1
00:00:12,580 --> 00:00:15,110
Hey, guys, welcome back to another episode on How to Hack.

2
00:00:15,610 --> 00:00:17,410
So here we are, a beautiful day, too.

3
00:00:17,590 --> 00:00:21,010
All right, so this is the Open Web Application Security Project

4
00:00:21,010 --> 00:00:25,170
Mutillidae, to help us learn about web application vulnerabilities.

5
00:00:25,540 --> 00:00:31,670
So in today's tutorial, we're going to look at how we can actually pull out information from the database.

6
00:00:31,990 --> 00:00:35,290
So over here, we can go in and click under Login and Register.

7
00:00:35,540 --> 00:00:35,980
All right.

8
00:00:36,190 --> 00:00:39,370
And we can go ahead and click under "Please register here".

9
00:00:39,640 --> 00:00:44,750
And I want to highlight some really important points when we're trying to pull information from a database.

10
00:00:44,950 --> 00:00:51,700
So not all the time are you able to, for example, do a search, where you can then do an

11
00:00:51,700 --> 00:00:53,230
injection of your payloads.

12
00:00:53,920 --> 00:01:01,480
So sometimes a lot of web application servers or services allow us to create user accounts on the website.

13
00:01:02,050 --> 00:01:06,520
So in this case, we have the username field, which is usually static.

14
00:01:06,730 --> 00:01:12,430
So usernames don't change, and your password field, which is usually inserted and only updated on the

15
00:01:12,430 --> 00:01:12,880
database.

16
00:01:12,930 --> 00:01:16,550
And so, again, you may not be able to retrieve the password at all.

17
00:01:16,570 --> 00:01:20,640
So it's just an INSERT INTO, and it's just verifying at the back end.

18
00:01:20,650 --> 00:01:24,100
So you have no idea and have no way of retrieving back the password.

19
00:01:24,370 --> 00:01:24,790
All right.
20
00:01:25,060 --> 00:01:30,820
But one really important way that you could utilize is to look at what kind of data is usually queried

21
00:01:31,390 --> 00:01:36,490
from the database back to the web application server and then being displayed for the user.

22
00:01:36,550 --> 00:01:42,300
So in this case, we have the signature field, so the signature field is usually dynamic.

23
00:01:42,340 --> 00:01:48,310
So users are allowed to change the signature, which is an INSERT INTO query into the database.

24
00:01:48,790 --> 00:01:54,670
And at the same time, when a user views your profile, it will be able to do a SELECT FROM signature

25
00:01:54,700 --> 00:01:58,900
so that you will then be able to retrieve those data as a result of that.

26
00:01:59,200 --> 00:01:59,530
All right.

27
00:01:59,530 --> 00:02:06,070
The signature field is going to be very important for us to be able to get certain values, data, out

28
00:02:06,460 --> 00:02:08,200
of the database, or information.

29
00:02:08,330 --> 00:02:14,590
OK, so what we can do is, the first thing is to try all sorts of payloads to see how and whether you are

30
00:02:14,590 --> 00:02:19,840
able to bypass the mechanisms that are used to protect the registration page.

31
00:02:19,870 --> 00:02:25,510
So it could be a web application firewall doing the filtering, it could be security mechanisms on the

32
00:02:25,510 --> 00:02:26,320
application server.

33
00:02:26,320 --> 00:02:32,690
And so we can go and enter like single quote, hash, double slash, dash and so on.

34
00:02:32,690 --> 00:02:32,820
Right.

35
00:02:32,830 --> 00:02:40,240
So we try all these different kinds of payloads to bypass the database, bypass the logic, in order to

36
00:02:40,240 --> 00:02:42,550
gain access into the database.

37
00:02:42,580 --> 00:02:44,010
So go ahead, click Create Account.

38
00:02:44,920 --> 00:02:46,990
And of course, we have the error message here.

39
00:02:47,050 --> 00:02:47,300
All right.
40
00:02:47,390 --> 00:02:53,470
It states the following: error number 1064, you have an error in your SQL syntax, and so on.

41
00:02:54,010 --> 00:02:59,260
And of course, the best part for your learning is that it even showcases to us what kind of query

42
00:02:59,260 --> 00:03:03,430
is being injected from the web application server into the database.

43
00:03:03,610 --> 00:03:09,310
So this is very helpful in helping us understand what kind of query is sent from the web application

44
00:03:09,310 --> 00:03:14,500
server into the database. Over here, it says INSERT INTO account.

45
00:03:14,500 --> 00:03:16,540
So they are inserting a new row.

46
00:03:16,720 --> 00:03:16,960
All right.

47
00:03:17,020 --> 00:03:21,880
With the following values into the following columns, which is the username column, the password

48
00:03:21,880 --> 00:03:23,850
column and the signature column.

49
00:03:23,860 --> 00:03:25,240
So all these are column names.

50
00:03:25,840 --> 00:03:26,140
All right.

51
00:03:26,150 --> 00:03:33,610
So what we can do next is to copy, to copy and paste it into, say, a Notepad or a Mousepad.

52
00:03:34,330 --> 00:03:39,190
So another thing I want to highlight is that the majority of the time in the real world, when you're doing

53
00:03:39,190 --> 00:03:45,430
a bug bounty or a web application penetration test, you're not going to get that kind of details

54
00:03:45,430 --> 00:03:46,600
in terms of error messages.

55
00:03:46,960 --> 00:03:47,710
What are you going to get?

56
00:03:47,830 --> 00:03:52,020
Chances are, just an error message and an error page.

57
00:03:52,070 --> 00:03:52,800
OK, and that's it.

58
00:03:53,050 --> 00:03:54,940
So then how can we verify, to test it out,

59
00:03:54,950 --> 00:03:55,750
that the payload is working?

60
00:03:56,140 --> 00:04:01,240
So you use one very common method, which is to put the database to sleep.
61
00:04:01,660 --> 00:04:04,080
So you let the database sleep for, say, five seconds.

62
00:04:04,450 --> 00:04:04,810
All right.

63
00:04:04,990 --> 00:04:09,880
And when the response only comes back to you after five seconds, then it means your payload is working.

64
00:04:10,090 --> 00:04:11,930
You have access, right?

65
00:04:11,950 --> 00:04:15,490
You managed to bypass these protection mechanisms.

66
00:04:15,520 --> 00:04:16,420
All right, meaning

67
00:04:16,420 --> 00:04:18,820
they failed to sanitize the input.

68
00:04:18,880 --> 00:04:23,290
OK, so what we can do next is we can go ahead and copy the following payload.

69
00:04:23,290 --> 00:04:25,980
And let me explain to you what all the payloads mean.

70
00:04:26,020 --> 00:04:26,380
All right.

71
00:04:26,830 --> 00:04:30,040
So we can go ahead and copy the payload into the username field.

72
00:04:30,220 --> 00:04:33,520
So we have the following: X, X and database().

73
00:04:33,880 --> 00:04:39,960
So we have X as username and password, and database() to be inserted into the signature field.

74
00:04:39,980 --> 00:04:44,680
So go ahead and click Create Account, and it states the following: Account

75
00:04:44,680 --> 00:04:47,720
created. One row inserted.

76
00:04:47,760 --> 00:04:48,050
Right.

77
00:04:48,520 --> 00:04:52,120
So go to OWASP 2017, A1 Injection (SQL),

78
00:04:52,120 --> 00:04:59,500
SQLi Extract Data, click onto User Info (SQL). Right, so go ahead, enter the name as well as the password

79
00:04:59,500 --> 00:05:01,330
and click View Account Details.

80
00:05:01,510 --> 00:05:01,870
All right.

81
00:05:02,380 --> 00:05:07,210
So right here, we can find out now the database name is mutillidae.

82
00:05:07,720 --> 00:05:08,110
All right.

83
00:05:08,470 --> 00:05:09,870
So what else can we do?
84
00:05:10,530 --> 00:05:16,350
So going back to "Please register here", we can also do the following, so we can insert the following to

85
00:05:16,350 --> 00:05:18,350
get the version of the database.

86
00:05:18,720 --> 00:05:25,050
So go ahead and enter the following: X as username and password, and version().

87
00:05:25,060 --> 00:05:27,510
OK, and at the back, as you can see here.

88
00:05:27,540 --> 00:05:27,810
All right.

89
00:05:27,810 --> 00:05:30,390
We have a double dash followed by space dash.

90
00:05:30,590 --> 00:05:36,060
So, again, we can end a SQL query with, depending on what kind of database version you're

91
00:05:36,060 --> 00:05:38,630
running, it could be a semicolon, for example.

92
00:05:38,670 --> 00:05:38,970
Here we go.

93
00:05:38,970 --> 00:05:41,160
Double dash followed by space dash.

94
00:05:41,490 --> 00:05:43,690
It could be a double slash and so on.

95
00:05:43,710 --> 00:05:47,060
So all those are different ways for us to end the query.

96
00:05:47,340 --> 00:05:49,020
So go in and click on the Create Account.

97
00:05:49,620 --> 00:05:54,000
So in this case, we see the following: Account created. One row inserted.

98
00:05:54,210 --> 00:05:59,780
So go to OWASP 2017, A1 Injection (SQL), SQLi Extract Data, click onto User Info.

99
00:06:00,570 --> 00:06:05,190
So right here again I can enter X, followed by X, and View Account Details.

100
00:06:05,400 --> 00:06:07,110
So right here we can see the following.

101
00:06:07,560 --> 00:06:08,580
We have the

102
00:06:09,920 --> 00:06:14,570
signature, all right, that actually reflects the version of the database.

103
00:06:14,600 --> 00:06:18,590
All right, or possibly, all right, a version of the operating system.

104
00:06:18,590 --> 00:06:22,430
So, again, depending on what kind of database you're running.

105
00:06:22,460 --> 00:06:22,730
All right.

106
00:06:22,730 --> 00:06:27,800
That will allow us the ability to view those data through the queries.
107
00:06:28,040 --> 00:06:30,740
So, once again, I hope you've learned something valuable in today's tutorial.

108
00:06:30,740 --> 00:06:35,030
And if any questions, feel free to leave a comment below and I'll try my best to answer any questions.

109
00:06:35,060 --> 00:06:39,650
And do like the channel so that you can be kept abreast of the latest cybersecurity

110
00:06:39,680 --> 00:06:41,600
tutorials. Thank you so much once again for watching.
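The registration-form INSERT the video walks through, as an added example that is not from the video or from Mutillidae: a Python/SQLite mock-up of the concatenated INSERT beside its parameterized form, plus the profile SELECT that reflects the stored signature back to the viewer. The table and column names, the payload string, and the use of SQLite's sqlite_version() in place of MySQL's database()/version() are assumptions made for this example.

```python
import sqlite3

# Constructed input mirroring the video's registration payload: the username
# field closes the VALUES list early and comments out the rest of the statement.
# The video uses MySQL's database()/version(); SQLite has neither, so the
# equivalent sqlite_version() is used here (an assumption, not from the video).
PAYLOAD = "X', 'X', sqlite_version()) -- "
EXPECTED_VERSION = sqlite3.sqlite_version  # what a leaked signature would contain


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    return con


def register_vulnerable(con, username, password, signature):
    # String concatenation: the username value becomes part of the SQL grammar,
    # so a quote in it ends the literal and the rest is executed as SQL.
    sql = ("INSERT INTO accounts (username, password, signature) VALUES ('"
           f"{username}', '{password}', '{signature}')")
    con.execute(sql)


def register_safe(con, username, password, signature):
    # Bound parameters: every value is data, never SQL, regardless of quotes.
    con.execute("INSERT INTO accounts (username, password, signature) VALUES (?, ?, ?)",
                (username, password, signature))


def view_profile(con, username):
    # The profile page's SELECT is where injected data comes back out
    # (second-order: the INSERT itself returns nothing to the attacker).
    return con.execute("SELECT username, signature FROM accounts WHERE username = ?",
                       (username,)).fetchone()


def demo(register):
    con = make_db()
    register(con, PAYLOAD, "pw", "hello")
    # Vulnerable path stores username 'X' with the DB version as signature;
    # safe path stores the whole payload string literally as the username.
    return view_profile(con, "X") or view_profile(con, PAYLOAD)
```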