1 00:00:12,550 --> 00:00:18,580 Hey, guys, welcome back to another episode on How to Hack, so now we'll look into the last tutorial
2 00:00:18,610 --> 00:00:20,120 on SQL injection intro.
3 00:00:20,260 --> 00:00:25,300 OK, so this is about compromising confidentiality with string SQL injection.
4 00:00:25,630 --> 00:00:29,380 OK, so again, we are on WebGoat, which is a vulnerable web application system.
5 00:00:29,900 --> 00:00:33,940 We will try out all these different kinds of attacks on it, so we can see on the left side
6 00:00:34,210 --> 00:00:38,770 all these are the different stories that we'll be doing as part of a web application penetration testing
7 00:00:38,770 --> 00:00:39,230 series.
8 00:00:39,940 --> 00:00:43,250 So compromising confidentiality with string SQL injection.
9 00:00:43,270 --> 00:00:43,470 All right.
10 00:00:43,480 --> 00:00:44,840 So what is string SQL injection?
11 00:00:45,190 --> 00:00:50,120 So this is the payload that goes into the input form, and we are trying to break into the system.
12 00:00:50,170 --> 00:00:50,410 All right.
13 00:00:50,410 --> 00:00:53,890 So here we have an employee named John Smith.
14 00:00:53,920 --> 00:00:59,970 OK, so they work for a company and we have this current auth TAN, and so the TAN is a unique authentication.
15 00:00:59,980 --> 00:01:00,210 All right.
16 00:01:00,220 --> 00:01:05,500 So here you can think of it kind of like a password or a one-time password that is sent to a mobile
17 00:01:05,500 --> 00:01:11,770 device as you authenticate to the different parts of a banking app or of a system.
18 00:01:12,010 --> 00:01:12,400 All right.
19 00:01:13,060 --> 00:01:18,640 So over here, we can see the query, the structured query language: select all from employees where
20 00:01:18,640 --> 00:01:24,880 last name equals, and then they have the input name, and then followed by auth underscore TAN.
21 00:01:24,940 --> 00:01:25,150 All right.
22 00:01:25,160 --> 00:01:27,490 So again, the input information over here.
23 00:01:27,940 --> 00:01:34,210 So, for example, if I enter the last name Smith, or I can copy and I can paste Smith over here, and then
24 00:01:34,210 --> 00:01:35,280 followed by the TAN.
25 00:01:35,530 --> 00:01:38,440 So go ahead and paste it and we'll get department.
26 00:01:38,650 --> 00:01:38,920 All right.
27 00:01:38,920 --> 00:01:39,880 We are able to see.
28 00:01:40,150 --> 00:01:40,540 All right.
29 00:01:41,050 --> 00:01:46,840 We are getting the user name, the first name, the last name, the department, the salary, phone number
30 00:01:46,840 --> 00:01:47,110 and so on.
31 00:01:47,110 --> 00:01:49,030 So we can get all these different details.
32 00:01:49,030 --> 00:01:49,270 Right.
33 00:01:49,780 --> 00:01:55,350 So what we are trying to do here is to retrieve all employee data from the employees table.
34 00:01:55,630 --> 00:01:56,740 So how can we do so?
35 00:01:56,880 --> 00:01:57,110 All right.
36 00:01:57,140 --> 00:02:03,280 So over here, OK, once again, going back to the previous tutorial about SQL injection, I already
37 00:02:03,280 --> 00:02:04,390 have the payload for us.
38 00:02:04,870 --> 00:02:10,450 So all we got to do, right, is to be able to pull all information and records of the system.
39 00:02:10,630 --> 00:02:13,780 OK, so that's what we can do as part of the attack.
40 00:02:13,810 --> 00:02:15,460 OK, so over here.
41 00:02:15,710 --> 00:02:16,030 All right.
42 00:02:16,030 --> 00:02:20,200 What we will do is to put, for example, or one equal one, OK?
43 00:02:20,890 --> 00:02:25,270 And this will help us immediately get the whole information out of the system.
44 00:02:25,450 --> 00:02:28,870 So we continue to have the authentication field over here.
45 00:02:29,200 --> 00:02:31,630 And all I got to do is to enter the following.
46 00:02:31,970 --> 00:02:36,320 OK, I can copy this part, this segment, and input it into our payload.
47 00:02:36,880 --> 00:02:42,940 So what we are doing is a single quote, or, OK, one equal one, followed by a semicolon, so one equal one
48 00:02:42,970 --> 00:02:43,870 is always true.
49 00:02:43,990 --> 00:02:45,560 So go ahead and click Get Department.
50 00:02:46,330 --> 00:02:46,690 All right.
51 00:02:46,700 --> 00:02:50,310 So we can, for example, get rid of the semicolon.
52 00:02:50,710 --> 00:02:52,170 OK, add the single quote again.
53 00:02:52,570 --> 00:02:52,840 All right.
54 00:02:52,840 --> 00:02:54,040 So it says you have succeeded.
55 00:02:54,400 --> 00:02:59,620 You successfully compromised the confidentiality of data by viewing internal information that you should
56 00:02:59,620 --> 00:03:00,810 not have access to.
57 00:03:00,820 --> 00:03:01,360 Well done.
58 00:03:01,420 --> 00:03:06,430 OK, so once again, we're able to pull the entire table, all the rows of information.
59 00:03:06,430 --> 00:03:12,460 And in one of the previous tutorials, in the lessons, we actually added in an extra column, phone.
60 00:03:12,590 --> 00:03:12,880 All right.
61 00:03:12,880 --> 00:03:18,160 Into the database system, so we can see the user name, the first name, last name, department, salary and
62 00:03:18,160 --> 00:03:19,270 all these different details.
63 00:03:19,600 --> 00:03:23,520 OK, so once again, going back to the basics, you have the input forms.
64 00:03:23,530 --> 00:03:30,080 So do test them first for susceptibility to SQL injection or to different kinds of payloads.
65 00:03:30,160 --> 00:03:35,710 So there are different kinds of payloads already available, and a lot of these payloads are available out
66 00:03:35,710 --> 00:03:39,400 of the box, so you can just input them into the system to test
67 00:03:39,400 --> 00:03:41,800 whether they're sanitizing the input or not.
68 00:03:41,890 --> 00:03:44,080 OK, so that's how we actually run the attack.
69 00:03:44,140 --> 00:03:44,350 All right.
70 00:03:44,350 --> 00:03:45,310 So we've got the employee.
71 00:03:45,730 --> 00:03:47,070 We've got the authentication.
72 00:03:47,110 --> 00:03:47,330 All right.
73 00:03:47,400 --> 00:03:52,390 So, and of course, you can map it back to the structured query language here, or you can build it on your
74 00:03:52,390 --> 00:03:52,670 own.
75 00:03:52,690 --> 00:03:58,990 Think about how they are developing the web application system to actually pull all these different records
76 00:03:58,990 --> 00:04:02,750 and how they check for all this different table information.
77 00:04:02,770 --> 00:04:02,980 All right.
78 00:04:02,990 --> 00:04:07,000 And then after which, you can create your payload to inject into the system.
79 00:04:07,450 --> 00:04:07,750 All right.
80 00:04:07,750 --> 00:04:08,940 So now let us continue.
81 00:04:09,520 --> 00:04:09,970 All right.
82 00:04:10,090 --> 00:04:11,350 Into lesson 12.
83 00:04:11,470 --> 00:04:14,980 OK, so we have compromising integrity with query chaining.
84 00:04:15,460 --> 00:04:22,840 OK, so again, CIA: confidentiality, integrity and availability. Confidentiality, meaning can
85 00:04:22,840 --> 00:04:28,000 someone who is unauthorized be able to view confidential data, financial information, which they
86 00:04:28,000 --> 00:04:29,620 have no rights to access?
87 00:04:29,860 --> 00:04:30,160 All right.
88 00:04:30,160 --> 00:04:32,100 Integrity is about changing the data.
89 00:04:32,260 --> 00:04:35,740 How are we monitoring changes to the database system, to the file systems?
90 00:04:36,040 --> 00:04:37,330 And finally, availability.
91 00:04:37,570 --> 00:04:39,680 Is it subjected to a denial of service attack?
92 00:04:39,880 --> 00:04:41,830 Can we shut down the entire system?
93 00:04:42,070 --> 00:04:48,460 So those are the different kinds of traits of CIA, which are the fundamentals of cybersecurity.
94 00:04:48,670 --> 00:04:55,990 OK, so query chaining allows us to add additional instructions into the query.
95 00:04:56,260 --> 00:05:02,770 So rather than just pulling information out, can we do further different types of structured query language
96 00:05:02,770 --> 00:05:05,050 to inject into the web application system?
97 00:05:05,240 --> 00:05:05,450 All right.
98 00:05:05,470 --> 00:05:07,630 So once again, we have Smith.
99 00:05:07,630 --> 00:05:07,990 All right.
100 00:05:08,050 --> 00:05:09,640 I can copy the information here.
101 00:05:09,640 --> 00:05:10,040 And I have
102 00:05:10,780 --> 00:05:14,700 the TAN, which is the authentication. Click Get Department.
103 00:05:14,770 --> 00:05:18,250 All right, so we are looking again at the normal way of how it works.
104 00:05:18,550 --> 00:05:25,200 And we can see over here we have the user ID, first name, last name, department, salary, auth TAN.
105 00:05:25,210 --> 00:05:25,450 All right.
106 00:05:25,470 --> 00:05:30,470 And OK, so we can see all the details of employee name, authentication and so on.
107 00:05:30,940 --> 00:05:35,440 So, of course, what we are doing, as you have seen from the previous lesson, OK, what we can do
108 00:05:35,440 --> 00:05:39,220 is we can inject information into the input forms.
109 00:05:39,280 --> 00:05:39,520 All right.
110 00:05:39,520 --> 00:05:40,820 So I already have the payload here.
111 00:05:41,410 --> 00:05:44,440 So what we can do again is to copy the following.
112 00:05:44,800 --> 00:05:49,240 OK, we can copy the following and I can paste it, and I'll explain to you what it all means.
113 00:05:50,050 --> 00:05:56,130 So first of all, we are closing, OK, the password, and or one equal one, which is always true.
114 00:05:56,140 --> 00:05:58,300 OK, or you can just close it directly.
115 00:05:58,750 --> 00:06:00,640 And we have the following command.
116 00:06:00,640 --> 00:06:01,330 We have update.
117 00:06:01,430 --> 00:06:01,690 All right.
118 00:06:01,690 --> 00:06:06,130 Which is structured query language, and we have update employees.
119 00:06:06,370 --> 00:06:12,610 So we're updating the table employees and we are setting the salary to a specific number.
120 00:06:12,910 --> 00:06:14,860 So we're setting it to eighty-five thousand.
121 00:06:15,030 --> 00:06:22,510 OK, and we have where user ID equal, OK, to this specific user ID which we have over here.
122 00:06:22,510 --> 00:06:22,810 Right.
123 00:06:23,140 --> 00:06:26,880 So once you have all these different details, you can go in and Get Department.
124 00:06:27,010 --> 00:06:27,330 Go ahead.
125 00:06:27,340 --> 00:06:34,150 Click on that, and immediately we're able to, firstly, pull out all information of the table.
126 00:06:34,150 --> 00:06:36,220 And secondly, we've updated.
127 00:06:36,370 --> 00:06:36,670 All right.
128 00:06:36,670 --> 00:06:39,790 A system with a new salary number, as you can see over here.
129 00:06:39,850 --> 00:06:40,120 All right.
130 00:06:40,120 --> 00:06:43,150 So we've updated Smith's salary numbers.
131 00:06:43,150 --> 00:06:47,850 So that's how we are able to violate the integrity section of the CIA
132 00:06:47,860 --> 00:06:48,310 triad.
133 00:06:48,370 --> 00:06:54,930 OK, so let's go back up and go into the final lesson, lesson 13, which is compromising availability,
134 00:06:54,940 --> 00:06:57,760 meaning can we shut down the database system?
135 00:06:57,970 --> 00:07:02,500 Can we drop the table so that no one has access into the system?
136 00:07:02,580 --> 00:07:07,900 OK, so over here, what we are seeing is that now that you're the top earner in your company, but
137 00:07:07,900 --> 00:07:08,650 do you see that?
138 00:07:08,800 --> 00:07:09,100 All right.
139 00:07:09,110 --> 00:07:11,800 There seems to be an access_log table.
140 00:07:11,800 --> 00:07:17,620 So access_log actually stores all these different changes to the database, and you actually log down
141 00:07:17,650 --> 00:07:23,050 all those things so that it can be used for audit purposes and to look back at what happened to the
142 00:07:23,050 --> 00:07:24,430 changes in the database system.
143 00:07:25,090 --> 00:07:30,370 So first of all, we have over here drop table access_log, so we can copy this.
144 00:07:30,730 --> 00:07:33,260 And let me explain to you what this payload means, first of all.
145 00:07:33,640 --> 00:07:36,400 OK, so firstly, we're entering a
146 00:07:37,790 --> 00:07:43,370 percentage sign, OK, so this would actually help us complete the query, and then after that, we
147 00:07:43,370 --> 00:07:48,260 are ending the instruction here and we have a semicolon, and it's followed by a new instruction, which
148 00:07:48,260 --> 00:07:52,760 is drop table, and we're dropping a specific table, access underscore log.
149 00:07:52,940 --> 00:07:56,660 OK, so this will immediately help us see all those details.
150 00:07:57,060 --> 00:08:03,520 And of course, before I even do drop table, I can actually enter, for example, select all from access
151 00:08:03,560 --> 00:08:09,620 log to perhaps even view information inside this particular table, so we can actually go ahead and enter
152 00:08:09,620 --> 00:08:09,890 that.
153 00:08:10,220 --> 00:08:12,940 And this would help us see some details about the table.
154 00:08:12,950 --> 00:08:18,710 So over here, we can see all of the queries that have been sent into the database system.
155 00:08:18,710 --> 00:08:20,600 So we have select all from employees.
156 00:08:21,000 --> 00:08:24,560 OK, we have all these different details that have been sent over into the system.
157 00:08:24,830 --> 00:08:27,170 And over here we can see this particular log.
158 00:08:27,170 --> 00:08:27,380 Right.
159 00:08:27,410 --> 00:08:33,470 So we have select all from employees, and then there is an update employees set salary eighty-five
160 00:08:33,470 --> 00:08:34,170 thousand dollars.
161 00:08:34,200 --> 00:08:37,410 OK, so immediately we're able to see the log file.
162 00:08:37,460 --> 00:08:43,670 OK, so what we'll do next is to actually just copy the payload and just paste it over here.
163 00:08:43,680 --> 00:08:46,480 So what we are doing instead now is drop table.
164 00:08:46,520 --> 00:08:52,130 So this would get rid of the entire access_log table, and it's followed by double dash again.
165 00:08:52,850 --> 00:08:57,980 So double dash at the end would actually comment out all the rest of the query, allowing us to actually
166 00:08:58,160 --> 00:09:02,750 run the attack against the system immediately, so go ahead and enter Search Logs.
167 00:09:03,290 --> 00:09:09,440 And now we can see that it says we have deleted the access_log table, and we compromised the availability of the
168 00:09:09,440 --> 00:09:09,800 data.
169 00:09:10,610 --> 00:09:15,260 So once again, I hope you've learned something valuable in today's tutorial, and do like, share
170 00:09:15,260 --> 00:09:18,860 and subscribe to the channel so that you can be kept abreast of the latest cybersecurity.
171 00:09:19,310 --> 00:09:20,750 Thank you so much once again for watching.
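The three lessons in the video all come from the same coding defect: the last name, TAN and log search term are concatenated into the query text, so the single quote, `OR '1'='1'`, `;` and `--` in the input are parsed as SQL. The script below is an added example written for this transcript; it is not WebGoat's code and not the presenter's. It builds a small in-memory SQLite database with constructed rows (the table and column names, user IDs and TAN values are assumptions), replays the three payloads the video types into the form against a vulnerable, string-concatenating lookup, and then runs the same inputs through a parameterized version to show that bound parameters leave the data untouched. Because Python's `sqlite3` refuses to run more than one statement per `execute()`, the helper `run_unsafe` cuts the concatenated text into complete statements itself to stand in for a driver that accepts chained statements, which is what the lesson's database evidently does.

```python
import sqlite3

# Constructed sample data standing in for the lesson's employees and access_log tables.
# Table and column names, IDs and TANs are assumptions for this example, not WebGoat's schema.
SAMPLE_EMPLOYEES = [
    (101, "John", "Smith", "Sales", 55000, "3SL99A"),
    (102, "Jane", "Doe", "Finance", 72000, "7KX20B"),
    (103, "Bob", "Jones", "IT", 61000, "Q9M11C"),
]
SAMPLE_LOG = ["SELECT * FROM employees", "UPDATE employees SET salary = 85000 WHERE userid = 101"]


def make_db():
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (userid INTEGER PRIMARY KEY, first_name TEXT,"
                 " last_name TEXT, department TEXT, salary INTEGER, auth_tan TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_EMPLOYEES)
    conn.execute("CREATE TABLE access_log (id INTEGER PRIMARY KEY, action TEXT)")
    conn.executemany("INSERT INTO access_log (action) VALUES (?)", [(a,) for a in SAMPLE_LOG])
    return conn


def run_unsafe(conn, sql):
    """Execute concatenated query text the way a driver that accepts several
    ';'-separated statements would (the behaviour the lesson's chaining relies on).
    sqlite3 rejects more than one statement per execute(), so the text is cut into
    complete statements here; a trailing '--' comment never completes a statement
    and is therefore dropped, which is exactly what the payloads count on."""
    rows, pending = [], ""
    for piece in sql.split(";"):
        pending += piece + ";"
        if sqlite3.complete_statement(pending):  # quotes and comments are respected
            rows.extend(conn.execute(pending).fetchall())
            pending = ""
    return rows


def lookup_unsafe(conn, last_name, tan):
    # VULNERABLE: user input is pasted straight into the query text.
    sql = ("SELECT userid, first_name, last_name, department, salary FROM employees "
           f"WHERE last_name = '{last_name}' AND auth_tan = '{tan}'")
    return run_unsafe(conn, sql)


def search_log_unsafe(conn, term):
    # VULNERABLE: the same mistake in the access_log search used by the availability lesson.
    return run_unsafe(conn, f"SELECT id, action FROM access_log WHERE action LIKE '%{term}%'")


def lookup_safe(conn, last_name, tan):
    # FIXED: bound parameters; the driver never parses the input as SQL.
    sql = ("SELECT userid, first_name, last_name, department, salary FROM employees "
           "WHERE last_name = ? AND auth_tan = ?")
    return conn.execute(sql, (last_name, tan)).fetchall()


def search_log_safe(conn, term):
    # FIXED: the wildcard wrapping happens in the bound value, not in the SQL text.
    return conn.execute("SELECT id, action FROM access_log WHERE action LIKE ?",
                        (f"%{term}%",)).fetchall()


def salary_of(conn, userid):
    return conn.execute("SELECT salary FROM employees WHERE userid = ?", (userid,)).fetchone()[0]


def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row is not None


def demo():
    """Replay the three lesson payloads against the vulnerable and the fixed code paths."""
    conn = make_db()
    out = {"normal": lookup_unsafe(conn, "Smith", "3SL99A")}
    # Lesson 11 (confidentiality): the TAN field payload from the video
    tan_payload = "' OR '1'='1"
    out["confidentiality_unsafe"] = lookup_unsafe(conn, "Smith", tan_payload)
    out["confidentiality_safe"] = lookup_safe(conn, "Smith", tan_payload)
    # Lesson 12 (integrity): an UPDATE chained after the SELECT
    chain = "x'; UPDATE employees SET salary = 85000 WHERE userid = 101; --"
    lookup_safe(conn, "Smith", chain)
    out["salary_after_safe"] = salary_of(conn, 101)
    lookup_unsafe(conn, "Smith", chain)
    out["salary_after_unsafe"] = salary_of(conn, 101)
    # Lesson 13 (availability): a DROP TABLE chained after the log search
    drop = "%'; DROP TABLE access_log;--"
    search_log_safe(conn, drop)
    out["log_table_after_safe"] = table_exists(conn, "access_log")
    search_log_unsafe(conn, drop)
    out["log_table_after_unsafe"] = table_exists(conn, "access_log")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the normal lookup returning one row, the vulnerable lookup returning every employee for the `' OR '1'='1` TAN, Smith's salary changing only on the vulnerable path, and `access_log` surviving the search only on the parameterized path. One caveat on the fixed log search: binding the value stops the input from being parsed as SQL, but `%` and `_` inside it still act as LIKE wildcards, so an application that wants a literal match has to escape them (or use an `ESCAPE` clause) in addition to using parameters.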