1
00:00:00,150 --> 00:00:01,680
All right, now we're here.

2
00:00:01,680 --> 00:00:05,910
We're going to do our first web app attack of SQL injection.

3
00:00:05,950 --> 00:00:10,290
Now we have the account login page; make sure you navigate to that.

4
00:00:10,510 --> 00:00:15,910
And that's kind of where the hint came from on the scoreboard, and said hey, we're going to utilize the

5
00:00:16,000 --> 00:00:19,630
login feature to kind of attack SQL.

6
00:00:19,720 --> 00:00:24,910
So I kind of want to go over this and talk about what we're expecting here.

7
00:00:25,630 --> 00:00:26,860
So let's say that we log in.

8
00:00:26,860 --> 00:00:30,870
Let's turn intercept on, and let's say that we log in and we say test, test.

9
00:00:30,900 --> 00:00:31,190
Right.

10
00:00:32,380 --> 00:00:38,680
And we log in, we'll intercept that request, and for this one we're looking for the username, password.

11
00:00:38,680 --> 00:00:39,100
Here we go.

12
00:00:39,100 --> 00:00:41,120
So we've got email, password here.

13
00:00:41,530 --> 00:00:49,290
And let's go ahead and just right click and send that to Repeater, and if we try to log in it says invalid

14
00:00:49,320 --> 00:00:50,400
email, password.

15
00:00:50,520 --> 00:00:50,880
OK.

16
00:00:50,880 --> 00:00:53,270
That's fine.

17
00:00:53,370 --> 00:01:00,630
What happens though if we try to throw something malicious in here? And let's back up just a second, I

18
00:01:00,630 --> 00:01:03,480
want to cover what's going on behind the scenes.

19
00:01:03,600 --> 00:01:04,790
So what's going on?

20
00:01:04,800 --> 00:01:09,010
Let's open up a notepad.

21
00:01:09,230 --> 00:01:09,460
OK.

22
00:01:09,490 --> 00:01:11,980
So we have this input, right.

23
00:01:11,990 --> 00:01:14,020
We're putting it in the email field.

24
00:01:14,030 --> 00:01:22,030
We're putting in an input of test, and what's happening behind the scenes, say we have a SQL injection.

25
00:01:22,040 --> 00:01:22,830
All right.
26
00:01:23,060 --> 00:01:26,400
The SQL injection is trying to grab that.

27
00:01:26,420 --> 00:01:38,010
It might be grabbing something along the lines of select star from users where email equals test.

28
00:01:38,750 --> 00:01:39,220
OK.

29
00:01:40,040 --> 00:01:45,110
So what it's doing is it's saying hey, I want to select everything from users where the email is equal

30
00:01:45,110 --> 00:01:47,110
to this test.

31
00:01:47,120 --> 00:01:49,490
What we just input into here.

32
00:01:49,620 --> 00:01:54,040
Now if we have SQL injection, let's copy this.

33
00:01:54,070 --> 00:02:02,370
I'm going to paste it. Let's say instead we put, you know, a single quote in here. Well, that single quote

34
00:02:02,370 --> 00:02:06,110
is going to come in and it's going to add into that.

35
00:02:06,120 --> 00:02:06,390
Right.

36
00:02:06,420 --> 00:02:12,510
So we're saying hey, from test here, and guess what, this completes the statement.

37
00:02:12,690 --> 00:02:19,050
And now this little other single quote that's left over is going to throw an error because there's no

38
00:02:19,050 --> 00:02:20,700
end to the second quote.

39
00:02:20,760 --> 00:02:21,090
Right.

40
00:02:21,150 --> 00:02:24,030
So this isn't logically correct.

41
00:02:24,160 --> 00:02:30,630
And because of that we could cause injection. If this is allowing us to inject this single quote here,

42
00:02:31,110 --> 00:02:32,780
that we might run into issues.

43
00:02:32,850 --> 00:02:34,860
So let's take a look at Repeater.

44
00:02:34,890 --> 00:02:40,570
Let's say we put in the email here, we put a single quote, and we send it.

45
00:02:40,740 --> 00:02:41,950
Oh, look what happened.

46
00:02:42,780 --> 00:02:51,390
So we got a 500 Internal Server Error, and from that we have got a SQLite error.

47
00:02:51,430 --> 00:02:52,480
All this is so good.

48
00:02:52,480 --> 00:02:54,130
What is this telling us?

49
00:02:54,130 --> 00:02:55,930
Well, this is telling us one,
50
00:02:55,930 --> 00:02:59,700
This is a SQLite database, so that gives us some information.

51
00:02:59,950 --> 00:03:03,510
And if we come through here we're seeing that there's a database error.

52
00:03:03,520 --> 00:03:06,900
And when we get an error like this, this means we have some sort of injection.

53
00:03:06,910 --> 00:03:07,150
OK.

54
00:03:07,150 --> 00:03:13,900
This is a big sign that injection exists, and something I actually have never really seen before.

55
00:03:13,900 --> 00:03:17,130
When you come down here it tells you the SQL, what's happening.

56
00:03:17,200 --> 00:03:23,140
So the SQL of what's happening here is it's saying hey, select star from users where email equals test.

57
00:03:23,140 --> 00:03:25,440
So we guessed that right, actually.

58
00:03:25,570 --> 00:03:28,480
And again, there's an AND condition here.

59
00:03:28,480 --> 00:03:30,370
Password is equal to.

60
00:03:30,490 --> 00:03:36,140
And it looks like it's just hashing that password of test and then is putting it in here, and deletedAt

61
00:03:36,260 --> 00:03:37,440
is null.

62
00:03:37,460 --> 00:03:41,480
So if the account was deleted... if it's null then it wasn't deleted.

63
00:03:41,480 --> 00:03:41,830
Right.

64
00:03:41,840 --> 00:03:45,260
So it's saying hey, this account still exists.

65
00:03:45,260 --> 00:03:50,020
It matches this password and it matches this email address.

66
00:03:50,080 --> 00:03:50,680
Perfect.

67
00:03:50,680 --> 00:03:54,310
So how can we improve upon this?

68
00:03:54,310 --> 00:03:57,370
Well, let's take a look back at our notes here.

69
00:03:57,370 --> 00:04:08,610
So we've got a notepad, let's make one more of these. So what if I made a situation like this, I said test

70
00:04:09,540 --> 00:04:10,170
or

71
00:04:12,850 --> 00:04:16,660
one equals one dash dash.

72
00:04:16,900 --> 00:04:17,760
And what's that going to do?
73
00:04:18,190 --> 00:04:28,770
That's going to come into here and that's going to say or one equals one, and the statement, dash dash.

74
00:04:29,730 --> 00:04:30,700
OK.

75
00:04:30,840 --> 00:04:32,760
So what is this doing?

76
00:04:32,880 --> 00:04:36,300
Well, first let's focus on this part right here.

77
00:04:36,300 --> 00:04:38,520
We're closing out this email.

78
00:04:38,520 --> 00:04:40,220
It says test and then we close it out.

79
00:04:40,210 --> 00:04:41,100
Right.

80
00:04:41,340 --> 00:04:47,480
Then we're adding a condition and we're gonna say or, so this email doesn't exist.

81
00:04:47,480 --> 00:04:47,780
Right.

82
00:04:47,790 --> 00:04:52,950
Because we're... it could exist, but it's going to say hey, where it matches this or this is true.

83
00:04:52,970 --> 00:04:55,140
Well, guess what, one is equal to one.

84
00:04:55,140 --> 00:05:02,680
So this is true, making this entire statement true. We add an ending here, OK.

85
00:05:02,790 --> 00:05:05,700
We add our end and then we put in a comment.

86
00:05:05,700 --> 00:05:07,770
Now what happens with the comment?

87
00:05:07,770 --> 00:05:11,580
Everything after that comment no longer exists.

88
00:05:11,580 --> 00:05:15,150
So if we put that into here and we put the comment in, guess what?

89
00:05:15,150 --> 00:05:20,700
We don't have to check for a password, we don't have to check for "and deletedAt is null", it doesn't care.

90
00:05:21,770 --> 00:05:28,130
What's going to happen here is it's going to allow us to log in with this statement, and it's going to

91
00:05:28,130 --> 00:05:31,210
allow us to log in as the admin user.

92
00:05:31,310 --> 00:05:32,690
Why is that?

93
00:05:32,690 --> 00:05:37,700
Well, if you recall the users we had, we had like ID of one, two, three, four or five.

94
00:05:37,700 --> 00:05:45,350
We had Frank Castle at the top. Typically ID number one is your admin user, OK.
95
00:05:45,350 --> 00:05:50,720
So if we were going to log in as the first user in the database, this is going to pull back the first

96
00:05:50,720 --> 00:05:51,200
user.

97
00:05:51,440 --> 00:05:56,630
Typically it's your admin user, so we're going to utilize common SQL injection here.

98
00:05:56,690 --> 00:05:57,470
We can do.

99
00:05:57,490 --> 00:06:03,750
We can copy this entire statement if we want and just paste this in. You can put anything you want in

100
00:06:03,750 --> 00:06:11,300
the password and then attempt to log in. I'm going to undo the proxy here, and that actually solved the

101
00:06:11,300 --> 00:06:11,950
challenge for us.

102
00:06:11,960 --> 00:06:16,730
We wanted to generate an error, and I could show you that really quick: if we tried to log in with this

103
00:06:16,910 --> 00:06:21,870
you get an [object Object] error, which is another indicator that something's going on on this side.

104
00:06:22,160 --> 00:06:26,300
But this is why... look at what this shows you compared to what Repeater shows you. Repeater shows you

105
00:06:26,300 --> 00:06:28,250
a lot more information.

106
00:06:28,250 --> 00:06:30,840
So I always like to run my testing through Repeater.

107
00:06:30,960 --> 00:06:37,370
So let's go ahead then and try this and log in with it, and guess what?

108
00:06:37,370 --> 00:06:41,830
We are logged in successfully, logged into the admin account.

109
00:06:42,160 --> 00:06:49,560
All right, so here let's talk about some more things. We've completed the challenge and that's great.

110
00:06:49,600 --> 00:06:58,540
But let's also focus on what we're seeing here. What we're seeing here is SQL injection.

111
00:06:58,600 --> 00:07:02,180
And this is classic SQL injection.

112
00:07:02,190 --> 00:07:09,880
Now there's a possibility that we have SQL injection and we aren't able to see it at all, and that

113
00:07:09,880 --> 00:07:11,890
is called blind SQL injection.
114
00:07:11,890 --> 00:07:18,040
That becomes a little bit more complex, and to talk about this because it may show up in an interview:

115
00:07:19,130 --> 00:07:25,310
blind SQL injection, if you're trying to test for it, you might have something like this, and let's

116
00:07:25,310 --> 00:07:29,660
go ahead and pull up our little notepad again.

117
00:07:29,660 --> 00:07:38,180
So you might have a command in here where you say... we'll just make up a fake injection, don't worry how

118
00:07:38,180 --> 00:07:42,540
it plays into the SQL statement, but you might say something like sleep five.

119
00:07:42,650 --> 00:07:42,950
Right.

120
00:07:42,950 --> 00:07:47,890
And it depends on the SQL database you're using.

121
00:07:47,890 --> 00:07:50,220
So the sleep term changes in how you enter it.

122
00:07:50,240 --> 00:07:52,140
So I'm just making this up right here.

123
00:07:52,310 --> 00:07:58,310
But you're going to say hey, sleep five, and what's going to happen is the website is not going to respond

124
00:07:58,310 --> 00:08:04,190
to you for five seconds, and then you're gonna say hey, sleep 10, and then the website's not going to

125
00:08:04,190 --> 00:08:06,680
respond to you for 10 seconds.

126
00:08:06,710 --> 00:08:09,170
Well, that's how you can determine that.

127
00:08:09,170 --> 00:08:12,950
You know, even though you can't see an error code like this... like when we see this error code we know

128
00:08:12,950 --> 00:08:15,770
we have SQL injection, this is bad, OK.

129
00:08:15,770 --> 00:08:20,210
It's only a matter of time to figure out how the SQL injection works.

130
00:08:20,210 --> 00:08:22,620
And then we can kind of go from there and pull it off.

131
00:08:22,910 --> 00:08:28,250
But when we inject this and nothing comes back, it just comes back as like a normal login screen and

132
00:08:28,250 --> 00:08:30,000
we just have no idea.
133
00:08:30,560 --> 00:08:35,420
Well, then we could start throwing in like these sleep patterns in these tests to go with it, and seeing

134
00:08:35,420 --> 00:08:41,240
if the page responds back or doesn't respond back, and Burp's active scanner is actually really good at doing

135
00:08:41,240 --> 00:08:45,820
that, and at least trying to pick up on these. It'll send sleep commands and see what the responses are

136
00:08:45,830 --> 00:08:48,790
and kind of help try to identify some of that.

137
00:08:48,950 --> 00:08:51,470
So that is it for this video.

138
00:08:51,620 --> 00:08:58,850
My challenge to you is to go into your injection here, remember injection, look at the different challenges

139
00:08:58,850 --> 00:09:01,720
that are available to you and play around with them.

140
00:09:01,970 --> 00:09:08,000
Make Juice Shop your friend and understand these. If you go through all of these challenges you don't

141
00:09:08,000 --> 00:09:09,660
have to know how to solve them.

142
00:09:09,680 --> 00:09:12,020
That's not necessarily the point here.

143
00:09:12,020 --> 00:09:16,810
The point is to go through the challenges and even work through them in order of difficulty.

144
00:09:16,850 --> 00:09:21,770
So you just did a two star challenge, maybe you'll look at the three star challenges and see how you

145
00:09:21,770 --> 00:09:27,110
can take those. The Christmas Special is actually a really good one, and you can keep going through this

146
00:09:27,170 --> 00:09:30,520
and you can learn a lot about different injection here.

147
00:09:30,590 --> 00:09:34,020
And again, you don't have to know how to do this.

148
00:09:34,100 --> 00:09:38,300
Go to the challenge solutions, read the challenge solution and follow it along.

149
00:09:38,300 --> 00:09:41,510
Take notes, understand what's going on and why it's going on.

150
00:09:41,540 --> 00:09:43,730
So now you know what SQL injection is.
151
00:09:43,730 --> 00:09:49,340
You understand that hey, we're getting injection here, you know, and we're putting it into a statement

152
00:09:49,760 --> 00:09:53,960
and we're modifying that statement to make something happen in our favor.

153
00:09:53,960 --> 00:09:54,880
That's all it is.

154
00:09:54,950 --> 00:09:58,130
We can get very malicious with this very quick.

155
00:09:58,130 --> 00:10:03,380
So from here we're gonna go ahead and talk about how to defend against SQL injection.

156
00:10:03,380 --> 00:10:05,090
So I'll see you over in the next video.