Let us continue with the SQL injection practicals. In the previous two videos you saw different types of injections, and from this video we will start the manual SQL injection practical. Now, in this video we are going to use different types of SQL commands, and this is going to be a long video of about 10 to 15 minutes. So be patient till you get the result and carefully observe all the commands that I am going to use. Again, I am going to use SQL commands. If you do not have knowledge of SQL commands or database management, you can refer to database management systems. We have also attached a few links to SQL books; you can download and refer to them. So let us get started. Before starting, make sure you are logged in to the Kali machine and that DVWA, that is, the vulnerable application, is also turned on. Let's start.

So right now I am on the Kali machine. I will open the Firefox browser and then connect to the vulnerable application to perform SQL injection. So let us type the IP address of my vulnerable machine, that is 10.0.2.16, and then hit enter. So let us go to DVWA and log in with the default username, admin, and the password, that is admin.
I'm sorry, the password is password. So first let us go to DVWA Security and set the security to low. We won't be showing SQL injection on medium and high because it is a very tedious process; instead, we'll just show you a tool which will easily get you the database and passwords and everything. So first, go to SQL Injection.

In this video we are going to show you a simple injection and not the blind one; we will just see the normal injection. It is asking for a user ID, so just type 1 and let us see what we get. OK, it has shown the first name and the surname. Now, what you have to do is, in the text box, type percent, single quote, space, or, single quote, zero, single quote, is equal to, single quote, zero, that is %' or '0'='0, and then hit enter.

Well, we've got something: we have got all the usernames, the first names and the surnames now, which means that the query we had just inserted is the query which exploits this vulnerability and tells us that SQL injection is present here. So what we have got is first name and last name, but that is not critical data.
But why did we get this? When we entered the percent sign and the quote after it, it told the server that, OK, the user has entered percent as the user ID, and after the percent symbol is our OR statement, which is a boolean SQL injection. In the OR we can see that zero is equal to zero, which is always true. If you know basic boolean algebra or boolean logic, if one of the conditions of the OR is true, then the entire statement becomes true. In our case, even if the user ID percent is an error or false, the other statement was true, and hence the server replied with all available usernames and surnames. But again, this is not critical data; we need to find something else.

So now let us use a union query to find out different data. So again type percent, single quote, or, zero is equal to zero. Do not write a single quote here, because in the last case we used zero as a character; here we are using zero as an integer. Then after the zero, a space, and type union select null, comma, user, comma, user with double brackets, and hash, and then hit enter. You can see that you have an SQL syntax error now, which is telling you to observe it closely.
I deliberately did this to show you the error. Now, "check the manual that corresponds to your MySQL server version". It has told us that we deliberately used the hash, which wasn't allowed. So let us try to insert another query. What was the error in the last query? I had entered the brackets wrongly, so I got an error. And why did I do that? Because I wanted to deliberately show you the descriptive error which applications normally show, and from descriptive errors you can actually get a lot of information. So again we have typed the same query, but here I have entered user and the brackets in a proper way, and then we hit submit. You can see what we have got in the last surname section: you can see root at localhost. root@localhost is what we are looking for.

So what is this? This is the name of the database user that executed the query behind the scenes, because basically root executed it and we got the output. Our next step is to enter the following: again enter percent, single quote, or zero is equal to zero, union select null, comma, database, brackets, and hash. Now, before hitting the submit button: in the last one we had executed user(), and that is why we got the username, that is root@localhost.
Hopefully, after executing this query, you will get the name of the database. Let us see. So, "function dvwa.database does not exist". Well, we got this error; there might be some error in the query that we had inserted. So let us go back and check what our error was: I had mistakenly misspelled the database name. So let us again hit submit, and there you go: at the bottom we have got the database name, that is dvwa.

Now, if you scroll up and see the query we had written, null, comma, database. Why? Because the first query is returning two fields, that is first name and username. The rule of the union query is that the fields in the first query and the second query should match. Since there are two fields in the first query, first name and surname, we should also write two fields in the second query and then use the union. That is why we wrote null, comma, database. If we again write the same query and do union database, comma, database, we will get the name twice. Let us see the same. So percent, single quote, yes, just the same query, but instead of null write user, brackets, comma, database, brackets; hopefully we will get the username and the database name. And hash, and then click submit.
So if you can see, in the first name we have got the root name, and in the surname you have got the database name. This is the main reason, as many SQL injection tutorials do not explain why we use null; so this was the basic explanation of why we had used null.

Now, since we have got the name of the database, we will not stop there. Our next job is to actually find out what is inside that database. So let us execute the next query: type percent, single quote, and one is equal to zero, union select null, comma, table underscore name, from information underscore schema dot tables, and then hash. Before entering, if you come down here, I'll just show you why we wrote "and 1=0". If we had written "or 0=0", we would have got the result of the first query as well as the result of the second query. But here we do not actually need the result of the first query, because we already know the database values; we are interested in the table names. So just hit submit.

And there we go, we have got the table names: character sets, collations, columns, column privileges, partitions, routines, schemata, statistics, tables.
There you go, we have got the tables now. Our next job is to get the names of the tables. We have also got the user table, the db, the func, etc. Now let us hit the next query.

Since we are interested in the user table, we will get the contents from that user table. So let us write the query to retrieve the contents from that user table. Write percent, single quote, and one is equal to zero, union select null, comma, table underscore name, from information underscore schema dot tables, where, because we are interested in the user table, table underscore name like single quote, user, percent, single quote, hash.

Now, this query will show all the tables which have the word user in them, so you can see user privileges, users, user, user groups, user object permissions, etc. Now we have got the result, which shows that these are the tables which are actually related to the users. Our next job is to find the details of the users table. So just type the query percent, single quote, and one is equal to zero, union select null, comma, concat, bracket open, table underscore name,
now we want to break the line. To output on new lines, we just type the hexadecimal for line break, that is comma, 0x0A, comma, column underscore name, bracket close, from information underscore schema dot columns, where table underscore name is equal to users in single quotes, and then hash. Hit enter, so you can see we have got all the names of the columns: that is user ID, first name, last name, user, password and avatar.

Now we are interested in the password. So let us type the following query: ampersand, oh, I'm sorry, percent, single quote, and one is equal to zero, union select null, comma, concat, in brackets, first underscore name, comma, 0x0A, which means on a new line, comma, last underscore name, comma, 0x0A, that is again on a new line, comma, user, comma, 0x0A, comma, password, bracket close, from users, and hash. This is the syntax for finding the data. There you go: we have got first name, surname, that is admin, admin, and the password. Now, this is not the actual password; this is the MD5 hashed password.
You can use various MD5 hash cracking tools. Hopefully we will see one of the tools in the upcoming months; we are going to update the contents. We are going to keep updating the contents, and we will see different types of hashing tools. But for now, we have successfully been able to compromise the database, and we have finally got the data. We have got the name, that is Hack Me, then 1337, that is the user ID, and the password, etc. So you can see how long it takes to actually retrieve the data manually from the database. So this is a spoiler alert for you: in the next lecture we are going to use just four commands, typing only five to eight letters in each command, and boom, the entire database, in a nice graphical view, will be in front of you. So let us start with the automation of SQL injection.
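As an added illustration that is not part of the lecture or of DVWA's own code, the following Python script reproduces the root cause the lecture exploits and the fix for it. It builds a small in-memory SQLite table shaped like the users table (the rows and hash values are constructed), runs the lecture's boolean payload and a UNION payload through a query built by string splicing, the way the low security level does, and then through a parameterized query. SQLite is a stand-in for MySQL here: it has no database() function and does not treat # as a comment, so sqlite_version() and a trailing "-- " take their places.

```python
import sqlite3

# Constructed stand-in for DVWA's users table; the rows and hashes are made up.
SAMPLE_USERS = [
    (1, "admin", "admin", "<hash placeholder 1>"),
    (2, "Gordon", "Brown", "<hash placeholder 2>"),
    (3, "Hack", "Me", "<hash placeholder 3>"),
]


def make_db():
    """Build an in-memory SQLite database shaped like the lecture's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the 'low' security level: the raw input is spliced into the SQL
    text, so quotes, OR and UNION typed by the user become part of the query."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the input is bound as a value and is never parsed as SQL,
    so the same payloads simply match no user_id."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()


# The lecture's boolean payload, and its UNION payload adapted to SQLite
# (sqlite_version() instead of database(), '-- ' instead of '#').
BOOLEAN_PAYLOAD = "%' or '0'='0"
UNION_PAYLOAD = "%' and 1=0 union select null, sqlite_version() -- "


def compare(conn, user_input):
    """Run one input through both lookups; returns (vulnerable_rows, safe_rows)."""
    return lookup_vulnerable(conn, user_input), lookup_parameterized(conn, user_input)


if __name__ == "__main__":
    db = make_db()
    cases = (("normal", "1"), ("boolean", BOOLEAN_PAYLOAD), ("union", UNION_PAYLOAD))
    for label, payload in cases:
        vuln, safe = compare(db, payload)
        print(f"{label:8} vulnerable    -> {vuln}")
        print(f"{label:8} parameterized -> {safe}")
```

With the normal input both lookups return the single admin row. With the boolean payload the spliced query returns every row, exactly as in the lecture, while the parameterized query returns nothing; with the UNION payload the spliced query returns the attacker-chosen second column and the parameterized query again returns nothing. Binding the value is the fix the rest of the lecture's queries would also fail against.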