for the high security level and we'll just try to inject and one is equal to 1 because

54
00:04:22,950 --> 00:04:28,230
as we've seen if you can inject that then you can inject anything you want to really and get it executed

55
00:04:28,260 --> 00:04:29,260
on the database.

56
00:04:30,800 --> 00:04:31,120
OK.

57
00:04:31,130 --> 00:04:37,070
So looking at the medium statement we're going to copy this code.

58
00:04:37,250 --> 00:04:42,850
Now this code will actually go and pass through the my and real escape character.

59
00:04:43,010 --> 00:04:48,590
So it will be removed from any single code that it has but it has nothing and the code will look like

60
00:04:48,590 --> 00:04:49,290
one.

61
00:04:49,640 --> 00:04:51,770
And one is equal to one.

62
00:04:51,830 --> 00:04:56,740
So this statement is valid and wants equal to and will be injected.

63
00:04:56,780 --> 00:05:02,300
Now looking at the high security level notice this use of the single quote which will mean that the

64
00:05:02,370 --> 00:05:05,700
user ID is equal to one and one is equal to one.

65
00:05:05,900 --> 00:05:11,480
So and one is equal to and will not be considered as part of the OR statement but it will be considered

66
00:05:11,540 --> 00:05:15,310
as part of the user ID.

67
00:05:15,310 --> 00:05:21,050
Now let's try to add the single quote and see what effect would that have on the screen or statements.

68
00:05:22,000 --> 00:05:26,740
I'm actually going to get rid of this statement because we managed to inject it and we're only going

69
00:05:26,740 --> 00:05:30,800
to focus on the highs in the statements used in the high security level.

70
00:05:31,240 --> 00:05:36,410
So we're using a single quote here to close it and we're going to copy this.

71
00:05:36,460 --> 00:05:40,930
Now this will actually pass through the screen and will escape strength.

72
00:05:41,200 --> 00:05:45,150
So the single quote that we're using here will actually be removed.

73
00:05:45,430 --> 00:05:52,170
And this line will become one and one is equal to one so it's going to be equal or exactly the same

74
00:05:52,170 --> 00:05:54,890
as the line we used before.

75
00:05:54,900 --> 00:05:59,570
Now one wants this is substituted in here again.

76
00:05:59,700 --> 00:06:06,480
The one and one is equal to and will be considered as part of the Z of the user ID and it won't be considered

77
00:06:06,540 --> 00:06:09,090
as part of the escarole statement.

78
00:06:09,090 --> 00:06:14,190
From this we can see that the use of the my s q r the real escape strength is not enough.

79
00:06:14,240 --> 00:06:20,850
It has to be used with the single quotes right here and combined with that function then this specific

80
00:06:20,850 --> 00:06:24,870
as kill statement becomes an injectable.

81
00:06:24,880 --> 00:06:30,130
Now in future lectures we're actually going to discuss a better way to build web applications so that

82
00:06:30,130 --> 00:06:33,100
they can't be injected with SKM statements.

83
00:06:33,280 --> 00:06:38,710
But if you needed a quick solution then you can go for this until you have time and you can change the

84
00:06:38,710 --> 00:06:41,980
implementation of your website so that it can't be injected.