1
00:00:00,180 --> 00:00:08,610
We found the SQL injection vulnerability and saw the entire table's name and surname values in one go.

2
00:00:08,940 --> 00:00:11,850
So if we can do this, what else can we do?

3
00:00:12,530 --> 00:00:19,260
sqlmap is a little bit complicated, but a very powerful command line application to exploit

4
00:00:19,260 --> 00:00:21,240
SQL injection vulnerabilities.

5
00:00:21,630 --> 00:00:28,000
You can download and use this free application on any platform, and it's embedded into Kali Linux.

6
00:00:28,000 --> 00:00:34,500
sqlmap has a lot of parameters, so you can use the -h parameter to learn more.

7
00:00:35,920 --> 00:00:38,530
For now, let's build the sqlmap command.

8
00:00:39,570 --> 00:00:41,610
The first parameter is the URL.

9
00:00:42,920 --> 00:00:47,120
Since the program analyzes all the parameters, we don't need to specify them.

10
00:00:49,560 --> 00:00:52,440
But we know that the ID parameter is vulnerable.

11
00:00:53,070 --> 00:00:55,830
We can give it as the second parameter.

12
00:00:58,160 --> 00:01:04,610
Since we need to have a valid credential to reach the page in the vulnerable web application, we have

13
00:01:04,610 --> 00:01:07,160
to give sqlmap a valid cookie.

14
00:01:23,810 --> 00:01:30,170
Not necessarily, but it is better to teach sqlmap when it gets a valid result.

15
00:01:30,260 --> 00:01:38,000
In this example, we can give a static part of the valid page: first name and last name. Then we have to say what

16
00:01:38,000 --> 00:01:39,980
we want from sqlmap.

17
00:01:51,330 --> 00:02:00,690
It says the banner is 5.1.41-3ubuntu12.6-log.

18
00:02:01,260 --> 00:02:03,750
Let's ask for the current database this time.

19
00:02:05,230 --> 00:02:07,060
--current-db.

20
00:02:07,090 --> 00:02:10,810
The current database is dvwa.

21
00:02:13,210 --> 00:02:15,490
Let's list the tables of the database.
22
00:02:22,160 --> 00:02:26,300
So here we go in deep: let's dump the users table.

23
00:02:29,900 --> 00:02:36,800
It says the database management system is MySQL. Well, we already know it, so we can skip the other

24
00:02:36,800 --> 00:02:39,770
database management systems in the questions.

25
00:02:39,800 --> 00:02:42,890
The default answer is shown in all caps.

26
00:02:43,280 --> 00:02:46,310
If you hit enter, the default answer is selected.

27
00:02:46,640 --> 00:02:52,100
It says the ID parameter is vulnerable, so we can skip the other parameters at this point.

28
00:02:52,370 --> 00:02:58,400
It found hash values inside the table and asks if we want to save them for further use.

29
00:02:58,850 --> 00:03:06,380
Moreover, it offers to crack the hash values, so let's use sqlmap's default dictionary in this

30
00:03:06,380 --> 00:03:06,920
example.

31
00:03:12,610 --> 00:03:19,270
And finally, we have the dump of the users table, and the hash values are cracked.

32
00:03:19,660 --> 00:03:20,200
Good job.

33
00:03:21,930 --> 00:03:28,520
Blind SQL injection is used when a web application is vulnerable to an SQL injection,

34
00:03:29,560 --> 00:03:33,050
but the results of the injection are not visible to the attacker.

35
00:03:33,610 --> 00:03:41,440
The page with the vulnerability may not be one that displays data, but will display differently, depending

36
00:03:41,440 --> 00:03:48,970
on the results of a logical statement injected into the legitimate SQL statement called for that page.

37
00:03:49,330 --> 00:03:55,990
This type of attack has traditionally been considered time-intensive because a new statement needs

38
00:03:55,990 --> 00:04:03,130
to be crafted for each bit recovered, and depending on its structure, the attack may consist of many

39
00:04:03,130 --> 00:04:04,660
unsuccessful requests.

40
00:04:05,050 --> 00:04:09,670
Now, thankfully, there are several tools that can automate these attacks
41
00:04:09,790 --> 00:04:15,490
once the location of the vulnerability and the target information have been established. We already

42
00:04:15,490 --> 00:04:16,240
know one of them.

43
00:04:16,390 --> 00:04:17,710
It's sqlmap.

44
00:04:19,380 --> 00:04:25,680
SQL injection is a well-known attack and easily prevented by simple measures. With most

45
00:04:25,680 --> 00:04:28,710
development platforms, parameterized queries,

46
00:04:28,980 --> 00:04:35,520
also known as prepared statements, that work with parameters can be used instead of embedding user input

47
00:04:35,520 --> 00:04:36,090
in the statement.

48
00:04:36,660 --> 00:04:46,290
A placeholder can only store a value of a given type and not an arbitrary SQL fragment, and the actual

49
00:04:46,290 --> 00:04:52,140
injection would simply be treated as a strange and probably invalid parameter value.

50
00:04:52,530 --> 00:04:59,250
If the application is developed with an object-oriented programming language, using object-relational

51
00:04:59,250 --> 00:05:03,120
mapping libraries avoids the need to write SQL code.

52
00:05:03,180 --> 00:05:09,750
The ORM library, in effect, will generate parameterized SQL statements from object-oriented

53
00:05:09,750 --> 00:05:10,230
code.

54
00:05:10,680 --> 00:05:18,420
A straightforward, though error-prone, way to prevent injections is to escape characters that have a

55
00:05:18,420 --> 00:05:20,320
special meaning in SQL.
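As an added illustration of the prevention advice in the closing cues (this is editor-supplied example code, not part of the course transcript or of sqlmap), the following Python uses the standard-library sqlite3 module and a constructed in-memory users table to contrast the two query styles the narration describes: one that pastes user input into the SQL text, and one that passes it through a placeholder. The table and column names are assumptions for the demo, not the actual DVWA schema, and the injected input is the textbook tautology used only to show that the placeholder treats it as a strange, non-matching value rather than as SQL.

```python
import sqlite3

# Constructed sample input: a tautology that rewrites the WHERE clause
# when it is embedded in the statement text.
INJECTED_INPUT = "1' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create a constructed in-memory stand-in for the course's users table.

    The schema (user_id, first_name, last_name) is an assumption for the demo.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "gordon", "brown"), (3, "pablo", "picasso")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """'Before' form: user input becomes part of the SQL text.

    Whatever the caller types is parsed as SQL, so a quote character can
    terminate the literal and append its own logic to the statement.
    """
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: a placeholder carries exactly one value.

    The statement text is fixed before the value is bound, so the driver never
    interprets the input as SQL; a tautology string is just a value that no
    user_id equals.
    """
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo() -> tuple:
    """Return (rows leaked by the vulnerable form, rows returned by the safe form)
    for the same injected input."""
    conn = build_db()
    leaked = len(lookup_vulnerable(conn, INJECTED_INPUT))
    safe = len(lookup_parameterized(conn, INJECTED_INPUT))
    conn.close()
    return leaked, safe


if __name__ == "__main__":
    conn = build_db()
    print("normal input, vulnerable :", lookup_vulnerable(conn, "2"))
    print("normal input, parameterized:", lookup_parameterized(conn, "2"))
    print("injected input, vulnerable :", lookup_vulnerable(conn, INJECTED_INPUT))
    print("injected input, parameterized:", lookup_parameterized(conn, INJECTED_INPUT))
```

For an ordinary id both functions return the same single row; for the injected input the concatenated form returns every row in the table, while the parameterized form returns nothing because the whole string is compared against user_id as one value. The same separation of statement text from values is what an ORM produces under the hood when it generates parameterized statements from object-oriented code.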