[00:00:12] Hey, guys, welcome back to another episode on How to Hack, so we'll be continuing from the previous tutorial on WebGoat. WebGoat is a vulnerable web application system, and we actually stopped at lesson number four. So let's move on into lesson number five of SQL Injection Intro. So go in and click on number five. All right. Over here we have what we call data control language. So it is used to create privileges to allow users to access and manipulate different parts of the database. Of course, over here we have SQL injection that could help us do, for example, granting of user accesses to different parts of the database, revoking certain privileges of the user using the REVOKE command. All right. So, of course, over here we have an example of GRANT CREATE TABLE to a specific operator. So this allows the operator to create tables inside the database system. And, of course, here what we're going to do as an exercise is to grant to a user group, an unauthorized user, the right to alter tables. So there is such an instruction that allows us to do so. So over here we have what we call GRANT ALTER TABLE to the unauthorized user; I'm going to paste it here. So what we do is we are granting the privilege to alter tables inside the database system, and we are providing this authority to an unauthorized user.
[00:01:38] So go ahead and click submit and we would have congratulations. All right. Congratulations. We have successfully completed the assignment. OK, so this is granting of the privileges to users to different parts of the database or to different commands, issuance of commands. So going to lesson number six. So now we have understood what some fundamental Structured Query Language instructions are. We can now move on to SQL injection. OK, and this is what we are trying to do here as part of the tutorial: how can we bypass the boolean operators, the logic of the database system, and try to gain access, all right, into the database, pull specific records, pull out the entire table of information and so on. This happens when input is not sanitized, so allowing hackers to bypass the original intention of those applications that are used for input forms, that are used to do searching, authentication. So we have examples of SQL injection over here. So we have the SQL query to retrieve user information from the database. Okay, so this is how, all right, a web application server would call the database to retrieve information, so we have select all from users where name equals.
[00:02:57] So this will allow them to enter, for example, the user name, and then after which the user name is inserted from the browser into the web application server and into the database to retrieve those records. And for example, over here we have the variable username. It holds input from the client and injects it into the query. So we have select all from users where name is specifically over here. So, for example. All right. So this is really a wonderful instruction and demonstration of how it looks, OK, so if we enter, for example, Smith. All right. To actually help us fill in the information here, and we can see select all from users where name is equal to Smith. So immediately we'll be able to pull information for this particular row, and over here, OK, so what the hackers can do is they can perform further attacks on the input form. So here, for example, we have Smith and we have a single quote. So this ends the instruction here. And what happens is we can enter OR, followed by single quote 1 equal single quote 1. So this ends the instruction. OK, so over here, select all from users where name is equal to Smith or 1 is equal to 1. So what does this mean? All right. So this will return all entries from the users table.
[00:04:15] Why? Because OR 1 equal 1 will always be true. And if it is always true, it means that we will always get a result back coming in from the system. OK, so over here, like once again, OK, we have a second one, right. Smith, all right, OR 1 equal 1 followed by semicolon and double dash. All right. So what this means is that this will actually also help return us all forms of entries from the users table. And the second-last one over here, we put in Smith and we end the SQL query and we open up a new query: DROP TABLE users. OK, so this would delete away all those user database, all right, all the users table. And finally, we have truncate audit log followed by double dash again, and again, the purpose of the double dash is to comment out every other query instruction that comes after, all right, the semicolon. All right, so that's the whole idea of double dash. OK, so this again helps us chain multiple SQL commands and deletes the users table, as well as entries from the audit log. OK, so now let us go ahead and move on to lesson number seven. OK, so consequences of SQL injection. All right. A SQL injection,
[00:05:29] once it manages to bypass the intended use of the SQL query, the well-structured query, it can help us shut down the database, pull out records of users, do all sorts of data manipulation, revoking of user grants, granting of permissions and so on, and so they can spoof data, tamper with existing data and all these things, such that they could literally take control of the database itself. So we can go to lesson eight now, and severity of SQL injection. So how can we control it? All right. So it depends on the attack scale. So a lot of times, if you look at the previous tutorials, where we were targeting a vulnerable system and we were able to input all this injection, SQL injection works not just for web application systems. It could also work for mobile applications. Ultimately, mobile applications have to connect to some sort of database system or an application server via application programming interfaces that will then connect to a database system. So either way, we still have to query into a database system, pull out records, cross check records, and they can also be subjected to SQL attacks, SQL injection attacks. And of course, we also have different types of databases. So you have Microsoft Access, MySQL, Oracle databases, Microsoft SQL databases.
[00:06:52] And what we can do is, of course, depending on the database type, we will also need to amend and adjust our instructions accordingly as we put SQL injection into these systems. All right. And it can also be more common in systems using classic ASP, ColdFusion and some of the older languages where they do not try to sanitize input or have some form of protection against those types of attacks. OK, all right. So moving on to lesson number nine. All right. So we are going to do a string SQL injection. OK, so over here we have the idea of how the SQL queries run, right. So we have select all from user data where first name is John and last name, OK, so the user will input a last name. So this is the input box that would come in from the attacker or from the user. All right. So over here we have select all from user. OK, so John, and we have Smith. So what we are trying to do is to pull out all those records. So if I click on Get Account Info, it says no results match. So we have to find out in what ways we are able to get those details. So right over here I've already created and saved those details for us. So we have Smith followed by a single quote, OR 1 equal 1. OK, so over here, Smith with a single quote.
[00:08:12] So what this does is that it ends, all right, it ends the structured query language here, and then over here with OR 1 equal 1. So what we've got to do is to have single quote 1 equal single quote 1. All right. So go ahead and click Get Account Info. And once you do so, all right, we'll be able to get details of all of the query. OK, so over here, this is the one. So Get Account Info. You have succeeded. User ID, first name, last name, credit card number, credit card type, cookie and login. All these details are being pulled out immediately once you run the attack. OK, so over here on the left side, we have the user ID. So again, as mentioned earlier in a previous tutorial, behind every web application system, mobile application you have, like, an Excel sheet that is running. All right. So it's rows and columns, and we can see all of those details over here. All right. So moving on to lesson number ten, OK? In lesson ten, so we have numeric SQL injection. OK, numeric SQL injection in this case. All right. It gives us a warning. So, of course, the ultimate goal is to retrieve all the data from the users table.
[00:09:19] And we're warned that only one of these fields is susceptible to SQL injection. You need to find out which to successfully retrieve all the data. And so I can enter, for example, one, and then followed by user ID one, and click Get Account Info. So we're just testing out what the normal expected behavior from the web application system is as we inject different kinds of payloads. All right. So this is important as a start, understanding what the purpose of the input form is. OK, and moving on. All right. So we can see over here, all this is what we call numeric SQL injection. OK, so what can we do next? So I've already created a payload here. All right. So we have, for example, 1 OR, OK, single quote 1 single quote equal single quote 1, followed by a single quote again. All right. So let's copy these details. All right. The payload, and the, the idea is we are trying to check, all right, which of these is actually vulnerable: is it the login count or is it the user ID? So we've got two input forms. So we need to test which one of them is susceptible. So go in and Get Account Info: could not parse. And if I do it on the second, user ID, Get Account Info.
[00:10:29] All right. So we got an error message. So error messages are also very important as part of the response coming in from your payloads that get injected, and it could show us whether they are vulnerable or not. OK, so taking account of the error messages is going to be important as part of validating whether this SQL injection will work or not. All right. So now we can go ahead and enter the following and click Get Account Info. All right. So we have identified, of course, user ID is the one that is susceptible to SQL injection. So which is why we put our payload into the user ID, whereas for login count, we continue to place a proper input into the login count, which is not susceptible to attack. All right. So over here, immediately we are able to get the whole table: our user ID, first name, last name, credit card number, credit card type, cookie, login count, all these different data points. OK, so all this, the entire table of information has been retrieved. All right. So we've done, we're going to pause here, and we will continue with this tutorial in the subsequent video. OK, so once again, I hope you've learned something valuable.
[00:11:35] And if you like what you've just watched, remember to like, share and subscribe to the channel so that you can be kept abreast of the latest cyber security. Thank you so much once again for watching.