Basic SQL Injection | PicoCTF 2017 [35] My First SQL
Full Transcript
Hello everyone, my name is John Hammond. Welcome back to more picoCTF. This challenge is called "My First SQL", the first challenge in the web category of level 2, for 50 points. It says: "I really need access to this website but I forgot my password and there's no reset. Can you help?" So we can check out the website, open up a new tab here; it's just like a regular form login: username and password, credentials we would otherwise have to know. The hint here is "Have you heard about SQL injection?" So this is the first picoCTF introduction to SQL injection, which is one of my favorite things; I think it's one of the coolest things for hacking on the internet and stuff like that.

SQL injection is tricking a back-end web program into thinking that you are inputting data into a database that runs in the back. However, it's not real data that you're putting in; you're tricking it, and it's going to take some of that data and consider it to be code. So normally you'll see queries that are trying to insert or select data from a database, of the syntax and style "SELECT something, some kind of column or table information, FROM a specific table WHERE whatever column or field is something else." So if you get your own input that's just being concatenated or added into the original query, there is significant potential for bad things to happen. That's a vulnerability, if you are just concatenating those SQL constants and SQL literals. So this is exactly what we can assume this website is doing.

If I wanted to just log in with "please sub" and a password of "password"... that's weird, "not ok". I don't know why that's not the regular login; that makes no sense to me, but whatever. We can inject something into this to determine whether or not a user exists by getting a condition to log in that we know is always going to be true, because this WHERE clause in that SQL statement is running a test. It is running a conditional: WHERE name is equal to something that we supply, but we can inject, hence "SQL injection", some other code, or SQL, into that, SQL being the language of course that's being run in the background.

I don't want to baby this up, but I know I should, and that some people are wanting to learn this for the first time. In SQL injection, the magic thing, the bare-bones basic test you'll see in SQL injection challenges and tests of this, is just determining: can we get one thing that obviously equals another thing to return, or to go through? Sometimes you don't know the kind of string or quotations that it's using to determine a string; maybe it's using double quotes or single quotes to denote their string, so you kind of have to fuzz-test which one you are trying to end, because again you're concatenating your input inside of what would expect to be a string. So you have to escape or end out of their string with a terminating quote, double quote or not, continue the SQL with a new condition, or an OR statement (for this we're essentially an if clause or test clause), another condition where something is equal to, obviously, itself. So that will clearly return true: 1 is equal to 1. But we don't know what is at the very end of this query, so sometimes we'll have to comment out the rest of the SQL code, and the way we do that again is dependent on the SQL that's running in the background, the back-end database version: maybe it's MySQL, maybe it's the Microsoft SQL rendition, SQLite, etc. They all have a different kind of form, so again you'll have to fuzz and fudge that until you get something that will return a hit.

So if we wanted to we could simply try double quote OR 1=1 and then a hashtag, which is what you'd expect for some MySQL versions. I'm just going to paste that in both the username and the password field, because we don't know which one is vulnerable. We can go ahead and try and log in, but that doesn't work for us. So okay, let's try with single quote OR 1=1 and another pound symbol, or a hashtag, because that is what MySQL uses for comments. Try and log in with that. Oh okay, we get "an error with your request", and it actually shows us the query that's trying to run in the background. You don't normally see this; this is again just for your learning capability in the CTF scene, because the CTF is being nice to us where it shows us what they're trying to use. They're using a single quote: WHERE user equals the start of our input. You see we have our single quote injected into it, so that's why the error is happening, because it's trying to interpret this OR 1=1, but our hashtag is being weird; it's getting in the way, because we now don't have a string that matches the rest of this. The password is in there as well. So maybe it's not this comment style, but we do know we are using single quotes for our string. So let's change that: rather than using a hashtag, the Wikipedia pages suggest some other things, where you can use -- or -- to make a comment that you'd expect to see in SQLite. So let's try that again. I'm going to use it in the username and password field, and we log in: "welcome admin", the flag, "be careful what you let people ask", and the hash, that should be different for each one. So we logged in as admin because we got an immediate return and an immediate truth in our condition, WHERE 1=1 OR 1=1, so the first thing that we return is the very first row in the table that we're looking at, likely admin; it's usually admin. So cool, immediate login, we've got our flag.

If we wanted to we can script this, and I'd showcase that in another video, but I don't think it's necessary for this one. We can paste that in and we can jump up on the scoreboard, 50 points. Super cool, that's SQL injection. I will however want to take a note of that as our flag, because I think that's good practice. Certainly writing a flag script would also be good practice for it, but whatever, I digress. If you'd like me to we certainly can; I'd use some Python requests, use regular expressions to pull out the flag, and we'd be grooving.

Special shout-out to the people that support me on Patreon. Thank you guys so much, I love you. That was weird, sorry. $1 or more on Patreon a month will give you a special shout-out just like this at the end of every video. $5 or more on Patreon will give you special access to a folder on Google Drive where I like to upload my early access videos, where I include all the videos that I have recorded but not yet released on YouTube, because I normally record in bulk and gradually upload them to YouTube on a scheduled basis. So if you don't want to wait, you want the content right when it's ready, that's the best way to do it, just $5 a month on Patreon. If you did like this video please do press that like button, maybe leave me a comment, and if you're willing to subscribe that would be awesome. Link in the description to join our Discord server; it's a cool community of CTF players, programmers and hackers. If you want to hang out with me or some other awesome people, that's the best way to do that. Hope to see you guys on Patreon, thank you, and I hope to see you in the next video. Bye.
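As an added example that is not part of the video or the challenge, the login pattern the transcript describes, reproduced locally against an in-memory SQLite database. The table name, column names (`name`, `password`) and the three sample users are constructed assumptions; the real challenge's schema is only partly visible in the error page. It runs the same three payloads the video tries, in the same order, against a string-concatenated query, shows why the `#` comment fails and `--` succeeds under SQLite, counts how many rows the injected WHERE clause matches (which is why the first row, admin, comes back), and puts a parameterized query beside it as the fix.

```python
import sqlite3

# Constructed sample data for this demo; the challenge's real rows are unknown.
SAMPLE_USERS = [
    ("admin", "s3cr3t-admin-pw"),
    ("alice", "alice-pw"),
    ("bob", "bob-pw"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database with a tiny users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """The pattern the video describes: user input concatenated into the query.

    Returns ("ok", username) when the first matching row is found,
    ("fail", None) when nothing matched, or ("error", detail) when the
    injected text broke the SQL syntax, which is what the challenge page
    echoed back together with the query it tried to run.
    """
    query = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        return ("error", f"{exc} :: {query}")
    return ("ok", row[0]) if row else ("fail", None)


def rows_matched(conn: sqlite3.Connection, payload: str) -> int:
    """How many rows the concatenated WHERE clause matches for a payload.

    With `' OR 1=1 --` the predicate collapses to `name = '' OR 1=1`, so every
    row matches and fetchone() in login_vulnerable returns the first one.
    """
    query = (
        f"SELECT COUNT(*) FROM users WHERE name = '{payload}' "
        f"AND password = '{payload}'"
    )
    return conn.execute(query).fetchone()[0]


def login_safe(conn: sqlite3.Connection, name: str, password: str):
    """Same lookup with bound parameters: the input is data, never SQL."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return ("ok", row[0]) if row else ("fail", None)


if __name__ == "__main__":
    db = build_db()
    # The three attempts from the video: wrong quote, wrong comment, working payload.
    for payload in ['" OR 1=1 #', "' OR 1=1 #", "' OR 1=1 --"]:
        print(repr(payload), "->", login_vulnerable(db, payload, payload))
    print("rows matched by ' OR 1=1 --:", rows_matched(db, "' OR 1=1 --"))
    print("parameterized:", login_safe(db, "' OR 1=1 --", "' OR 1=1 --"))
```

The double-quote payload is harmless here because the server wraps input in single quotes, so it just becomes a username that matches nothing; the `#` payload raises a syntax error because SQLite does not treat `#` as a comment; the `--` payload comments out the closing quote and the password clause, leaving an always-true predicate. Against MySQL the `#` variant would have worked and `--` needs a trailing space, which is the fuzzing the video talks about.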
Original Description
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond