
SQL Injection Attack Tutorial (2019)


SQL injections: what are they and how can you exploit them? Coming up right now.

Now before we can dive into a SQL injection, we first need to know what SQL is. Well, SQL stands for Structured Query Language, and it's a standard language used for accessing and manipulating databases. Now what exactly can SQL do? Well, it can do a lot of things. It can execute queries; it can insert, delete or update records; you can create new databases, tables, views, stored procedures; and it can also change the permissions for these tables, views and stored procedures.

So let's look at a basic example of a SQL query, and we'll use the example of a typical login form at a website. You'll enter in your username and password and then you click the submit button. Now once you do that, it's going to hit some code behind that form that looks something like this. What it does is it's first going to grab the username from the username box and store that, then it's going to store the password into the password variable, and then finally we're going to build a SQL query using the username the user typed in. Now this is bad because there's no sanitization on the user-inputted data, and what that means is a user can directly inject SQL queries, or rather SQL code, to modify the SQL query. Now once this code is complete, our SQL query would look something like this: it says select everything from the users table where the username equals admin. Now if we were to execute this query against our SQL server we would get a result as such: we get one row returned with the user ID, username and password fields of the user, and as you can see, the user ID of 1, username admin and password secret. And that's basically how a SQL query functions.

So let's go back to our web form now, and let's insert a SQL injection. So inside the username field go ahead and enter in a single quote, or, one equals single quote one, and then go ahead and click Submit. Now through the rest of this video, just for your benefit, I'm going to show you at the bottom of the screen how the SQL server will interpret the query from the input. Let me say that again: at the bottom of the screen, what I'm going to do is show you the SQL query that the SQL server is actually going to execute. So here you can see how we cleverly injected some SQL code.

Now once we run this query and hit submit, the application returns back an error message. It says "failed to login as admin", then it says it again for moderator, and then guest and ghost. Hmm, that's pretty odd, because we did not type in any of these usernames, and furthermore, why did it spit out four different error messages? So let's take a closer look at this query. If we were to execute this on our SQL server, the query would look like the following: select everything from users where username equals nothing or one equals one. So as we can see, there are no usernames with a blank username, so that part is false and it's not going to find anything. The second part says "or one equals one"; well, one equals one returns true, so if that were to be executed, the SQL server is basically going to see that query like the following: select everything from users where true. And basically there's no where clause; it's not searching for anything, so the query is basically just saying select everything from users, and the SQL server does exactly as you asked and it returns all the users and passwords from that table.

Now our error, as we can see, is dumping all of the usernames in the table. Now that's great; however, it would be very useful if we could get the password for these accounts. Now how exactly are we going to do that? We don't have passwords and we want passwords. So what we can do, since we're able to inject SQL code, we're going to first try to find the database name that this application is using. So what we need to do is modify our SQL injection, and this is our new SQL injection. Basically we're going to use the UNION SELECT statement to add additional information into the SELECT statement by the application, and what we're going to do is select the database names from the MySQL information_schema.tables table. Now one thing I want to point out is this value right here, table_schema. While it says table_schema, it might lead you to believe that this is information on tables, but this is actually the database names inside the SQL server. So just note that table_schema basically means database name.

Now once I executed this SQL injection, the application then spit out the following message, and it says "the used SELECT statements have a different number of columns". Well, when I go back to the SQL query on the server, I can see that the table has three fields: user ID, username and password. However, our query was only selecting one field, and that was the database name, or the table_schema field. So what we're going to do is modify the injection query to always return three values. So all I had to do was just add 1, 1, table_schema to our query, which gives us the following, and then execute it on the application. However, once again I got the same error message. No dice. OK, let's modify our query one more time. Now if you looked at the query you would have seen that we have two UNION statements. The first UNION statement is trying to select the database names from the MySQL server, and then the second UNION statement is purely here to provide a proper end to our SQL query. If we did not include this UNION SELECT 1, 1, single quote 1, then the query would break, so that is required. Now to ensure that this query always returns three values, we need to make sure that all of our UNION statements return three fields: 1, 2, 3, and our second UNION SELECT returns 1, 2, 3 fields. Perfect. Now when I ran this injection against the application, I received the following results. Our injection worked; however, the only thing it returned was the value 1, which is not very useful for us.

So let's go ahead and try something else. This time let's change the values that we're setting inside of our injection query. So what I did is I changed 1, 1 to 3, 4, and then 1, 1 to 5, 6, 7. So let's go ahead and run this query. And so we're going to modify our query; we just moved table_schema and the value 4, we just switched them back and forth, executed our query, and bingo, we were able to enumerate all the databases on the SQL server. And the database that we're interested in is the sqli database.

So now that we know what database we're after, let's start to enumerate it to figure out what tables and what columns are inside those tables, so we can access the information we want, specifically the username and password. So to enumerate the sqli database, we're going to inject the following SQL injection. Now take note that we modified the value here to be table_name, which is what it says it is, it's the name of the table, and then we also included a where clause so we're only searching from the sqli database; that way we don't see all the tables from all the databases. Now once I executed that, I then received the following output and was able to find the tables profile, settings and users. Now this last output where it says 6 can be ignored, as it's actually just coming from our UNION SELECT right here. So awesome, now we know that there are three tables in there and one of them is named users. Well, I want the username and password, so I'm going to speculate that they're inside the users table. So now let's figure out what fields or columns are inside the users table. So we're going to need to modify our query again. This time we're going to change the value to column_name and change our where clause to a table_name, to where we're only searching for the table users. Once executed, I received the following results, with columns user ID, username and password, and as we know from previously, those are in fact the column names for the users table.

So awesome, now we have all the information we need in order to dump out the usernames and passwords. But we have one problem. The problem is we're only able to return one value inside this UNION SELECT query, but see, we need to pull the username and the password and stick them both inside this one field. We couldn't just put username here and then password, because then only username would show, and vice versa. So this is what we're going to do in order to dump the usernames and passwords in one go: what we want to do is combine the username, separated with a delimiter, in this case it's a colon, with the password. So to accomplish this we're going to use the following injection for the username, and how we accomplish this is using the MySQL function called CONCAT. All it does is concatenate strings together, and that's perfect, because what we're going to do is use that to concatenate the username with the semicolon and a password, and it's going to take all of that and spit it out as one field, and that is exactly what we're looking for. So perfect, and our query will look like the following, and once I executed it, bingo, I was able to dump all the usernames and passwords from this table via a SQL injection. As you can see, the admin password is secret, moderator password 123, guest's password and ghost's password is secret. Awesome.

So that's it, guys, that is the basics of carrying out a SQL injection attack. Now there's actually many different types of SQL injections, and this is just one type. In future videos I'll go into the various types of SQL injections and give you some examples of how to exploit that. Before you go, do you want to download a SQL injection lab so you can try out the skills that you learned in this video today? Well, check it out: if I get a hundred people to comment on this video, then I'll create a SQL injection capture-the-flag lab and upload it to this video for everybody to enjoy. So go ahead and comment now. But that's going to do it for today, guys. If you enjoyed this video please click that subscribe button; if you liked this video give me a thumbs up; don't forget to click the bell to get notifications of my new videos; and as always, I will see you on the other side.
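As an added example (not code from the video), here is the login lookup the video describes, built by string concatenation, beside a parameterised version, both run against a small constructed copy of the users table in SQLite. The quoted payload form `' OR '1'='1` is assumed instead of the video's `' or 1='1` because MySQL coerces `1='1'` to true and SQLite does not; the effect on the query structure is the same.

```python
import sqlite3

# Constructed sample data modelled on the video's users table (only admin/secret
# and ghost/secret are values the video shows; the rest are made up).
SAMPLE_USERS = [
    (1, "admin", "secret"),
    (2, "moderator", "123"),
    (3, "guest", "guest"),
    (4, "ghost", "secret"),
]

# Assumed payload: the video types `' or 1='1`; SQLite compares 1 and '1' as
# different types, so the all-text form is used to get MySQL's behaviour here.
INJECTION = "' OR '1'='1"


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, username):
    """The pattern from the video: input is spliced into the SQL text, so a quote
    in the input closes the string literal and the rest is executed as SQL."""
    query = "SELECT * FROM users WHERE username = '" + username + "' ORDER BY user_id"
    return [row[1] for row in conn.execute(query)]


def safe_lookup(conn, username):
    """Parameterised query: the SQL text is fixed and the value is bound separately,
    so the input is always treated as data, never as part of the statement."""
    query = "SELECT * FROM users WHERE username = ? ORDER BY user_id"
    return [row[1] for row in conn.execute(query, (username,))]


def demo():
    """Run both lookups with a normal username and with the injected input."""
    conn = make_db()
    return {
        "vuln_admin": vulnerable_lookup(conn, "admin"),
        "vuln_injected": vulnerable_lookup(conn, INJECTION),  # every row comes back
        "safe_admin": safe_lookup(conn, "admin"),
        "safe_injected": safe_lookup(conn, INJECTION),  # no user has that name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returning one row per user is exactly what produced the four "failed to login" messages in the video; the parameterised lookup returns nothing for the same input.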

10 thoughts on “SQL Injection Attack Tutorial (2019)”

  1. Thank you for posting this tutorial. I'm wanting to transition into IT and am attending my first cybersecurity meetup at the end of January and the topic is SQL injections. At least I won't be entirely lost! Lol.

  2. mysqli_real_escape_string(somethingfromoutside) and Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z
