1
00:00:00,120 --> 00:00:02,010
All right, so welcome back, everyone.

2
00:00:02,040 --> 00:00:10,370
This is Rick's List, and we have reached out to one of the very, very important section.

3
00:00:10,800 --> 00:00:16,130
This is about a secure injection, widely popular.

4
00:00:16,470 --> 00:00:21,060
Still, many of the websites are vulnerable to this attack.

5
00:00:21,890 --> 00:00:31,980
OK, and if you if you even recall what we have learned in the last best practices, security testing,

6
00:00:31,980 --> 00:00:36,900
best practices, the first was information gathering, then the input output manipulation.

7
00:00:37,620 --> 00:00:37,970
All right.

8
00:00:38,400 --> 00:00:47,430
So input on foot manipulation, as I said earlier, than when the attacker compromised, when I thought

9
00:00:47,430 --> 00:00:55,130
I could exploit the server by sending the data, by sending the data into the server.

10
00:00:55,680 --> 00:01:04,850
And if the server is not performing any sort of standardization, it can actually compromises that we're

11
00:01:05,070 --> 00:01:05,510
OK.

12
00:01:05,910 --> 00:01:14,260
So the in case of a skill injection, it is all about the data coming in to the databases.

13
00:01:14,310 --> 00:01:17,820
OK, Eskil is the squaddie language.

14
00:01:18,450 --> 00:01:20,970
It does the query language for the database.

15
00:01:21,360 --> 00:01:28,620
So whatever we send of whatever the request, we send it to a website or web application on the backend.

16
00:01:28,620 --> 00:01:35,880
The Web application then forwarded to the database and that's where the compromises and all the vulnerabilities

17
00:01:35,880 --> 00:01:36,930
really arising.

18
00:01:37,510 --> 00:01:44,070
If the database is not performing any kind of sanitation or the Web application in the whole not performing

19
00:01:44,070 --> 00:01:51,360
any kind of input check sort of thing and check if it is not doing this and attack it on malicious user

20
00:01:51,360 --> 00:01:56,700
can send any sort of data which he cannot generally able to see.

21
00:01:56,940 --> 00:01:57,270
Right.

22
00:01:57,870 --> 00:01:59,950
That's what we are actually going to learn here.

23
00:02:00,810 --> 00:02:02,460
So that's a good indication.

24
00:02:02,820 --> 00:02:08,550
It's the first thing is in order to understand it, of course, it's a Web security vulnerability where

25
00:02:08,550 --> 00:02:17,790
and the attacker compromises the vulnerability we're sending make use make use of a vulnerability in

26
00:02:17,790 --> 00:02:18,390
the server.

27
00:02:18,390 --> 00:02:25,020
If the server is not performing any kind of input check by sending in a script, great, OK, by sending

28
00:02:25,020 --> 00:02:31,830
a database query to the server directly and then allow the attacker to retrieve the information, which

29
00:02:31,830 --> 00:02:39,110
he generally can't see, which he generally won't be able to retrieve.

30
00:02:39,150 --> 00:02:39,400
Right.

31
00:02:39,750 --> 00:02:46,320
So information like customer information, credit card information, personal information, it could

32
00:02:46,320 --> 00:02:51,000
be even password credentials hash a combination sasebo.

33
00:02:51,180 --> 00:02:51,600
Right.

34
00:02:52,200 --> 00:03:00,210
And in case of a successful Escorial injection, if the attacker is able to make any privileged escalation,

35
00:03:00,450 --> 00:03:10,020
it can even follow or you can even perform the denial of service attack where it can prevent the genuine

36
00:03:10,020 --> 00:03:17,400
user to get the access from these to get solved by the server where in the dummy or dummy traffic will

37
00:03:17,400 --> 00:03:25,170
be available to the server and then the normal user won't be able to get this service from the server.

38
00:03:25,180 --> 00:03:26,940
So that would do so.

39
00:03:26,940 --> 00:03:29,790
It could be a complete destruction in that situation.

40
00:03:30,840 --> 00:03:33,080
It can even be make you meet.

41
00:03:33,090 --> 00:03:39,420
It can even be useful in case of long term optimization, like advanced persistent threat.

42
00:03:39,420 --> 00:03:45,960
If the skill injection is that powerful at all, depends on how strong you are.

43
00:03:46,390 --> 00:03:47,660
The greatest.

44
00:03:47,700 --> 00:03:55,530
OK, at school, Curis has been made for better purpose, for managing their databases, for standardizing

45
00:03:55,530 --> 00:03:58,230
the way the databases are getting structured.

46
00:03:58,890 --> 00:04:03,570
But before you really understand the skullcandy remember this.

47
00:04:03,930 --> 00:04:10,280
The purpose of B2B is to have a systematic, systematic arrangement of information.

48
00:04:10,860 --> 00:04:14,610
Of course, you have on the one side you understand the storage, right?

49
00:04:14,610 --> 00:04:16,140
Just like your hard disk.

50
00:04:16,380 --> 00:04:19,710
You can just keep on storing your information the way you want it.

51
00:04:20,010 --> 00:04:27,270
But imagine in a situation where you have a lot of random information, username, password of address,

52
00:04:27,270 --> 00:04:35,100
location, interest, all those feet you need sort of mechanism, sort of schema wherein you can store

53
00:04:35,100 --> 00:04:41,250
the information in a search or get or, you know, you can organize the information so that whenever

54
00:04:41,250 --> 00:04:44,580
you want it, you can record the information in a faster way.

55
00:04:44,820 --> 00:04:50,510
So that was the major purpose of standardizing the databases by making Escorial grace.

56
00:04:50,640 --> 00:04:56,870
OK, but it can even be make you it can even be made used for the malicious purposes one.

57
00:04:57,390 --> 00:04:59,610
And let's see how so.

58
00:05:00,010 --> 00:05:06,880
And the normal scrutiny, I'll tell you how exactly the critic looks, so I will be understanding in

59
00:05:06,880 --> 00:05:13,600
much more detail in the photo session, but even better, I'll even teach you how to deploy the bases,

60
00:05:13,600 --> 00:05:20,760
then create the tables, then even make an individual entry into the in the individual room as well,

61
00:05:20,770 --> 00:05:23,280
and then assigning the rights to the individual user.

62
00:05:23,500 --> 00:05:27,100
So we'll be doing that step by step in the fourth position.

63
00:05:27,320 --> 00:05:31,190
For now, you will be understanding the fundamentals of do it right.

64
00:05:31,690 --> 00:05:32,950
So let's get started.

65
00:05:33,340 --> 00:05:34,400
Let's get started.

66
00:05:35,230 --> 00:05:41,050
The first thing is we have user and web server and the databases.

67
00:05:41,050 --> 00:05:47,720
So I understand this one user for the from the user point of view, just a website.

68
00:05:47,950 --> 00:05:55,270
OK, but that server is needed to store the information in the back and the purpose of Web server is

69
00:05:55,270 --> 00:05:58,600
to serve very fast enough and efficiently.

70
00:05:58,690 --> 00:06:06,430
OK, but the information is usually stored in the back and database and the database store the information

71
00:06:06,430 --> 00:06:07,590
in table format.

72
00:06:07,870 --> 00:06:13,360
So in our case, the stable name is student and it has got multiple columns.

73
00:06:13,360 --> 00:06:13,870
Right.

74
00:06:13,900 --> 00:06:17,090
I.T. first name, last name Emin's.

75
00:06:17,260 --> 00:06:23,830
So these are all the columns and the user is might be interested in retrieving the 81.

76
00:06:24,310 --> 00:06:31,870
The data corresponds to Idy one, which is for our Nalu and there are some information available for

77
00:06:31,870 --> 00:06:32,080
him.

78
00:06:32,380 --> 00:06:36,010
So he might mind on the he might go into the browser.

79
00:06:36,310 --> 00:06:38,510
This information might be available on the website.

80
00:06:38,540 --> 00:06:38,820
Right.

81
00:06:39,040 --> 00:06:45,490
So the Web server is having a Web site on the back and he is storing the information user.

82
00:06:45,760 --> 00:06:52,570
Just log into a site, maybe example, dot com and that's where it is asking for information.

83
00:06:52,570 --> 00:07:01,330
Say if you see example, dot com is the Web site, then it goes to a certain maybe, maybe a tab, maybe

84
00:07:01,600 --> 00:07:04,270
tap on the on the top and the tab.

85
00:07:04,270 --> 00:07:06,490
He wanted to select the item number one.

86
00:07:07,240 --> 00:07:10,990
That's where he get the information about it number when he just click on it.

87
00:07:11,320 --> 00:07:13,100
This information goes to the Web server.

88
00:07:13,120 --> 00:07:18,520
Now, Web server was just about getting the data and give it back.

89
00:07:18,640 --> 00:07:21,640
You know, it is all about

90
00:07:24,220 --> 00:07:27,310
handling the request and the response request and the response.

91
00:07:27,640 --> 00:07:34,810
So on the moment he get the request from the user, it is as a part of you are if you if you are following

92
00:07:34,810 --> 00:07:37,030
me correctly, it is a request.

93
00:07:37,030 --> 00:07:37,450
Right.

94
00:07:37,450 --> 00:07:39,440
And he needs a response against it.

95
00:07:40,180 --> 00:07:46,720
Now, this would be forwarded to the database and in a different format, and that's database form.

96
00:07:46,720 --> 00:07:48,140
And that's the query.

97
00:07:48,630 --> 00:07:49,140
It's good.

98
00:07:49,150 --> 00:07:55,210
Gerti is used to retrieve the information and this is the way it is being used to select information

99
00:07:55,210 --> 00:08:01,000
from students where the ID is like any of them from the table.

100
00:08:01,000 --> 00:08:03,310
Basically their is one.

101
00:08:04,090 --> 00:08:11,740
It means the first information flows through will be selected and that will be given to the user and

102
00:08:11,740 --> 00:08:15,920
the user then able to see that information on its browser.

103
00:08:16,900 --> 00:08:26,080
So that's the way it usually works and that's the standard way of working and that's being used from

104
00:08:26,080 --> 00:08:30,450
years and years did, in fact, the way it has been deployed.

105
00:08:30,580 --> 00:08:36,290
Now, let's let's see how the ESKIL injection basically works this time.

106
00:08:36,290 --> 00:08:44,440
We have a malicious user against the same Web server, same Bidvest, same day, but now malicious users,

107
00:08:44,440 --> 00:08:53,650
in spite of sending the normal query, in spite of saying normally he sends a malicious you are like

108
00:08:54,040 --> 00:08:56,320
he know about these students.

109
00:08:56,320 --> 00:08:59,260
He knows about the Nektar student.

110
00:08:59,260 --> 00:09:02,020
But that also adds some value.

111
00:09:02,740 --> 00:09:09,430
This is that value, OK, Iot is equal to one that is that is seems to be very much valid.

112
00:09:09,700 --> 00:09:16,090
If you see example, dot com slash student I t where it is equal to one.

113
00:09:16,090 --> 00:09:19,090
This is pretty, pretty genuine.

114
00:09:19,120 --> 00:09:26,590
This is there's nothing wrong with it, but there's something very special just after it is equal to

115
00:09:26,590 --> 00:09:27,100
one.

116
00:09:27,130 --> 00:09:27,490
Right.

117
00:09:27,820 --> 00:09:34,000
There's a single column column or one is equal to one.

118
00:09:34,360 --> 00:09:46,050
That means so be the data of one or where or information where one is equal to one that mean someone

119
00:09:46,090 --> 00:09:54,040
will be converting to an equal footing and will be giving to the database, will be going in very deep

120
00:09:54,040 --> 00:09:57,970
about what exactly the square you can do in much more detail.

121
00:09:58,150 --> 00:09:59,120
But just under that.

122
00:09:59,140 --> 00:09:59,640
Understand.

123
00:10:00,300 --> 00:10:05,160
One is equal to one, as will be to always forever, right?

124
00:10:05,610 --> 00:10:08,960
So that means I am through about all the entries.

125
00:10:09,240 --> 00:10:12,540
So in that case, show me everything that matches.

126
00:10:12,540 --> 00:10:12,850
Right.

127
00:10:14,010 --> 00:10:20,160
What's going to happen is website one would be sending a query from a table where is equal to one or

128
00:10:20,160 --> 00:10:22,470
one is equal to one and then dash, dash.

129
00:10:22,470 --> 00:10:26,230
That means anything after this will be considered as a common trait.

130
00:10:27,000 --> 00:10:28,170
So that's pretty much OK.

131
00:10:28,180 --> 00:10:30,300
And that's nothing to do with that.

132
00:10:30,300 --> 00:10:31,500
But one is equal to one.

133
00:10:31,500 --> 00:10:41,220
Miss, I need just like I'm OK with all the information and do show me all the data where one is equal

134
00:10:41,220 --> 00:10:43,280
to one where all the entries are true.

135
00:10:43,440 --> 00:10:50,130
Yes, it is not just one is equal to it's equal to one but entries which are true.

136
00:10:50,400 --> 00:10:53,940
So that means in all the situation, entries will be true.

137
00:10:54,210 --> 00:11:01,190
That's why the entire information in our database will be forwarded through the malicious user.

138
00:11:01,530 --> 00:11:09,750
And that's how the ESKIL injection basically works, because you inject your malicious code into the

139
00:11:10,420 --> 00:11:11,010
query.

140
00:11:11,400 --> 00:11:13,860
And that's exactly the malicious code.

141
00:11:14,370 --> 00:11:17,300
The code is or one is equal to one.

142
00:11:17,310 --> 00:11:21,110
But you can think of is it really malicious code?

143
00:11:21,150 --> 00:11:21,570
No.

144
00:11:21,580 --> 00:11:21,880
Right.

145
00:11:22,140 --> 00:11:29,360
But you are making me if you are exploiting the schoolgoing for the malicious intent.

146
00:11:29,390 --> 00:11:29,630
Right.

147
00:11:30,120 --> 00:11:31,530
That's what it is all about.

148
00:11:31,830 --> 00:11:36,420
You need information where all the all the possibility is true.

149
00:11:37,080 --> 00:11:42,120
That's where all the all the rules will become through all the entries become true.

150
00:11:42,360 --> 00:11:45,500
And you are eligible to read all the information.

151
00:11:46,140 --> 00:11:54,930
And this user who is of malicious intent can get the all the information of the database without any

152
00:11:54,930 --> 00:11:56,130
special privileges.

153
00:11:56,680 --> 00:11:58,490
That's the sequel injection.

154
00:11:58,860 --> 00:12:06,270
So if if this information can be user database, personal information, health care records, username

155
00:12:06,270 --> 00:12:09,720
and password, this could be seen for all the user.

156
00:12:09,990 --> 00:12:17,310
And I just saw you actually on a real on our target website, how we can retrieve all the information

157
00:12:17,640 --> 00:12:25,260
and we can how we can get access to a website without even knowing the login log in it and the password.

158
00:12:25,500 --> 00:12:29,630
And it's going to work just the way I have shown you.

159
00:12:30,120 --> 00:12:33,070
So this is all about it will get you in the next session.

160
00:12:33,210 --> 00:12:33,750
Thank you.