1
00:00:01,010 --> 00:00:08,090
So we've seen how we can do some simple SQL injection, to use an OR statement

2
00:00:08,600 --> 00:00:12,020
to make all of the users true for A equals A.

3
00:00:12,360 --> 00:00:21,020
So if their username, if their user ID is one, or the value A is equal to A, then we're going

4
00:00:21,020 --> 00:00:23,160
to get their user information.

5
00:00:23,490 --> 00:00:25,820
Let's take that one step further.

6
00:00:26,300 --> 00:00:32,830
Let's see if we could get the passwords for each one of these users added in to this query.

7
00:00:33,260 --> 00:00:42,560
So instead of "one or", let's do a union select. Union is the way that we join two queries or two tables

8
00:00:42,560 --> 00:00:45,220
or even two databases together; we can union.

9
00:00:45,590 --> 00:00:48,920
So we'll do a search for all the users where the user ID equals one.

10
00:00:49,980 --> 00:00:59,790
And then we'll also do a select. We're actually typing in some SQL here: select user comma password

11
00:01:00,810 --> 00:01:04,320
from users. We just have to know a few things about the table.

12
00:01:04,320 --> 00:01:06,870
You can dig in to find some of those things.

13
00:01:06,870 --> 00:01:13,260
In fact, you can find a good tutorial on DVWA, where you can spend hours researching and you

14
00:01:13,260 --> 00:01:16,560
can dig through each one of these little capabilities piece by piece.

15
00:01:16,960 --> 00:01:24,960
But we'll come back. We'll say one, quote, space, union, space, select, and we're going to select the user

16
00:01:24,960 --> 00:01:31,200
ID, or the username, comma, the password from users.

17
00:01:31,600 --> 00:01:38,310
This is going to give us the password hash that we can then use on any website to look those up, and

18
00:01:38,310 --> 00:01:43,680
then we'll add a hash tag at the end just in case there are other things off the end of this query.
19
00:01:44,430 --> 00:01:45,810
And let's click submit.

20
00:01:46,320 --> 00:01:54,780
We've got one, single quote, space, union select user comma password from users, hash tag, and that puts anything

21
00:01:54,780 --> 00:01:56,890
else as a comment if it was at the end of the line.

22
00:01:57,390 --> 00:02:00,780
Well, let's see what this "user comma password" did.

23
00:02:01,350 --> 00:02:07,950
Oh, we got our first user, user ID one, admin and admin, but look what we got next: admin.

24
00:02:07,950 --> 00:02:11,010
And instead of a surname, we've got a password.

25
00:02:11,010 --> 00:02:18,000
So we get the username and password for Gordon, for admin, for Pablo and Smithy.

26
00:02:18,600 --> 00:02:25,440
So instead of the username, instead of the first name and last name, we've got the username and password.

27
00:02:25,950 --> 00:02:28,320
So you know what we can do with this password hash?

28
00:02:28,320 --> 00:02:29,610
We copy one of these.

29
00:02:30,610 --> 00:02:37,240
We come to any of the hash cracking sites. We can go to Hash Killer, we can go to MD5 Online,

30
00:02:37,930 --> 00:02:41,350
we paste the hash and click decrypt.

31
00:02:41,770 --> 00:02:43,840
And of course, that was the hash of "password".

32
00:02:43,840 --> 00:02:46,150
We knew that; it means the password was "password".

33
00:02:46,590 --> 00:02:50,860
We can pick a different hash cracker like CrackStation.

34
00:02:53,000 --> 00:02:59,260
Come back to DVWA and let's select Gordon B's password hash. We copy that.

35
00:02:59,710 --> 00:03:00,250
Pardon me.

36
00:03:01,840 --> 00:03:07,660
Of course, there's another MD5 decoder, and we can see that it's abc123, just

37
00:03:07,660 --> 00:03:12,270
from doing a Google search, so that one turns out to be abc123.

38
00:03:12,280 --> 00:03:15,430
But let's choose one of our other users, Pablo Picasso.
39
00:03:16,360 --> 00:03:22,610
Let's see how hard his password is. Copy it, we'll come to CrackStation and paste it, and we have to

40
00:03:22,610 --> 00:03:23,750
do another captcha.

41
00:03:24,290 --> 00:03:33,140
And that took just a quick second and says that that hash is "letmein", so we could use pablo and

42
00:03:33,140 --> 00:03:36,220
letmein as the password if we log in to DVWA.

43
00:03:36,230 --> 00:03:42,350
So I'll open it up in another browser, go to ten dot dot three top five.

44
00:03:43,040 --> 00:03:44,420
Come to DVWA.

45
00:03:46,260 --> 00:03:53,280
And let's go back and see that username that was pablo, and his password is letmein, so let's try

46
00:03:53,280 --> 00:03:57,570
it: pablo and letmein.

47
00:03:58,560 --> 00:04:04,580
And I am in to our darn vulnerable web app as Pablo.

48
00:04:05,100 --> 00:04:05,850
Wow.

49
00:04:06,180 --> 00:04:13,800
So a little bit of SQL injection allowed us to get the usernames and passwords.

50
00:04:14,370 --> 00:04:21,600
And you can see, because these are just maybe five hashed passwords, they're pretty fast and easy to

51
00:04:21,600 --> 00:04:22,000
crack.

52
00:04:22,020 --> 00:04:27,190
In fact, you can probably tell what Smithy's password is just by comparing it to the admin password.

53
00:04:27,630 --> 00:04:30,930
Notice the MD5 hash of both of those is the same.

54
00:04:31,290 --> 00:04:39,150
That means we could log in as Smithy: log out and come in as Smithy using the same password.

55
00:04:40,050 --> 00:04:40,980
We're logged in.

56
00:04:42,340 --> 00:04:48,750
As Smithy. So we've already seen that these two main attacks, cross-site scripting and SQL injection,

57
00:04:48,760 --> 00:04:51,880
both give us way too much power as an attacker.

58
00:04:52,600 --> 00:04:57,670
In the last lesson, the final lesson of this section, we're going to see how to

59
00:04:57,670 --> 00:05:01,540
protect our web server from those types of attacks.
60
00:05:02,350 --> 00:05:04,600
I'll go ahead and mention one other thing here.

61
00:05:04,690 --> 00:05:11,190
If we had a really insecure database, we might even be able to do something like this: one, quote, semicolon,

62
00:05:11,200 --> 00:05:16,780
drop table users.

63
00:05:17,290 --> 00:05:23,080
And this will not work on DVWA, I don't believe, but what it will allow us on a really insecure database

64
00:05:23,080 --> 00:05:28,570
is called a stacked query, where we have one query, semicolon, another query.

65
00:05:29,140 --> 00:05:33,670
So if I drop table users, and let me put a hash tag at the end just in case there's any extra stuff

66
00:05:33,670 --> 00:05:40,180
at the end of that MySQL command, and click submit, we can see if we're still able to pull admin in, in spite of

67
00:05:40,180 --> 00:05:41,710
drop table users.

68
00:05:41,710 --> 00:05:42,450
Probably didn't work.

69
00:05:42,460 --> 00:05:45,490
We can check just by clicking another user ID, say three.

70
00:05:45,850 --> 00:05:48,700
So drop table users did not work in this case.

71
00:05:49,030 --> 00:05:54,250
But that is a really destructive thing that can happen on a web server if we're not looking for it.

72
00:05:54,850 --> 00:05:59,980
Like I said, we'll see how to protect against cross-site scripting and SQL injection in the next

73
00:05:59,980 --> 00:06:00,460
lesson.