SQL Injection

David Bombal · Intermediate ·🔐 Cybersecurity ·5y ago

Key Takeaways

Demonstrates SQL Injection using sqlmap

Full Transcript

hit return let's get it hit return go go thing do do stuff oh yeah it's going oh look at this it says recognized possible password hashes in column password well how about that nice going there sql map good call and it says do you want to store hashes to a temporary file for eventual further processing other tools so if i want to try to crack those passwords myself it can dump it to a file for me and i can go after that later i'm just going to go with no because i don't want to now it says do you want to crack them via a dictionary based attack sure why not we're already here might as well go ahead and fire away that so it says what dictionary do you want to use i'm just going to go with the default which is the default dictionary that it has available and uh do you want to use a common password suffixes no again i'm going with defaults and there you go and now it's churning and burning away at the passwords that it found already found one password because we see it hit right it's cracked password for hash here comes another one cracked password charlie for this hash here's another password we've just cracked let me in here's another one password uh for this hash and looks like maybe that's all of them we'll see right it'll finish up it's not a very long word list so it shouldn't take too very long to finish up but i love having like again going back to that script kitty we're we're just pointing things at things and letting it do what it's going to do and it was able to crack a few passwords for us so it looks like that was all the passwords it cracked and you can see it's a little janky because i've got the screen so blowed up but [Music] hey everyone it's david bumble really excited to have daniel from ikey pro tv back with me it pro tv we're very kind to sponsor this video so big shout out to them for sponsoring this video and a series of videos with daniel what i wanted daniel to do is to show us practically how to hack networks so i've brought him on to show us his top five hacking tools daniel welcome hey thanks for having me back david i was super excited when you contacted us about doing this right going hey you know what would be cool showing people how these hacking tools can work and what they're all about i was like heck yeah any day of the week sign me up so i'm i'm glad to be back with you man yeah i mean it's you you know we mentioned it before you can read about it you can study it but until you see it it doesn't really hit home and i mean i want to try and make these videos as short as possible so i'm going to try and keep quiet okay and just let you get on with the demo so go for it all right so uh if you're looking at my screen you're going okay what's daniel got going it says vulnerability sql injection that sounds fun it should be fun if everything goes according to plan uh and what we're going to do is we're going to do a little bit of sql injection and we're going to use a tool called sql map sql map automates the process of us performing sql injection the only thing we need to do is try to identify the place in which a sql injection might occur luckily for us we have a vulnerable web application right here that is built purposefully for us to be able to do that and test these things play with these tools this is called dvwa or the damn vulnerable web application i don't name these things but it does a great job of giving us a playground in which to get into and so we can check out things like sql map and other cool hacking tools and uh we're gonna look at this one maybe a couple of other things that will allow us to do this i'm just running this locally on my machine in virtualization so there is a server running it has network capabilities we're accessing it through the browser it's that simple right we gotta love that yeah i think we just just thought just for youtube sorry to interrupt you we need to say that this is not any website out there this is a local version absolutely daniel's using a test network locally it's a virtual machine on his yeah yeah i don't know i don't i don't hack people's stuff without permission and neither should you that's a it's a great way to get a nice shiny set of bracelets though and a cool cell mates so we've talked about that before we don't want that we did yeah we did we want to avoid that at all costs all right so uh here we just have the app right so it has an input box and i want to do something it says a user id so i'm going to assume they mean numerical ids so i'll just try number one because number one is usually admin or something and that's exactly what we see that's comes true well id is one first name is uh admin surname is admin as well it's the admin thing so it's just reaching into the background pulling in this stuff from the database and spitting it out on our website now that said i want to grab information that i'm going to need to give to sql map which is just two bits of info nothing nothing crazy one is going to be the url itself sometimes well you're always going to need the url it's going to need to know where am i going who am i contacting and looking for so i'm just going to grab that url right there right slap that and ready to go okay now once i have that i'm going to need something else possibly which is if it's doing any kind of session tokens or anything like that inside the cookies you might need to grab that stuff i've also already grabbed that and put that in uh in our our sql map command so that said now that we have those two pieces of these elements and you can get that through your if you're like how do i get a session token you just got to look in the um the inspector tools you can look through there you can use something like burp suite to grab that which spoiler alert i use because that's a simple way to do that and once i have that now i can feed those to sql map and run sql map to see if it can automate the process of finding and exploiting an actual problem in this web application so let's let's let's let's hack it and then i'll i'll ask you to show us how to get that information manually shall we then let's do it yeah go for it okay let's get here let me grab my terminal i've already pasted that stuff all that information right like there is my um url you can see that right dash dash url and you just start the command with sql map i give it the url url there it is dbwa there's the vulnerabilities sqli and it's that id equals one that you see right there that's what's gonna be the what's called injectable area i know that because i know how sql injections work but if i didn't it wouldn't matter i just grabbed this slap it in here unlike david likes to say script kitty the thing up and just see if the tool will work for me all right so there's all that stuff uh what else do we have and then below that yes there's the session cookie so the security assistant we'll explain all of that in a moment yeah all right let's get in uh there hit hit return let's get it returned go go thing do do stuff oh yeah it's going all right so it's asking me a question at this point just saying hey it looks like the backend database is my sequel do you want to skip other payloads yeah i want to skip other payloads do the thing uh do i want to include all remaining tests i'm just going to hit the defaults on this so move along little doggie and now it's testing right it's doing all that automation stuff it's literally script kitty mode yeah yeah oh this is this is full on script kitty it's funny though it is a it's a valid tool though like i only have if i was an actual pen tester it's asking me something else it does say look the get parameter id is vulnerable do you want to keep testing the others i'm good if you got one go ahead and hit it you'll notice that's the default but if i were a pencester i would want to like i wouldn't want to spend all my time manually enumerating a sql database i would just want to get that stuff you'll notice here are all the databases that it was able to see within that mysql instance we have a lot of them right but the one we're looking for is the dvwa which is right there right now i know the name of the database cool i've i've figured something out we've done something and it worked i enjoy it all right let's i'm just going to press up arrow so i can get this going back again now i need to enumerate that database a little bit right so i want to i want to know what the table is all so dash dash tables in dash d which is going to tell us the database which is called dvw dbwa hit go and now it should tell me the names of the tables that are inside of that database and we do see that right here two tables we've got one called guest book and one called users which one would you like to look in david i think prep preps users users okay i mean i thought guestbook was gonna have all the money in it but what the heck right if you want users admin guess user yeah this is your show so we're just going to go the way you like all right so i'm going to go over here and i'm going to change this i want to look at the columns just to see what column names are available uh columns like that i want to see the columns that are in that table and then i also have to tell it dash t for the for the table name which is users all right firing away again and there it goes it's showing me the different columns and the information that is stored inside of those columns so there's one column called password there's one called users well it's not showing me the information in it we will see that in just a second uh so this is all nice right because you got password you got user you've got uh when they've last logged in whether or not they've had failed logins user ids all great stuff cool we are about to like own this database total money we're actually going to look in the database and see that information well even farther like down to the nitty gritty the important elements that could actually be useful for us if we were doing this as a like a job or something right so i'm just going to change this dash columns to dump i want you to dump the database go and as you can see it does the thing oh look at this it says recognized possible password hashes in column password oh nice how about that nice going there sql map good call and it says do you want to store hashes to a temporary file for eventual further processing with their tools so if i want to try to crack those passwords myself it can dump it to a file for me and i can go after that later i'm just going to go with uh no because i don't want to now it says do you want to crack them via a dictionary based attack sure why not we're already here might as well go ahead and fire away that so it says what dictionary do you want to use i'm just going to go with the default which is the default dictionary that it has available and do you want to use a common password suffixes no again i'm going with defaults and there you go and now it's turning and burning away at the passwords that it found already found one password because we see it hit right cracked password abc123 for hash here comes another one cracked password charlie for this hash here's another password we've just cracked let me in here's another one password for this hash and looks like maybe that's all of them we'll see right it'll finish up it's not a very long word list so it shouldn't take too very long to finish up but i love having like again going back to that script kitty we're we're just pointing things at things and letting it do what it's going to do and it was able to crack a few passwords for us so it looks like that was all the passwords it cracked and you can see it's a little janky because i've got the screen so blowed up but if you try to follow the bouncing ball here's the first actually what i can do is this there's the first entry right that anything highlight is within that so we've got a user id of one we've got a user of admin we've got where the avatar lies we've got a last name of admin there's the password hash and it's kind of broke up let me see if i can there we go just make it a little neater for us we can see that the password is in parentheses right next to the password hash so i don't even have to like go back up and try to you know one to one correlate thing puts everything right there so now i have usernames and passwords from this application i could then use those usernames and passwords specifically that admin one to log into the application as an admin and perform for their damage if i was an attacker i would be going after all the goods right find all that sensitive information pii credit card information that kind of stuff grabbing that exfiltrating it all through just pointing and clicking a tool at its and unfortunately i have found something that works even more simply than this in the wild obviously we won't do that but i could read their entire database and it was a it was a live website i'm like though this is not bad we need to let people know that we got to fix this up but there you go sql map hopefully you're seeing at this point why i like this tool because it is pretty simple it is pretty straightforward you give it a couple pieces of information and you let it go on the thing and you're you're in up database having a good time okay so video can end now no i mean seriously what i want to do is i want to now like get you to explain what you did because we did the script kitty type thing which is fun okay um but now let's let's step back and like work through the process so um we understand what you did so if you can go back to the web the website and let's start there so sure i'm gonna i'm gonna try and bring the level down so anyone who's new to this can kind of understand what we what we what we're doing okay so basically what you've got is you've got a web site um and it's got a a sql database on the back end something like that and when you like when you put in the user id of one it's basically sending a a query to the database and that information is returned back to the web page is that right yeah that's exactly right so the code on the back end of this page it's it's gonna this pages code is going to take in the information that we feed it through the input right so we have an input right here that's that's all that means is a place that the person on the other end of the the world or the computer or whatever is able to give it information and it will take it in that's just the basic idea when we say input so the user has a place to input from there it takes that input and then it slaps it into a a sql statement in the code on the on the back end on the server side right so the server that's that's generating this website that's generating this web page is servicing the web requests that we're making with it has an area that says if you take this in and this value has this this container has value read whatever it is that's in there and slap it in the sql statement and then use that to query the database because there's a there's a language for querying sql databases called transact sql or t-sql and that's what's being done there's a t-sql statement in there that can be put in through i guess it's a php application so php can interface with transact sql you can put transact sql statements in your php code and it can process it for you so it will then reach into the database it will perform that transact sql statement get the results from it send that back put that inside of a variable the variable will then be interpreted by your website's code and then the code will get generated and you have a website and have things like this that return to the other side so that's the that's the basic idea of actually how how most web applications work i have a front end this is what i see and what i deal with i have places for input and on the back end i've got databases and server side code that does things and i want to interact with that stuff and make it do weird things that it's not meant to do sql map allowed us to do that so so show us your sql map statement again so we can sure sure let's let's jump over there pick your brain for about it let's uh let's do this maybe just open another terminal or something well i'll just i'll just do up and then there we go i can get it in the middle i'm actually firing it away don't do that all right then i'll uh let's start with the first one actually because that was the last yeah right in the beginning there we go so there's our statement you've got the the command is sql map that's the application that we're running yeah correct so this is this this is the command this is the binary the executable the program that we want to run and then you've got to start giving it some information right so the first thing we give it is this dash dash url i think where do you where do you get that from so if you want to know more about what sql map can do most good programs give you uh help so if i did sql map dash dash help and let that propagate you can see they got all these wonderful things that we can do right so you can see here i could have just used a dash u or dash dash url i like using the the longer form because it it helps me remember this is what i'm doing with that so when they have that available i like to use that and when i'm demoing it's super helpful for people that are saying well i know what a url is okay great a dash you could that could be a user that could be something else so when it's verbose like that i like to use that and and the actual url did you copy that from the website or where did you get the url exactly you know when you go into your browser and you type in i want to go to google.com or i want to go to itpro.tv and you type that and you hit go and it goes in that bar just copy and paste what you think would be a good site or a good url to feed to sql map to say hey look here i think there might be a sql injection vulnerability check that out for me will ya or you're just like i don't know here's the url check it if it doesn't like it it'll say hey this doesn't look right and kind of complain to you so it does give you some helps as well to tell you that i don't think you're on the right track here so you're actually pointing it to the website not to the backend database is that right right so the site itself is what interfaces with the database so what i want to do is i need those parameters that are sending that information so sometimes you get it all in the url like what we had here so let me um let me bring it up again yeah let me bring that back up and then control c there we go so i mean you've got vulnerabilities forward slash right so you've got the domain name and then it's uh right then it's a um what's called a directory right you got a directory called dvwa you got another directory called vulnerabilities another directory called sqli or sqli and in there after that that's where we start giving it where it's taking its parameters this is where we're feeding it actual information input from us and it's just formatting it in the url it could look different than this you could just see the url itself without that stuff and those things can be uh added as what's called post data that's a hd um http method of interacting with an http server right so yeah you often you often see that question mark equals something yes yes look at your roles here that question mark is saying i have i'm going to define a parameter for you and then i'm going to give that parameter of values hence the equal sign and if that's valid then it will be able to it will be useful to the website itself so uh that's what we see here and that's why it's been programmed so daniel because you're a hacker and i don't trust you can you go back to the the website just copy the url into the uh the command prompt so we can compare the two all right i'm gonna there's the there's the url just highlight it right click yeah copy don't trust i i can't trust you magickatv you just lost it all right paste there we go and so that's that's essentially the url yeah right so and then you and then you made a you made a special change where you did like a backslash at some point i did so there is an ampersand if you guys it looks like the and symbol that we typically think of it's called ampersand and you'll notice that in my code or in my format i put a backslash there that ampersand can be interpreted by the bash interpreter the terminal itself as a special character and it was kind of freaking it out when i was working this up was like oh it doesn't like that i need to negate that and tell the tell the interpreter that's not a special character it's just a character treat it as a regular character so putting that backslash in there that's what that's what that was for that's what did that okay so we've got sql map is the application yes we've got um url which is just one of the the options for the application absolutely and then you you copied the url and made a slight adjustment i did and then you've got like cookie security stuff what's that about all right good question right because this is something that you may or may not encounter most of the time you'll probably encounter having to do this this dash dash cookie it's kind of broke up you got cook over here and e over here but after that you'll notice i put it in quotations and you can use single quotes or double quotes if there are single quotes or double quotes within your string you probably want to use the opposite to encapsulate it so i'm encapsulating my cookie from my browser so when you go to a lot of websites most of them will give you a session token of some sort and usually that's within the form of a cookie and that just lets it know that you are you and i'm not david and dave it's not me it's the law of identity right there inside your web browser just going right and having a good that's that's how google attracts you isn't it yeah exactly this is the usually it's meant to uh give you enhancement to your experience so i don't have to continue to tell you that i like brown shoes instead of black shoes or whatever it is right uh it keeps that information and it encapsulates that within a cookie and here we're just seeing that the session token itself is also in the cookie and i need that and i also wanted to make sure the security right so that's another piece of information it's giving me i set the security standards for the website to be low so we can do the demonstration without having to get way too technical and making sure that everything just works fine so i had to grab all that stuff and just slap in here i used burp suite to do that because it can can you show us can you show us how to do it manually if you don't have oh yeah yeah you can grab that stuff from the developer tools inside of your browser so easy way to get to that is just right click and go to like inspect element and that will bring up your developer tools they're usually in wicked tiny font they are and for me since i'm using firefox i've got a little box here let me uh let me oh i'm hitting i'm hitting things let's do this let's see here i've got this little box called storage if i click on that you can see there are those values session id right and if you look over there's the value of that piece of token it's a little little truncated we can kind of move that out and you'll notice that security was set to low so i can grab those values straight from from this chrome will be different and ie will be different and edge will be different you just gotta kind of fiddle around inside of there and look for wherever it's storing this information just kind of click around don't be afraid that's why we're hackers right we want to understand things we want to poke it with a stick and see where things stuff and just got to find it and once you do hey there it is grab it it's separated by a semicolon that's all you got to do so you got one value like security equals low boom semicolon space next value which will be php set id i think it's called and whatever equals this value boom i'm done put it in single quotes you've got yourself a cookie so i mean if you scroll left on that because you've zoomed in those are the two yeah so that you've got php session id and security and then you've got the actual values yeah that that crazy number yeah which is i think it's just a md5 some it's just a hash value that they use so that you have some sort of unique identifier that's easy to create and so if you go back to your um command prompt you you literally copied those i mean you use burp suite to make it easier yeah it says i can just basically yes but you basically if you can go back to that um just right there there are so security is low and then the pc yep okay so so we the whole command we've explained thus far um thus far and then what's the uh what's the dump and stuff again all right so we actually went through quite a few different um things the first one we did was dash dbs so let's let's do sql map let's do it again if you don't mind and i will go straight yeah i'm just going to do the dash just help feature and that way we can look for that okay and uh let's see here where's that dbs hiding we might have to go into the man page dbms so if you don't get enough information out of this most of these things have a lot of beyond help files which is called man pages man sql map and in there i can just do a search for dbs there we go and that dash dbs functionality says enumerate dbms databases so look what does that mean look for um what did that let's go back so what that means is go back up here and i want to get there dbms is basically what is the database type find out what that is and then look for the databases that are inside of it that's that's generally that's basically what the idea is just find out what type of database we're running here and figure out whether there are any like what the names of those databases are that are running in that instance so it could be like my sequel as an example of correct mariadb uh would be another one right maybe it's an oracle database maybe yeah there's a myriad of different databases that it can find and you want to know which one you're working with so that you can give it the right type of syntax and work with it correctly so there you go from there once we got that information then we were digging a little bit deeper right do you mind do you mind running the commodity game sure no no not a problem let's start let's go through the whole thing again just slowly sure i'm just going to start from the top that way uh wherever yeah there we go so there's the dbs right we run that this other one really fast now because it kind of caches this stuff um and then you can see it found available databases and there were 17 of them right the back end dbms was my sequel and it looked like it was greater than 5.0 so the version again gave me some versioning information so all of these where it says available databases anything underneath that is telling me this is the name of a database in this database server that i could reach into and give you information about which one would you like just like you were if you were actually at the terminal itself interacting with my sql going oh okay show uh databases semicolon enter and it would it would spit this exact thing right out then we go cool i want to use dvwa semicolon enter bam and it would go okay you're now using the dvwa database what would you like now next thing i want is those tables what tables are in this so from there we just ran we took dbs off and we said dash dash tables and then dash d for the database which was called dbwa so the dash d is saying my database name is going to be dvwa now if that's not a legit database it'll it'll error out you'll have problems but i want to get the tables that are inside that database bam fire away and there they are all right so i've got two tables inside of this database one's called guestbook the other is called users because you're a smart person you decided let's look inside of that user's table right that was the next thing we needed to do was to look in that user's table so backup change this well actually that can stay the same i will do dash t because the table is going to be called users and then i wanted to see what columns were available on that table so i'll just change that to columns fire away and it tells me here are the columns the attributes of this table there's information in those and what type of information it is this column is called password this column is called user and it is it contains characters right uh we've got avatar failed log and so on and so forth so at this point as an attacker or a pen tester if that's what i am hopefully that's what i am and not an attacker i'm going oh this is all really good information for me as an atta if i were an attacker i've got i've got to have a talk and and write this up in my report saying okay i was able to find usernames and passwords through sql injection here's how i did that now let's talk about how we can remediate that problem right so now that i know that users and passwords are things that i want i just want to now just dump the information that was in the database and that brings us full circle back to just dumping so i just changed this from columns to dump so that will dump the contents and that's when it was like oh we found hashes right it said looks like password contains password hashes cool uh do you want me to try to crack them sure which it already did so that was super fast and then of course it dumps the contents of the database i can i can kind of do this and show you that would be more along the lines i don't know if you guys it's really really small but you can see it's a little nicer formatting i can see it fine but i know that's really hard for everybody at home so i want to keep it you know where you can see it it's just giving me all those those columns and the information inside of those columns and those rows and we we are now king we have a username and password we can log into the system if we wanted to we could we could grab one of these so like the user account here for gordon b right okay gordon b his password is abc123 let's give it a shot let's pretend gordon b is the admin of our web application let's go and see what happens when we go to the web application right i'll close these in these tools i will log out and i will log in with gordon b password a a b c one two three oh look we were able to log in and it shows me logged in as gordon b rights down here so i'm now able to impersonate people go in make purchases on their behalf change their information do all sorts of horrible heinous things so that's the importance of trying to keep databases safe from things like sql injection and using things like parameterization prepared statements uh input validation these are all the things that we do of course secure coding practices that implement all of those things so that we don't allow for this but man it sure was easy used in sql map and hence why i like it why is it called sql injection so just let me let me ask some like very easy questions so it's called sql injection because of the idea around the input right i was able to input something into a sql statement and from there that's what causes the problem okay and actually i wonder if let me uh i don't remember if dvwa does this let's go to sql injection and oh yes excellent view source so they kind of give you this wonderful little thing so you can kind of see what's going on right so this is the code that runs this and there is this transact sql statement that is causing our problem okay you'll notice it says select first name last name from users where id equals and it takes this parameter in whatever that is so i wanted to ask you how did you know one that's just guessing because admin will probably be one is that right yeah because most of the time when it comes to user creation the first user that gets created is the administrator because they're setting everything up so it's a really good guess if one's not it maybe try zero because a lot of systems count from zero so you know you bounce around there and see if anything doesn't mean other users couldn't also be admins it just means it's a good bet to see if there is an admin user it usually is number one so there's that but this statement is basically taking that information whatever i put in that input box it just slapped a one okay one that's fine but what if i gave it like a special carry remember how we had problems with that special character in my bash interpreter it was like oh that's an issue i had to negate that you guys didn't see that but because i i prepared for that but if i didn't we would get all sorts of funky weird errors to do something strange that's what we're doing that's why they call an injection because i'm injecting characters that are going to cause it to do things that it wasn't designed to do but does nonetheless so i'm injecting those into and that's why we call it sql injection so you're actually just reading from the database here you're not really writing to the database does it have the ability to write oh yeah it has the ability to write that's a bit more technical that's that takes a bit more effort to do we'll leave that for another time yeah it's good to know that's um something i i have done and can do but um it's definitely a lot more lift you gotta understand a bit more about tranzact sql to be able to perform that attack but yeah and then if i can write to the database i can do things like create users i might even be able to reach and not only write to the database but also write to the file system that the database sits on and say hey put a file in the slash temp directory or put it right here in the web directory and while you're at it you know make that file this and it's inside of that file is going to be like some malicious php if it's a php application and then when i browse to that it will execute that because it's all done under the context of the web application service account so it just trusts it and says hey i created this it's in the right spot i will run it and it's my malicious php code and now i have shell access to the system so this is the the steps that we end up taking to gain actual interactive access to the system beyond just getting into the database which is a fun feat in and of itself and can be extremely devastating which is what a lot of people want but if i wanted to then turn this system into something i want to pivot around and i want to use it to start looking for other machines on that back side and finding oh what's what's beyond the dmz that i normally can't see but because i have access to this it does have access to those other systems and now i can see them great i've now got myself a nice little bot to do my bidding and there you go yeah so i'm going to put it to the to everyone watching do you want daniel to show us that perhaps in a later video if we get more complex put put you know put your comments below let us know what kind of tools you want to see daniel cover i mean we started with five of the ones that he likes most but if you um if you've got any other suggestions any one any other tools that you'd like him to to cover not guaranteeing that we'll do it but put put your comments below but danielle i had another question for you okay okay you demonstrating these um these vms yeah where did you get them from so this one specifically i got from vaughnhub vulnenhub.com they've got a lot of great ctfs but if you search around this one is specifically called web split 2018 and it's actually kind of like a a hacking gymnasium a hacking playground it's got a bunch of different really fun web applications that are specifically broken and broken purposefully so that we can play with hacking tools without getting in trouble right so this is a great one i always like having this one laying around because if i ever want to test something or i need just a playground to throw a new tool at or see how it works or something like that i just spin this up in my virtualization environment and start poking at it and seeing what it does so it's nice to have all those different types of applications i can not only test and see if i understand a certain concept on one platform then i can jump to another broken application see if i can leverage those skills on that platform and i didn't have to get another virtual machine stuff there's a bunch of different stuff in there it has juice shop in there it's got web goat in there it's got uh multilidae it's got b whap it's all sorts of great stuff running in there so i like it's kind of like a all-in-one solution for me so i mean just to if someone wants to replicate what you've done i mean i'll put links below but i mean you've you've got one vm running in vmware and then you've got that that's the one one that's running this this application and then you've got uh kali or kali linux if you prefer running in another vm and you're just you're just connecting them locally on your on your on your laptop is that right yeah because of the you know instant or the uh insecurity wrapped around these these applications you typically don't want to expose them at all to the internet so uh what you can do is just create like a host only environments something that's controlled and only within the virtualization software itself and not actually reaching out beyond that so that's what i've done here to keep everything on the um on the safety right we like to keep like safety first yeah so i mean that it's basically limited to your to your to your laptop yes um but the great thing here is someone else can can replicate this as well oh yes i'll put i'll put links below if anyone who wants to download it anything else you want to talk about with i mean this was a fantastic demo so really thank you for for showing us um anything else you want to talk about this specific uh sql injection you know it's funny you tend to as you teach these things from time to time you kind of get jaded to the the cool factor of it and then every now and then a story will break on the news and go so and so was breach today due to what's called a sequel injection or an injection attack and you're like oh there it is you know you're thinking i'm ridding the world of this no it's still out there we're still humans we still make these mistakes these coding errors that allow for these type of things as an attacker they just have to be diligent enough to continually scan they've got that on their on their side plenty of time so we need to be doing our best practices of making sure that we're using all the mitigations and best practice strategies and security controls that we have available to us to keep this kind of thing from happening because if it does well we've seen how devastating it can be even if that's in a controlled environment so i mean the how would you stop this is this is this where it comes to like proper development someone who's got to write their code right yeah so that comes back to i was talking earlier about the remediation strategies like yeah you have um first you'll probably start with some sort of input sanitization so if i give you input as an end user i want to make sure that that input doesn't contain anything that could potentially cause a problem so i'll make a list and basically what's called regular expression and say this is my list of characters that we're going to not allow to pass through so if i see him i'm going to strip it off or maybe even warn hey you've got a bad character there you know don't do that we don't allow that um most people just strip it off though and say okay those characters aren't allowed that character's not allowed and programmatically will reform the input so that it is acceptable on the other end now there are ways to get around that so we also want to make sure that we're doing things like um prepared statements and these are like instead of injecting into an ac the statement we say oh this is the statement which you want to make i've got a list of statements that are fine let me use one i've already prepared so i'm not passing along that sql injection so that helps a lot with that those two things right there are the main ways in which we stay out of the weeds with sql injection that's great i mean it's you know you you often like you watch them mr robots uh series and then you think okay um is this actually real um and you've shown us a very simple example of um of an attack but um you know anyone could you know script kitty or someone who really knows what they're doing could you could leverage i think the mr robot series has gotten a good rap because it has taken some pretty good pains to try to stay as accurate as possible so it's it is extremely accurate when you watch a lot of what they're doing um i haven't seen too many mistakes i can't think of any off top of my head where i was like oh uh that's that's not right that's not how that works typically you're like oh yeah that's that's legit right there so it's a cool series as far as that goes obviously it's got some interesting storyline to it as well but yes the technical side of it is is pretty on par that's great daniel sir thanks very much for showing sql injection what to to tease for the next one what are you going to show us next oh that's a good question i wasn't prepared for that i don't know because i've got a few of them let's how about uh how about the next one we'll do is metasploit great yeah i'll look forward to it thanks very much no problem thank you

Original Description

Daniel demonstrates SQL Injection using sqlmap. This is one of his favourite tools. Big thanks to ITPro.TV for sponsoring this video. In future videos, he will show us additional tools. ====== Menu: ====== SQL Injection Demo: 0:00 Daniel's top 5 hacking tools: 1:40 SQL Injection: sqlmap and DVWA: 2:31 Don't get shiny bracelets: 3:32 Start attack: 5:44 SQL tables: 8:00 SQL dump: 9:35 SQL Hashes: 9:45 DVWA explained: 12:40 sqlmap command: 15:27 url: 16:06 sqlmap uses the website: 17:34 Change URL to handle special characters: 19:21 cookies: 20:04 How to find cookies manually: 21:41 sqlmap switches dbs: 23:55 sqlmap tables: 26:30 sqlmap columns: 27:31 sqlmap dump: 28:29 Login as a user: 29:45 Why is it called sql injection: 30:41 Can you write to the database: 32:45 What do you want to see? 34:48 How to build the same network: 36:23 It is still used in the real world: 37:31 How to stop this: 38:30 ======================== Download software and VMs: ======================== VM used: https://www.vulnhub.com/entry/websploit2018-1,253/ Kali Linux: https://www.kali.org/downloads/ ================ Links: ================ ITProTV Free Training: http://davidbombal.wiki/freeitprotv My ITProTV affiliate link: http://davidbombal.wiki/itprotv ==================== Connect with Daniel: ==================== LinkedIn: https://www.linkedin.com/in/daniellowrie Blog: https://blog.itpro.tv/author/daniellowrie/ ================ Connect with me: ================ Discord: https://discord.com/invite/usKSyzb Twitter: https://www.twitter.com/davidbombal Instagram: https://www.instagram.com/davidbombal LinkedIn: https://www.linkedin.com/in/davidbombal Facebook: https://www.facebook.com/davidbombal.co TikTok: http://tiktok.com/@davidbombal YouTube: https://www.youtube.com/davidbombal sql sqlmap sql map sql injection sql injection demo kali sql kali linux sql kali linux sql injection kali linux hacker hacking ethical hacking cybersecurity cybersecurity careers ceh oscp itprotv ejpt c
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from David Bombal · David Bombal · 0 of 60

← Previous Next →
1 RYU SDN Controller Part 4: Graphical User Interface (GUI): Practical GNS3 SDN and OpenFlow
RYU SDN Controller Part 4: Graphical User Interface (GUI): Practical GNS3 SDN and OpenFlow
David Bombal
2 HPE Network Protector SDN Application Part 1 - Introduction
HPE Network Protector SDN Application Part 1 - Introduction
David Bombal
3 HPE Network Protector SDN Application Part 2 : DNS Interception using OpenFlow
HPE Network Protector SDN Application Part 2 : DNS Interception using OpenFlow
David Bombal
4 HPE Network Protector SDN Application Part 3 - Lab Setup using Physical Switches
HPE Network Protector SDN Application Part 3 - Lab Setup using Physical Switches
David Bombal
5 HPE Network Protector SDN Application Part 4 - Demo of malicious websites blocked
HPE Network Protector SDN Application Part 4 - Demo of malicious websites blocked
David Bombal
6 HPE Network Protector SDN Application Part 5 - Demo OpenFlow table interception flows
HPE Network Protector SDN Application Part 5 - Demo OpenFlow table interception flows
David Bombal
7 HPE Network Protector SDN Application Part 6 - Demo of Physical Switch configuration
HPE Network Protector SDN Application Part 6 - Demo of Physical Switch configuration
David Bombal
8 HPE Network Protector SDN Application Part 7 - Demo Service Insertion Tunnel / GRE Tunnel
HPE Network Protector SDN Application Part 7 - Demo Service Insertion Tunnel / GRE Tunnel
David Bombal
9 HPE Network Protector SDN Application Part 8 - Demo SDN OpenFlow Reporting
HPE Network Protector SDN Application Part 8 - Demo SDN OpenFlow Reporting
David Bombal
10 HPE Network Protector SDN Application Part 9 - Demo switches interception of DNS traffic
HPE Network Protector SDN Application Part 9 - Demo switches interception of DNS traffic
David Bombal
11 GNS3 Talks: GNS3 version 1.5.X Appliance Tips
GNS3 Talks: GNS3 version 1.5.X Appliance Tips
David Bombal
12 CCNA 200-125 Exam: AAA demo: TACACS+ with GNS3
CCNA 200-125 Exam: AAA demo: TACACS+ with GNS3
David Bombal
13 GNS3 2.0.0 beta 2 install
GNS3 2.0.0 beta 2 install
David Bombal
14 CCNA #012: Learn SNMP with GNS3, Wireshark and Solarwinds NPM - CCNA 200-125 exam
CCNA #012: Learn SNMP with GNS3, Wireshark and Solarwinds NPM - CCNA 200-125 exam
David Bombal
15 CCNA #013: Spanning Tree CCNA Exam Questions: Know the answer? CCNA 200-125 exam
CCNA #013: Spanning Tree CCNA Exam Questions: Know the answer? CCNA 200-125 exam
David Bombal
16 GNS3 2.0.0 beta : GNS3 VM integration with GNS3 GUI
GNS3 2.0.0 beta : GNS3 VM integration with GNS3 GUI
David Bombal
17 CCNA #018: Routing exam questions: Who wins? OSPF, EIGRP or RIP? Sure? CCNA 200-125 exam
CCNA #018: Routing exam questions: Who wins? OSPF, EIGRP or RIP? Sure? CCNA 200-125 exam
David Bombal
18 CCNA #019: Spanning Tree CCNA Exam Questions: Root Bridge, Root Port and more: CCNA 200-125 exam
CCNA #019: Spanning Tree CCNA Exam Questions: Root Bridge, Root Port and more: CCNA 200-125 exam
David Bombal
19 GNS3 Download, installation and configuration - GNS3 1.5.3 and Windows 10
GNS3 Download, installation and configuration - GNS3 1.5.3 and Windows 10
David Bombal
20 CCNA #023 EIGRP Neighbor Troubleshooting (DUAL Issues) for the CCNA 200-125 Exam
CCNA #023 EIGRP Neighbor Troubleshooting (DUAL Issues) for the CCNA 200-125 Exam
David Bombal
21 GNS3 2.0 Architecture and schema Part 1: What is the GNS3 Controller?
GNS3 2.0 Architecture and schema Part 1: What is the GNS3 Controller?
David Bombal
22 GNS3 2.0 Architecture and schema Part 2: Emulators and virtualization
GNS3 2.0 Architecture and schema Part 2: Emulators and virtualization
David Bombal
23 CCNA #028 VTP Troubleshooting for the CCNA 200-125 Exam
CCNA #028 VTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
24 CCNA #029 VTP & DTP Troubleshooting for the CCNA 200-125 Exam
CCNA #029 VTP & DTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
25 CCNA #030 VTP Troubleshooting for the CCNA 200-125 Exam
CCNA #030 VTP Troubleshooting for the CCNA 200-125 Exam
David Bombal
26 GNS3 : How to download Cisco IOS images and VIRL images. Which is the best? How do you get them?
GNS3 : How to download Cisco IOS images and VIRL images. Which is the best? How do you get them?
David Bombal
27 GNS3 ASA setup: Import and configure Cisco ASAv with GNS3
GNS3 ASA setup: Import and configure Cisco ASAv with GNS3
David Bombal
28 GNS3 switching setup and options: Cisco and other switching options in GNS3
GNS3 switching setup and options: Cisco and other switching options in GNS3
David Bombal
29 GNS3 switching setup and options Part 2: GNS3 unmanaged built-in switch
GNS3 switching setup and options Part 2: GNS3 unmanaged built-in switch
David Bombal
30 GNS3 switching setup and options Part 3: Router on a sick with GNS3 unmanaged built-in switch
GNS3 switching setup and options Part 3: Router on a sick with GNS3 unmanaged built-in switch
David Bombal
31 GNS3 switching setup and options Part 4: Etherswitch Router for Cisco Dynamips Part 1
GNS3 switching setup and options Part 4: Etherswitch Router for Cisco Dynamips Part 1
David Bombal
32 GNS3 switching setup and options Part 5: Etherswitch Router for Cisco Dynamips Part 2
GNS3 switching setup and options Part 5: Etherswitch Router for Cisco Dynamips Part 2
David Bombal
33 GNS3 switching setup and options Part 6: Etherswitch, Wireshark, 802.1Q, InterVLAN routing
GNS3 switching setup and options Part 6: Etherswitch, Wireshark, 802.1Q, InterVLAN routing
David Bombal
34 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 1: GNS3 Switching Part 7
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 1: GNS3 Switching Part 7
David Bombal
35 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 2: GNS3 Switching Part 8
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 2: GNS3 Switching Part 8
David Bombal
36 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 3: GNS3 Switching Part 9
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 3: GNS3 Switching Part 9
David Bombal
37 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 4: GNS3 Switching Part 10
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 4: GNS3 Switching Part 10
David Bombal
38 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 5: GNS3 Switching Part 11
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 5: GNS3 Switching Part 11
David Bombal
39 GNS3 Nexus (NX-OSv) switch setup and configuration Part 1: GNS3 switching options Part 12
GNS3 Nexus (NX-OSv) switch setup and configuration Part 1: GNS3 switching options Part 12
David Bombal
40 GNS3 Nexus (NX-OSv) switch setup and configuration Part 2: GNS3 switching options Part 13
GNS3 Nexus (NX-OSv) switch setup and configuration Part 2: GNS3 switching options Part 13
David Bombal
41 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 6: GNS3 Switching Part 14
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 6: GNS3 Switching Part 14
David Bombal
42 GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 7: GNS3 Switching Part 15
GNS3 Talks: Docker, Open vSwitch, SDN and OpenFlow Part 7: GNS3 Switching Part 15
David Bombal
43 GNS3 Cisco CSR 1000v setup and configuration Part 1: GNS3 NFV
GNS3 Cisco CSR 1000v setup and configuration Part 1: GNS3 NFV
David Bombal
44 GNS3 Cisco CSR 1000v setup and configuration Part 2: GNS3 NFV
GNS3 Cisco CSR 1000v setup and configuration Part 2: GNS3 NFV
David Bombal
45 GNS3 Talks: Use the NAT node to connect GNS3 to the Internet easily!
GNS3 Talks: Use the NAT node to connect GNS3 to the Internet easily!
David Bombal
46 GNS3 Talks: GNS3 2.0 RC1 is now available
GNS3 Talks: GNS3 2.0 RC1 is now available
David Bombal
47 GNS3 Talks: GNS3 2.0 Portable Projects - easily export and import GNS3 projects
GNS3 Talks: GNS3 2.0 Portable Projects - easily export and import GNS3 projects
David Bombal
48 GNS3 Talks: Multiple clients sharing projects in real time, plus console session shadowing!
GNS3 Talks: Multiple clients sharing projects in real time, plus console session shadowing!
David Bombal
49 CCNA #035 NAT Troubleshooting Scenario 1 - Can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #035 NAT Troubleshooting Scenario 1 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
50 CCNA #036 NAT Troubleshooting Scenario 2 - Can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #036 NAT Troubleshooting Scenario 2 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
51 GNS3 Talks: ESXi, GNS3 VM and KVM support Part 1: leverage servers and the cloud
GNS3 Talks: ESXi, GNS3 VM and KVM support Part 1: leverage servers and the cloud
David Bombal
52 CCNA #037 OSPF Troubleshooting - can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #037 OSPF Troubleshooting - can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
53 GNS3 Talks: ESXi, GNS3 VM and KVM support Part 2:  leverage servers and the cloud
GNS3 Talks: ESXi, GNS3 VM and KVM support Part 2: leverage servers and the cloud
David Bombal
54 CCNA #038 NAT Troubleshooting Scenario 3 - Can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #038 NAT Troubleshooting Scenario 3 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
55 CCNA #039 - OSPF DR, BR and DROTHER Election - do you know the answers?
CCNA #039 - OSPF DR, BR and DROTHER Election - do you know the answers?
David Bombal
56 CCNA #040 NAT Troubleshooting Scenario 4 - Can you find the issue? CCNA Exam 200-125 troubleshooting
CCNA #040 NAT Troubleshooting Scenario 4 - Can you find the issue? CCNA Exam 200-125 troubleshooting
David Bombal
57 GNS3 Talks: Arista vEOS GNS3 import and configuration Part 1
GNS3 Talks: Arista vEOS GNS3 import and configuration Part 1
David Bombal
58 CCNA #041 - OSPF DR, BR and DROTHER Election - do you know the answers?
CCNA #041 - OSPF DR, BR and DROTHER Election - do you know the answers?
David Bombal
59 GNS3 Talks: Arista vEOS GNS3 import and configuration Part 2
GNS3 Talks: Arista vEOS GNS3 import and configuration Part 2
David Bombal
60 GNS3 Talks: ipterm: Linux, Docker, Python, SDN and more! Part 1
GNS3 Talks: ipterm: Linux, Docker, Python, SDN and more! Part 1
David Bombal

Related Reads

📰
Is Palki71 BD Real or Fake? How to Identify the Official Website
Learn to identify the official Palki71 BD website and avoid fake clones to ensure a safe online gaming experience in Bangladesh
Medium · Cybersecurity
📰
4 Trends Hackers Are Weaponizing AI: What It Means for Crypto Trading Security
Hackers are using AI to enhance their attacks on crypto trading security, making it crucial to stay ahead of these emerging threats
Medium · Cybersecurity
📰
Hammer | TryHackMe Walkthrough by Gyaneshchand
Exploit weaknesses in authentication processes to gain unauthorized access in the Hammer TryHackMe challenge
Medium · Cybersecurity
📰
The Paywall Worked. The API Did Not, So Is My Brain
Learn how a paywall worked but an API did not, and apply cybersecurity principles to identify and fix vulnerabilities
Medium · Cybersecurity
Up next
Stop Hackers Getting Into Your Website By Updating Old Plugins
Josiah Roche — Google Ads + SEO Training
Watch →