OK, so now let's talk about SQL injection. This one is big. So SQL injection takes advantage of input that is used in a SQL query that's not being sanitized. So the result allows the user to execute any SQL command that they want to. And typically this will allow an attacker to dump the contents of the database that the application actually connects to, if they're able to send in the correct commands.

OK, so let's go over some basics of SQL injection. So the typical SQL query pretty much looks like this: SELECT username FROM users WHERE id = 0. We kind of went over some basics of SQL before. So this selects a specific username from the users table where the ID is equal to one. So that's typically something that you will see in an application, and some code that would actually collect the data to do this query would look like this. So it's going to make an ID variable and it's going to set it equal to the ID variable that was passed in from the GET request, and then it's going to make a query variable and it's going to say SELECT username FROM users WHERE id equals the ID. So this is pretty much exactly what we just talked about.
So if we can take advantage of how SQL interprets the input, and the fact that the application doesn't sanitize what it's given, then we can actually use the ID field to execute whatever commands we want. So I want you to take note of those single quotes that are around the ID variable. Those single quotes actually start and end a string. So knowing that, we can actually use that to test for SQL injection. So let's actually go over to the lab and try this out.

So we're back in our Kali machine. We're about to do some SQL injection. So we're going to do it manually and then we're going to do an automated version of it. So right here is the tool that is vulnerable to injection. So let's actually start to type in some stuff. So for the user ID, let's try 1. OK, that says admin. OK, 2: Gordon Brown. 3: Hack Me. Don't worry, I'm going to. So it looks like it's just taking numbers and pulling the names for the users that correspond to those numbers. So let's look at the source, check it out, see what's going on. So it's getting the ID that's passed in from the GET request, and setting this query equal to the query that I showed you guys before. And then what I want you to pay attention to right here is the ID variable that is sitting right here in these single quotes. In SQL these quotes start and stop a MySQL string, so we could potentially take advantage of that, because it looks like the code doesn't sanitize anything at all. So what we can do is actually try to test this out to see if it's vulnerable to SQL injection. So let's go back to it and put in this single quote, and that kind of breaks the query a little bit. So it gave us an error. So it says there is an error, and now we know, if we didn't know before, that this is a MySQL server. That is important for syntax stuff and the specific characters that you would use for the commands; like if it was MariaDB, MariaDB would be somewhat different, like the commands. So now we know that injection might be possible. So just really quick, this will mess you up: if you didn't set the security back to low for the app, go back to DVWA Security and set the security to low. We're not going to go to medium just yet. So let's see, user ID.
So let's try to actually put in 1, and then a single quote, and then put a space, OR 1=1, and then a pound sign. So what this is going to do: if you look at the query, it's grabbing the usernames where it equals this ID that's given. So WHERE id = 1 OR, since we broke out of the query with this single quote and then we did OR, which is also a command in MySQL, 1=1. So that's always going to evaluate to true. So this is going to pull users where the ID equals 1 or 1 equals 1, which is always true. So it's in MySQL and it's just going to pull everything in. This pound sign actually starts a comment in MySQL. So it's going to cancel out anything after this and just have it as a comment, so we have complete control. So if we submit, we just did SQL injection, and now we got it to list out all of the different users that are in there. So now we know that these users exist. We know that we can actually inject SQL. So let's actually try to do a different SQL command and actually try to pull out the different passwords.

OK, so here is the command that's actually going to allow us to pull out the passwords. So we have the 1 and then the single quote. This allows us to break out of the query and start our own query. Then we have OR 1=1. So this is going to just pull everything, since it's going to evaluate to true. Then we have UNION SELECT, which is a UNION command that combines the results from multiple SELECT statements. So we have UNION SELECT user, password. So we're going to look for the username and the password from the users table. So knowing that, then we also have the pound sign, which, as you know, creates a comment and prevents any of the other commands from running and allows us to have complete control. So we actually submit this one. Oh, crap, look at this. So now it listed all the usernames and then also a list of the usernames and their hashes. So that's pretty neat. So now we know there's a user admin. There's gordonb, there's the username 1337. So we have the hashes here as well. What we can actually do is take these hashes and put them into a list and actually crack them with something like John. So let's go do that really quickly.

OK, so I have my hashes in a file. I saved them as dvwa_hashes in the home directory. So I'm going to go over here.
And now we're going to run John on this. So I'm doing sudo john --wordlist, and now we're going to feed it the rockyou.txt wordlist, which is located in the /usr/share/wordlists directory. And this is pretty much a gigantic wordlist that has passwords from all kinds of database leaks, and most of the time it will crack passwords for you. Then we're also going to tell it the format of the hashes, which is going to be raw MD5. So we do --format=raw-md5. I don't believe it is case sensitive, but you can type it exactly like this if you want to. And then we're going to feed it the password hash file that we created, which for me is dvwa_hashes. And then hit enter. So I've already cracked this hash before, so it has already done it. So what we can do is actually sudo john --show, and then --format=raw-md5, and then dvwa_hashes, enter. So now it's going to tell us what the passwords were actually found to be. So the admin password is hacked. As you can see, I didn't put the usernames on here, but the first one was admin, so their password is hacked. gordonb is going to be abc123. 1337, their password is going to be charley. The next one is going to be letmein. The next one is password. So that's pretty neat.

So let's just try one of these, just to prove that it works. So let's see, letmein is the fourth one. So let's go back here. Pablo, so letmein. pablo, letmein, and we're able to log in. And we're in. Pablo actually has his own specific picture that comes up. So it's very neat. Now we know how to go from SQL injection to getting hashes to cracking those hashes.

OK, so we did the SQL injection manually. So now I'm going to show you how you can actually do all of that very, very quickly, automated, using sqlmap. And it's not too complicated. So we're just going to use this command right here. I'm going to walk you through it before we execute it. So what you're going to do first is type sqlmap, and then you're going to type -u, and then this is where you're going to put the host, the target host. So right here we have our address to our target machine, and it links out to the SQL page, which is this page right here, the SQL injection page.
And then we have our arguments that we're passing in, the variables that we pass in the URL, so id=1 and Submit=Submit. This is giving it the information that it needs to actually be able to test for injection. And then we're going to pass in our cookies, because remember, we need our cookie to be able to authenticate and actually get to this page; without this cookie argument it's not going to work. So we're going to do --cookie=, and then you can just come to the web browser, you can do Ctrl+Shift+K, and this is going to come up just like before, document.cookie, and it will give you that, and you can just copy and paste that into here. So it has our session ID and security=low, and then we do -b --current-db --current-user and then --dump. So what this is going to do is sqlmap is going to go through and test for injection. That's going to tell us what the current database is, like if MySQL, the dvwa DB. That's going to tell us the current database user, and then it's going to dump data from the table. So let's go ahead and execute this and see what we can get.

So once we execute it, it is asking us; it says we got a redirect. This is the URL it actually wanted to redirect us to. That's where we want to go. So just hit enter, and now it's actually going through and testing for SQL injection and everything, and specifically the database. So you can see that it found the database, dvwa, and specifically the tables. It's fetching the users table inside of that, and it's asking us now if we want to store the hashes in a temporary file. So we just hit no right here. And then it's also going to ask us if we want to crack them via a dictionary-based attack, so we can actually have sqlmap do it for us. So we say yes. And now it printed out a nice pretty table, in less than probably a minute: the users, their password hashes and the cracked version of those hashes. So sqlmap actually went through and automated the entire process very, very quickly. It found the actual injection, extracted the hashes, cracked the hashes and gave it to us in a very nice and pretty format in the table. So that's pretty neat. So that's the power of sqlmap, and that's how you can kind of automate the SQL injection process.

OK, so now we're going to do blind SQL injection. So when you do blind SQL injection, it's not always going to output errors. Let's look at the source code for this one.
We're going to see that it's a little bit different. They took out the die command that actually printed the error, so they suppressed it. This is actually decent practice, because you don't want to show users of applications errors, because it can lead to SQL injection, for example. So this was suppressed. So we can still use the application like normal. So we enter 1 like before. So if you start with 1, 2, it still works as normal. If we type in the single quote like before, we're not going to get an error. It's just going to reload the page. So now we need to figure out a way to know if our query is actually going through and such. So what we can do is a true and false test. So like before, what we did is 1, then the single quote, then OR 1=1 and a pound sign. This works. So we know that that command is actually executing, and then we can also try a false condition. So we do 1, and then OR 1=2, and we just put the pound sign on again, just to maintain control over the query and only execute what we want to execute. So now we know that since we did that, it did a false condition. So it only grabbed the user with the ID of 1. So before, with this 1=1, it grabbed everything, but since we put 1=2, it's a false condition. So it just pulled the user with the ID of 1. So we know that our queries are actually running, since these pages show different output.

So there's something called the MySQL sleep function that we can actually use, and it's pretty much a way to delay execution. And if that works, then we know that our injection is possible. So we do 1, apostrophe, then we can put in AND, and then SLEEP, and let's pass in an argument inside of here. So let's pass in ten. So this is going to make it wait ten seconds. Let's put on a pound sign, and this is going to allow us to maintain control, so it's a comment. If we submit, then it's going. So remember, before it was pretty instantaneous, but now it's actually taking time. So it's waiting ten seconds and then it's going to execute the actual command. So now we know that our SQL query is actually being executed, and blind SQL injection is possible. So in order to pull data out of here, we're going to have to use the SQL ORDER BY.
So what we're going to want to do is the 1, apostrophe. And then this is going to break; the single quote breaks it out. So let's do an ORDER BY and then 1. So what we're going to do is just slowly increment this number. This is going to show us how many columns there are in the table, for us to be able to actually pull out data accurately without running into some type of error. So let's do the exact same command, but then let's put 1, single quote, ORDER BY 2, and then put a pound sign on it. So now we know that that one works right there. So there are at least two columns. So let's do one more ORDER BY, and then let's put 3. So nothing came back this time. So we know that there are at least two columns in this table. So now we know that there are two columns. The next step is to actually dump the database table names. We can do this using a UNION command. So I have the command typed in here. So we're going to do 1, single quote, to break this out of the query, and then we're going to do UNION ALL SELECT, then we do 1 and then comma, GROUP_CONCAT, and then put table_name in there. So this is going to pretty much concatenate the table names that it finds inside of the... So the next step is FROM information_schema.tables WHERE table_schema = database(). So this is pretty much going to take the table names and concatenate them together and put it back out to us. So now we're going to be able to see what tables are actually in this database. So if we submit this command, now you can see our command put it right there, but what's interesting is that right here in the second one, under Surname, it says guestbook and users. So now we know that these two are different tables. So we know guestbook is a table and we know users is a table. So using that information, we can do something similar, and actually use the same type of command and pull out the username and password from the users table. So now that we know that the users table exists, we can actually dump the username and password from that table. So let's actually just do a similar command. So we're going to use our 1 and then single quote to break out of the query, then we're going to UNION ALL SELECT. We're going to put 1, comma, we're going to do GROUP_CONCAT again, but this time we're going to need the username and password, and then we're going to grab it from the users table. We're going to put this pound sign on and start the comment so we maintain complete control. If we submit, it gives us background information, and now we have the admin username right here. And then we have actually the password hash right here. And it's just the same as before. Same here: it has all the users and their hashes concatenated together. And you can format this a little bit better if you play with the commands, and so I actually recommend and challenge you to go do that, make this a little bit prettier, but that is typically how you can conduct a SQL injection.