So let's go right here and log in, as usual, to our DVWA page. And let's first set the security to low and navigate to the SQL Injection tab. Now, you might notice that we also have SQL Injection (Blind), and this is something that we are going to talk about later on. For now, let's just focus on this SQL Injection tab.

So what do we have right here? We have something called User ID, and usually we would input something like a number right here. So let's give it a try. For example, input number one and click on Submit. Well, it will tell me that the ID of one is a user with the first name admin and surname admin. And that user has ID one. What if we type two, for example, and we click on Submit? Well, we got a user ID two; his name is Gordon and his last name is Brown. And we can go for each and every number if we want. For example, the ID five has first name Bob and last name Smith.

But to search for the SQL injection, what we can do is we can type some special characters, and that might throw an error if there is an injection. For example, if I type an apostrophe, or a single quote, and I click on Submit. Beautiful, it throws me this error; it will say "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near line one."
And this already is an indication that we have a SQL injection bug, since it interpreted our apostrophe as a part of SQL syntax. So for now, we know that there is an error because we got the syntax error. But before we continue, let's first explain why this gives an error. Why does using a single quote give us an error?

Well, let me show you like this. If I open a terminal and open a program called Leafpad... Let me see if Leafpad exists anymore in Kali, if I type it right here. OK, never mind. Let's just go and find a program that will allow us to write text. And here we got some text editor under the usual applications. I'm going to open that and I'm going to enlarge it just so we can type something right here.

And now that we opened this, let's explain why an apostrophe gives an error in SQL syntax. As we already mentioned in our slides, usually we will have SQL syntax, or a SQL query, that will look something like this: select something from a certain table where some condition is fulfilled. And for our page right here, if I go back, since we have user ID, first names and last names, it could possibly look something like this: select name, comma, surname from the table that could be named something like accounts.
We don't know that yet. Where ID equals, and then the ID number goes between single quotes. So this could possibly be our SQL query that we send to the database, and then the database retrieves the user under the ID two.

But what happens when we type an apostrophe instead of this two is, instead of it filtering the apostrophe, it just writes it between these two single quotes, and then we get three single quotes: the opening single quote, and then our single quote we injected becomes the closing single quote. And then the third one is the single quote that's hanging. It doesn't belong to anything. Therefore, SQL throws an error, since it has one single quote more than it should have. And whenever that happens, you've got an injection bug, and this is also called error-based SQL injection, because it throws us an error. On the other hand, we've got the blind SQL injection that doesn't throw an error. So there are some other methods that we must use for that one in order to figure out whether it exists.

Now that we know that there is a SQL injection, what we can do is we can type some other statements as well. For example, we can select the ID number two and then close the single quote inside of that SQL query. And we can type some logical statements, such as, for example, and one equals one. And keep in mind that this right here, if I copy it and write it down,
has single quotes between the numbers, and it doesn't have the single quote at the end, because inside of our query we already have a single quote at the end. So this single quote will cover the last part of this one, and this first quote will cover the first part of this. So essentially, once added to our SQL query, it would look something like this. Instead of this single quote, we would have this, and you can see this opening and closing single quote fulfills our statement.

Let's give it a try and run this, and we'll just get the information about the user under the ID two. And that's because our statement is correct. So we select the user ID two, and we say do that in case one is equal to one, and one is equal to one. So there are no problems; it just prints the user name. But if we were to type the same command, just change it to one equals two, and click on Submit, we wouldn't get any output right here. That is because one is not equal to two; therefore it won't print the user under the ID two. That could be another sign that there is a SQL injection. Now that we know for sure that there is an injection, we can try some other commands, such as, for example, this one.
So if you go down here and type two, single quote (and this is just selecting the ID number two), and then use a statement called order by 1, and add dash, dash and space and a single quote at the end. So let's explain this command. The reason we have this dash dash space and then single quote is because that is referred to as a comment. This dash dash is a comment. And we must add this at the end of our statement, at the end of our query, because otherwise it would throw us an error. We must have it so we don't get an error when running our SQL commands, and order by 1 will just check whether there is column one. And we are going to do that for two and for three as well, and we're going to see how many columns we have.

So if I copy this, and go back here, paste this, and click on Submit, we'll get an output: first name Gordon and surname Brown. That means this is a valid statement. Let's try with order by 2. So just change from one to two and click on Submit. And this is also a valid statement, because we get the first name and surname. And if we try number three and click on Submit, well, there is an unknown column '3' in 'order clause', and that's how we know that we have two columns. Now, let's see what those two columns are.
If I go and type this command, and I'm going to type it right here: first two as our ID, and then union select 1 and 2. And let's not forget our comment at the end by specifying dash dash and then quote. If I copy this, and I paste it right here, and click on Submit. OK, so we get this output right here: the first name for the ID two, and we get the first name 1 and surname 2.

Now that we know that we have two columns and that we have an injection vulnerability, we're going to start extracting data. So we know that we have two output fields, the first name and the surname field, so we're going to try to extract the database name and the user of the database. To do that, we can type the command: two, to select the user ID, and then union select, and we're going to type database, open and close brackets, comma, user, open and close brackets. At the end we add our comment with a single quote, and here we are specifying the functions called database() and user(). These two functions are already defined in MySQL. So let's copy this command just to see the name of the database and the name of the user, and type it right here. And we get the first name, which will store the database name, which is dvwa, and the surname, or the user, which is going to be dvwa@localhost.
Now that we know this, we can try to extract the list of the databases by injecting the following command. So after this, we once again start with two and then union select. And these select statements, you can also type in capital letters; it doesn't really matter. You can type capital or lowercase letters. What matters is that you type the correct command syntax. So right now we are going to call for schema_name, comma, 2 from information_schema... And let me just... so the entire command can fit: 2 from information_schema.schemata, dash, dash, and then close single quote.

OK, so let's just go with this and see what we get for this command. If I copy, go to my page and paste it right here. Well, we get quite a few results back, and we essentially get different databases output right here. We got our dvwa database, we got the metasploit database, the mysql database, owasp10. And since we are doing this all inside of the DVWA application on our Metasploitable, we would most likely be interested in this dvwa result. So let's try to extract even more from it. We can use the following command, which is ID two and then union select table_name, comma, 2 from information_schema
.tables. You might be wondering what even these are, and this is just regular syntax for the language; these are just something that you will get used to over time. Once we type from information_schema.tables where the table_schema is going to be equal to the one that we want, and in our case that is dvwa, we can just type equals, open single quote, dvwa, close single quote, and then our comment, dash dash quote. Let's copy this entire command and paste it right here. Now, I'm not sure if I copied it completely. I'm just going to go back and add what's missing, which is two and then single quote, and then click on Submit.

And here is the output. So with this command, we sent a query where we requested the names of all the tables inside the dvwa database. We got two results, which are guestbook and users. And this users right here could be interesting for us. So let's dive deep into it. We want to extract the columns inside of this users table. We can do that by injecting this command right here. So let me just make a few spaces and type the next command, which we, as usual, start with two and then apostrophe union select, and now we're selecting columns, so we are going to type, instead of table name,
we're going to type column_name, comma, column_type from information_schema.columns. Remember, in the last command we used .tables. Now we are using .columns because we are diving further into our database, and we need a condition at the end. So where table_schema is going to be equal to dvwa and table_name equals users. So remember, we got two results right here, and we want to go with the users one first, because that looks more interesting to us than this guestbook table.

OK, so let's go to this command, and now I'm going to copy the entire command. So select, copy and paste right here, and click on Submit. And again, we get a lot of results; here they are. Can you guess which one out of all of these columns is most interesting to us? If you guessed the password one, well, you guessed right. But we also want to extract other columns as well, such as usernames, which we get right here, such as first names, last names, IDs as well, and all of that we want to extract. To do this, we will need to use the concat function, because we only have two fields available to output our result. So we must concat a few results in one field and the rest of the results in the other field.
We can concat, for example, user ID, first name and last name in the first name field, and we can concat the usernames and passwords in the surname field. So let's see how that combined would look. If I go back and add a few more spaces, let's type two and then apostrophe union select, and then use the concat function to concat multiple fields into one. And we can do that by specifying which fields we want inside of this function. Let's type user_id as a first field, comma, and we are going to separate them with two dots. So comma and then first_name, which is going to be our second field, comma. Let's use again two dots to separate that also from the last_name. And these are the three fields that we are going to get into the first result.

Then after it we want to type comma and concat the usernames and passwords into the second result. So let's type it like this, password, and at the end we must specify from where we are extracting all of this. And in our case, since our database is called dvwa, and we're also accessing the users table, we must type it like this. So extract all of this from dvwa.users. Add the comment at the end. And let's copy all of this, and submit.
Well, here it is. Here is all of the information about all of the users from this database. In the first name field, we get the user ID followed by the first name, followed by the last name. And in the surname field, we get the username and password. So we successfully performed SQL injection and we extracted all of the information about all of the users inside of their database.

But you will notice that the passwords are rather strange, right? This is because they are hashed. Usually websites store hash values of passwords inside their database for security reasons, since even if something like an injection happened and someone managed to extract the entire database, they wouldn't get passwords in plain text, but rather as hash values that they need to run a dictionary attack on in order to find them in plain text. And by looking at them, I would say that this is probably an MD5 hash. We can figure this out by copying one of these passwords. So let's go with this one, for example. Going to Google and just pasting the hash inside of this search bar. And we can see most of the results are MD5, MD5 and MD5, so we can guess that this is an MD5 hash. And since this is an easy password, if I click on this link, it will even tell me which password this MD5 hash is. So it is the password abc123.
So if I go back to this page, we can conclude that Gordon has a password of abc123, because this website showed us what the string of this hash that we pasted is. We can do that for any other hash as well. As long as it is a simple password, it should manage to find it online. If I go and paste this one, for example, go right here, click on this website, and the MD5 hash for "password" is this. So it seems that our MD5 hash is a string of "password". So our user called admin has a password that is simply just "password", and that is how you extract the entire database with the SQL injection vulnerability.

Now, this is probably the hardest bug that we are going to cover inside the vulnerable web application section, and it might take some time for you to get used to it and to get used to all of this SQL syntax that we performed right here. For example, these database functions, user functions, could be known by someone that already knows SQL, since these are already the inbuilt functions, and that also stands for all of this syntax like table_name, like information_schema.columns and the rest of these commands. But if you practice it more and more, you will eventually get better at performing SQL injection. OK, great.
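The reason the hashes pulled out of the users table could be resolved with a plain web search is that DVWA stores unsalted MD5: the digest is a pure function of the password, so every copy of a common password has the same hash and a precomputed table maps it straight back. The following is an added example, not code from the video or from DVWA, using only the Python standard library and a constructed wordlist; the `pbkdf2_sha256$salt$digest` record format and the iteration count are assumptions of this example, chosen to show what a salted, slow hash changes.

```python
"""Unsalted MD5 (what the dump above contains) beside a salted, iterated hash.
Added example, not the video's or DVWA's code; wordlist and record format are
constructed for illustration."""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the table a hash-lookup site holds.
SAMPLE_WORDLIST = ["abc123", "password", "letmein", "qwerty"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the storage format the video recognises in the dump."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """digest -> plaintext. Because nothing per-user goes into the digest,
    one such table works against every site that stores unsalted MD5."""
    return {md5_hex(word): word for word in wordlist}


def resolve(digest, table):
    """Return the plaintext if the digest is in the table, else None."""
    return table.get(digest)


ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def hash_password(password: str, salt=None) -> str:
    """Salted, iterated hash. A fresh random salt per user means two users who
    both chose 'password' get different records, so no precomputed table
    applies, and the iteration count makes each guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported hash scheme")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    table = build_lookup_table(SAMPLE_WORDLIST)
    for pw in ("abc123", "password"):
        print(f"md5({pw!r}) = {md5_hex(pw)} -> resolves to {resolve(md5_hex(pw), table)!r}")
    first, second = hash_password("password"), hash_password("password")
    print("same password, same record?", first == second)            # False
    print("verify correct guess:", verify_password("password", first))  # True
    print("verify wrong guess:  ", verify_password("abc123", first))    # False
```

Running it prints the two MD5 digests the lesson looked up and shows that each resolves from the small constructed table, while the two PBKDF2 records for the same password differ and only verify against the password itself. The constant-time comparison in `verify_password` is there so that a login check does not leak how many leading bytes of a guess matched.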
So we performed SQL injection, and in the next video we're ready to continue discovering even more bugs on our DVWA application. See you there.
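The whole lesson above rests on one mechanism: the page drops the User ID between two single quotes in the query text, so a quote in the input becomes part of the SQL. The following is an added example, not DVWA's code and not from the video, that rebuilds that lookup in an in-memory sqlite3 database with constructed rows mirroring the users the video lists, and replays the lesson's probes (the lone apostrophe, `and 1=1` / `and 1=2`, `order by 3`, `union select 1,2`) against the string-built query and against a parameterized one. The function names, the `users` table layout and the sample rows are assumptions of this example; sqlite's error text differs from MySQL's, but the behaviour the video reasons about (an unbalanced quote errors, a tautology keeps the row, a contradiction drops it, `order by` past the column count errors, `union` adds rows) is the same.

```python
"""DVWA-style user lookup rebuilt on sqlite3: vulnerable string concatenation
beside placeholder binding. Added example; table and rows are constructed."""
import sqlite3

# Constructed sample rows, mirroring the users the video lists (not a real dump).
ROWS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me"),
        (4, "Pablo", "Picasso"), (5, "Bob", "Smith")]


def make_db():
    """Fresh in-memory database with a two-output-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_id: str):
    """Builds the statement text the way the video reasons the page does: the
    ID lands between two single quotes, so a quote in the input is parsed as SQL."""
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id: str):
    """Placeholder binding: the value travels separately from the statement
    text, so a quote is just a character inside a string value."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(conn, lookup, payload: str):
    """Run one input through a lookup and report rows, or the DB error text."""
    try:
        return {"rows": lookup(conn, payload), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": str(exc)}


# The inputs the lesson types into the User ID field, in the order it uses them.
PROBES = [
    "2",                        # normal use
    "'",                        # unbalanced quote -> syntax error if injectable
    "2' and 1=1-- '",           # tautology keeps the row
    "2' and 1=2-- '",           # contradiction drops it
    "2' order by 3-- '",        # one past the column count -> error
    "2' union select 1,2-- '",  # extra row shows which columns are displayed
]

if __name__ == "__main__":
    conn = make_db()
    for payload in PROBES:
        print(repr(payload))
        print("  vulnerable   :", probe(conn, lookup_vulnerable, payload))
        print("  parameterized:", probe(conn, lookup_parameterized, payload))
```

With the parameterized lookup, every probe except the plain `2` simply returns no rows and raises no error: there is nothing for the apostrophe to close, so the error-based signal the video starts from never appears, and neither do the boolean or union results that follow from it. That difference in the error column of the output is also the cheapest thing to look for in application logs when reviewing a login or lookup endpoint: database syntax errors triggered by user-supplied parameters are a sign the query is being assembled from strings.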