1 00:00:00,120 --> 00:00:02,010 All right, so welcome back, everyone.
2 00:00:02,040 --> 00:00:10,370 This is Rick's List, and we have reached one of the very, very important sections.
3 00:00:10,800 --> 00:00:16,130 This is about SQL injection, widely popular.
4 00:00:16,470 --> 00:00:21,060 Still, many of the websites are vulnerable to this attack.
5 00:00:21,890 --> 00:00:31,980 OK, and if you even recall what we have learned in the last best practices, security testing
6 00:00:31,980 --> 00:00:36,900 best practices, the first was information gathering, then the input output manipulation.
7 00:00:37,620 --> 00:00:37,970 All right.
8 00:00:38,400 --> 00:00:47,430 So input output manipulation, as I said earlier, is when the attacker compromises, when I thought
9 00:00:47,430 --> 00:00:55,130 I could exploit the server by sending the data, by sending the data into the server.
10 00:00:55,680 --> 00:01:04,850 And if the server is not performing any sort of sanitization, it can actually compromise the server.
11 00:01:05,070 --> 00:01:05,510 OK.
12 00:01:05,910 --> 00:01:14,260 So in the case of a SQL injection, it is all about the data coming in to the databases.
13 00:01:14,310 --> 00:01:17,820 OK, SQL is the structured query language.
14 00:01:18,450 --> 00:01:20,970 It is the query language for the database.
15 00:01:21,360 --> 00:01:28,620 So whatever we send, whatever the request, we send it to a website or web application; on the backend,
16 00:01:28,620 --> 00:01:35,880 the Web application then forwards it to the database, and that's where the compromises and all the vulnerabilities
17 00:01:35,880 --> 00:01:36,930 really arise.
18 00:01:37,510 --> 00:01:44,070 If the database is not performing any kind of sanitization, or the Web application on the whole is not performing
19 00:01:44,070 --> 00:01:51,360 any kind of input check sort of thing, and if it is not doing this, an attacker or malicious user
20 00:01:51,360 --> 00:01:56,700 can send any sort of data, which he generally isn't able to see.
21 00:01:56,940 --> 00:01:57,270 Right.
22 00:01:57,870 --> 00:01:59,950 That's what we are actually going to learn here.
23 00:02:00,810 --> 00:02:02,460 So that's a good indication.
24 00:02:02,820 --> 00:02:08,550 The first thing is, in order to understand it, of course, it's a Web security vulnerability where
25 00:02:08,550 --> 00:02:17,790 the attacker compromises the vulnerability, sending, making use of a vulnerability in
26 00:02:17,790 --> 00:02:18,390 the server.
27 00:02:18,390 --> 00:02:25,020 If the server is not performing any kind of input check, by sending in a script, great, OK, by sending
28 00:02:25,020 --> 00:02:31,830 a database query to the server directly, it then allows the attacker to retrieve the information, which
29 00:02:31,830 --> 00:02:39,110 he generally can't see, which he generally won't be able to retrieve.
30 00:02:39,150 --> 00:02:39,400 Right.
31 00:02:39,750 --> 00:02:46,320 So information like customer information, credit card information, personal information, it could
32 00:02:46,320 --> 00:02:51,000 even be password credentials, hash combinations as well.
33 00:02:51,180 --> 00:02:51,600 Right.
34 00:02:52,200 --> 00:03:00,210 And in case of a successful SQL injection, if the attacker is able to make any privilege escalation,
35 00:03:00,450 --> 00:03:10,020 it can even follow, or you can even perform the denial of service attack, where it can prevent the genuine
36 00:03:10,020 --> 00:03:17,400 user from getting the access, from getting served by the server, wherein the dummy traffic will
37 00:03:17,400 --> 00:03:25,170 be available to the server and then the normal user won't be able to get the service from the server.
38 00:03:25,180 --> 00:03:26,940 So that would do so.
39 00:03:26,940 --> 00:03:29,790 It could be a complete destruction in that situation.
40 00:03:30,840 --> 00:03:33,080 It can even be made use of.
41 00:03:33,090 --> 00:03:39,420 It can even be useful in case of long-term exploitation, like advanced persistent threat.
42 00:03:39,420 --> 00:03:45,960 If the SQL injection is that powerful at all depends on how strong you are.
43 00:03:46,390 --> 00:03:47,660 The greatest.
44 00:03:47,700 --> 00:03:55,530 OK, SQL queries have been made for a better purpose, for managing their databases, for standardizing
45 00:03:55,530 --> 00:03:58,230 the way the databases are getting structured.
46 00:03:58,890 --> 00:04:03,570 But before you really understand the SQL query, remember this.
47 00:04:03,930 --> 00:04:10,280 The purpose of a DB is to have a systematic, systematic arrangement of information.
48 00:04:10,860 --> 00:04:14,610 Of course, on the one side you understand the storage, right?
49 00:04:14,610 --> 00:04:16,140 Just like your hard disk.
50 00:04:16,380 --> 00:04:19,710 You can just keep on storing your information the way you want it.
51 00:04:20,010 --> 00:04:27,270 But imagine a situation where you have a lot of random information, username, password, address,
52 00:04:27,270 --> 00:04:35,100 location, interest, all those fields; you need some sort of mechanism, some sort of schema wherein you can store
53 00:04:35,100 --> 00:04:41,250 the information in a sorted way or, you know, you can organize the information so that whenever
54 00:04:41,250 --> 00:04:44,580 you want it, you can retrieve the information in a faster way.
55 00:04:44,820 --> 00:04:50,510 So that was the major purpose of standardizing the databases by making SQL queries.
56 00:04:50,640 --> 00:04:56,870 OK, but it can even be made use of, it can even be made use of for malicious purposes.
57 00:04:57,390 --> 00:04:59,610 And let's see how.
58 00:05:00,010 --> 00:05:06,880 In the normal scenario, I'll tell you how exactly the query looks, so we will be understanding it in
59 00:05:06,880 --> 00:05:13,600 much more detail in the fourth session, but even better, I'll even teach you how to deploy the databases,
60 00:05:13,600 --> 00:05:20,760 then create the tables, then even make an individual entry into the individual row as well,
61 00:05:20,770 --> 00:05:23,280 and then assign the rights to the individual user.
62 00:05:23,500 --> 00:05:27,100 So we'll be doing that step by step in the fourth session.
63 00:05:27,320 --> 00:05:31,190 For now, you will be understanding the fundamentals of it, right?
64 00:05:31,690 --> 00:05:32,950 So let's get started.
65 00:05:33,340 --> 00:05:34,400 Let's get started.
66 00:05:35,230 --> 00:05:41,050 The first thing is we have the user and the web server and the databases.
67 00:05:41,050 --> 00:05:47,720 So I understand this one, from the user's point of view, it is just a website.
68 00:05:47,950 --> 00:05:55,270 OK, but the server needs to store the information in the back end, and the purpose of a Web server is
69 00:05:55,270 --> 00:05:58,600 to serve fast enough and efficiently.
70 00:05:58,690 --> 00:06:06,430 OK, but the information is usually stored in the back-end database, and the database stores the information
71 00:06:06,430 --> 00:06:07,590 in table format.
72 00:06:07,870 --> 00:06:13,360 So in our case, the table name is student and it has got multiple columns.
73 00:06:13,360 --> 00:06:13,870 Right.
74 00:06:13,900 --> 00:06:17,090 ID, first name, last name, emails.
75 00:06:17,260 --> 00:06:23,830 So these are all the columns, and the user might be interested in retrieving the ID 1.
76 00:06:24,310 --> 00:06:31,870 The data corresponds to ID one, which is for our Nalu, and there is some information available for
77 00:06:31,870 --> 00:06:32,080 him.
78 00:06:32,380 --> 00:06:36,010 So he might go into the browser.
79 00:06:36,310 --> 00:06:38,510 This information might be available on the website.
80 00:06:38,540 --> 00:06:38,820 Right.
81 00:06:39,040 --> 00:06:45,490 So the Web server is having a Web site, and on the back end it is storing the information of the user.
82 00:06:45,760 --> 00:06:52,570 Just log into a site, maybe example.com, and that's where it is asking for information.
83 00:06:52,570 --> 00:07:01,330 Say if you see example.com is the Web site, then it goes to a certain, maybe a tab, maybe
84 00:07:01,600 --> 00:07:04,270 a tab on the top, and on the tab
85 00:07:04,270 --> 00:07:06,490 he wanted to select the item number one.
86 00:07:07,240 --> 00:07:10,990 That's where he gets the information about ID number one when he just clicks on it.
87 00:07:11,320 --> 00:07:13,100 This information goes to the Web server.
88 00:07:13,120 --> 00:07:18,520 Now, the Web server is just about getting the data and giving it back.
89 00:07:18,640 --> 00:07:21,640 You know, it is all about
90 00:07:24,220 --> 00:07:27,310 handling the request and the response, request and the response.
91 00:07:27,640 --> 00:07:34,810 So the moment it gets the request from the user, it is as a part of the URL; if you are following
92 00:07:34,810 --> 00:07:37,030 me correctly, it is a request.
93 00:07:37,030 --> 00:07:37,450 Right.
94 00:07:37,450 --> 00:07:39,440 And he needs a response against it.
95 00:07:40,180 --> 00:07:46,720 Now, this would be forwarded to the database in a different format, and that's the database form.
96 00:07:46,720 --> 00:07:48,140 And that's the query.
97 00:07:48,630 --> 00:07:49,140 It's good.
98 00:07:49,150 --> 00:07:55,210 The query is used to retrieve the information, and this is the way it is being used: select information
99 00:07:55,210 --> 00:08:01,000 from student where the ID is, like, any of them from the table.
100 00:08:01,000 --> 00:08:03,310 Basically the ID is one.
101 00:08:04,090 --> 00:08:11,740 It means the first information row will be selected, and that will be given to the user, and
102 00:08:11,740 --> 00:08:15,920 the user is then able to see that information on his browser.
103 00:08:16,900 --> 00:08:26,080 So that's the way it usually works, and that's the standard way of working, and that's being used for
104 00:08:26,080 --> 00:08:30,450 years and years; that is, in fact, the way it has been deployed.
105 00:08:30,580 --> 00:08:36,290 Now, let's see how the SQL injection basically works this time.
106 00:08:36,290 --> 00:08:44,440 We have a malicious user against the same Web server, same database, same data, but now the malicious user,
107 00:08:44,440 --> 00:08:53,650 instead of sending the normal query, instead of sending normally, he sends a malicious URL, like
108 00:08:54,040 --> 00:08:56,320 he knows about the students.
109 00:08:56,320 --> 00:08:59,260 He knows about the table student.
110 00:08:59,260 --> 00:09:02,020 But he also adds some value.
111 00:09:02,740 --> 00:09:09,430 This is that value, OK, ID is equal to one, that seems to be very much valid.
112 00:09:09,700 --> 00:09:16,090 If you see example.com slash student, ID, where it is equal to one.
113 00:09:16,090 --> 00:09:19,090 This is pretty, pretty genuine.
114 00:09:19,120 --> 00:09:26,590 There's nothing wrong with it, but there's something very special just after ID is equal to
115 00:09:26,590 --> 00:09:27,100 one.
116 00:09:27,130 --> 00:09:27,490 Right.
117 00:09:27,820 --> 00:09:34,000 There's a single quote, OR one is equal to one.
118 00:09:34,360 --> 00:09:46,050 That means show me the data of one, or, where, or information where one is equal to one; that means someone
119 00:09:46,090 --> 00:09:54,040 will be converting it to an SQL query and will be giving it to the database; we will be going in very deep
120 00:09:54,040 --> 00:09:57,970 about what exactly the SQL query can do in much more detail.
121 00:09:58,150 --> 00:09:59,120 But just understand that.
122 00:09:59,140 --> 00:09:59,640 Understand.
123 00:10:00,300 --> 00:10:05,160 One is equal to one is always going to be true, forever, right?
124 00:10:05,610 --> 00:10:08,960 So that means I am true about all the entries.
125 00:10:09,240 --> 00:10:12,540 So in that case, show me everything that matches.
126 00:10:12,540 --> 00:10:12,850 Right.
127 00:10:14,010 --> 00:10:20,160 What's going to happen is the website would be sending a query from the table where ID is equal to one or
128 00:10:20,160 --> 00:10:22,470 one is equal to one, and then dash, dash.
129 00:10:22,470 --> 00:10:26,230 That means anything after this will be considered as a comment.
130 00:10:27,000 --> 00:10:28,170 So that's pretty much OK.
131 00:10:28,180 --> 00:10:30,300 And that's nothing to do with that.
132 00:10:30,300 --> 00:10:31,500 But one is equal to one,
133 00:10:31,500 --> 00:10:41,220 it's, I mean, just like I'm OK with all the information, and do show me all the data where one is equal
134 00:10:41,220 --> 00:10:43,280 to one, where all the entries are true.
135 00:10:43,440 --> 00:10:50,130 Yes, it is not just one is equal to one but entries which are true.
136 00:10:50,400 --> 00:10:53,940 So that means in all the situations, entries will be true.
137 00:10:54,210 --> 00:11:01,190 That's why the entire information in our database will be forwarded to the malicious user.
138 00:11:01,530 --> 00:11:09,750 And that's how the SQL injection basically works, because you inject your malicious code into the
139 00:11:10,420 --> 00:11:11,010 query.
140 00:11:11,400 --> 00:11:13,860 And that's exactly the malicious code.
141 00:11:14,370 --> 00:11:17,300 The code is OR one is equal to one.
142 00:11:17,310 --> 00:11:21,110 But you can think, is it really malicious code?
143 00:11:21,150 --> 00:11:21,570 No.
144 00:11:21,580 --> 00:11:21,880 Right.
145 00:11:22,140 --> 00:11:29,360 But you are, if you are exploiting the SQL query for the malicious intent.
146 00:11:29,390 --> 00:11:29,630 Right.
147 00:11:30,120 --> 00:11:31,530 That's what it is all about.
148 00:11:31,830 --> 00:11:36,420 You need information where all the possibilities are true.
149 00:11:37,080 --> 00:11:42,120 That's where all the rows will become true, all the entries become true.
150 00:11:42,360 --> 00:11:45,500 And you are eligible to read all the information.
151 00:11:46,140 --> 00:11:54,930 And this user, who is of malicious intent, can get all the information of the database without any
152 00:11:54,930 --> 00:11:56,130 special privileges.
153 00:11:56,680 --> 00:11:58,490 That's the SQL injection.
154 00:11:58,860 --> 00:12:06,270 So if this information can be a user database, personal information, health care records, username
155 00:12:06,270 --> 00:12:09,720 and password, this could be seen for all the users.
156 00:12:09,990 --> 00:12:17,310 And I'll just show you actually on a real, on our target website, how we can retrieve all the information
157 00:12:17,640 --> 00:12:25,260 and how we can get access to a website without even knowing the login ID and the password.
158 00:12:25,500 --> 00:12:29,630 And it's going to work just the way I have shown you.
159 00:12:30,120 --> 00:12:33,070 So this is all about it; we will get to you in the next session.
160 00:12:33,210 --> 00:12:33,750 Thank you.
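The lecture's student lookup, built the vulnerable way (the id from example.com/student?id=... pasted into the SQL text) beside the hardened version, as an added Python example that is not code from the course; the student rows, column names and the in-memory SQLite database are constructed for illustration.

```python
import sqlite3

# Constructed sample rows standing in for the lecture's "student" table
# (hypothetical names, not data from the course).
STUDENTS = [
    (1, "Nalu", "Example", "nalu@example.com"),
    (2, "Bea", "Sample", "bea@example.com"),
    (3, "Cid", "Demo", "cid@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the student table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE student (id INTEGER, first_name TEXT, last_name TEXT, email TEXT)")
    db.executemany("INSERT INTO student VALUES (?, ?, ?, ?)", STUDENTS)
    return db


def vulnerable_lookup(db, raw_id):
    """The pattern the lecture warns about: the id value taken from the URL is
    concatenated into the query, so the database reads it as SQL, not as data."""
    sql = "SELECT * FROM student WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def safe_lookup(db, raw_id):
    """Hardened version: validate the type first, then bind the value as a
    query parameter so it can never change the structure of the statement."""
    student_id = int(raw_id)  # raises ValueError for anything that is not a number
    return db.execute("SELECT * FROM student WHERE id = ?", (student_id,)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable query, rows from the safe query,
    whether the safe query rejected the input) for the lecture's payload."""
    db = make_db()
    payload = "1 OR 1=1 --"  # the "or one is equal to one, dash dash" input from the lecture
    leaked = vulnerable_lookup(db, payload)
    try:
        safe_rows = safe_lookup(db, payload)
        rejected = False
    except ValueError:
        safe_rows, rejected = [], True
    return leaked, safe_rows, rejected


if __name__ == "__main__":
    leaked, _, rejected = demo()
    print(f"vulnerable query returned {len(leaked)} rows; safe query rejected the input: {rejected}")
```

The vulnerable query returns every row because `1=1` is true for all of them and `--` comments out the rest; the safe version never reaches the database with that input.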