Bypass admin login with SQL Injections (sqlmap)

Captions
So you have this website with a login form, and you want to figure out how you can use SQL injection to successfully authenticate without any valid username or password. That's exactly what I'm going to show you how to do in this video. Now, quick disclaimer: don't do this unless you have explicit written permission or unless you own the application. If you do have permission or if you do own the application, not only is this perfectly legal, but it's also highly, highly recommended. By using these tactics you could find vulnerabilities in your own applications before a malicious actor does, and then you can fix those vulnerabilities. So if you're doing this against an app you do not own, that's a big no-no; if you're doing it against an app you do own or have permissions for, then it's highly recommended.

Now there's this really crazy powerful tool called sqlmap that we're going to use in this video. This tool was literally built as a penetration testing tool to both automate the process of finding and exploiting SQL injection vulnerabilities and then actually taking over databases and servers. So if you're watching this and you've never used sqlmap before, definitely stick around so I can show you really how easy it can make SQL injections. Now keep in mind, though, that you don't have to use a tool like this; you could actually do this manually, and if you're interested in seeing a demo of how to do this kind of technique manually, I'd be happy to post that on YouTube. Just let me know in the comments below. I've actually already demonstrated that in my Injection Attacks free guide course, but I'd be happy to share it on YouTube as well if there's enough interest. And one more thing before I get into it: do me a huge favor, smash that subscribe button, smash the like button, and then leave a comment below. Your engagement helps me tremendously.

So for our example website that we'll be attacking, I'm going to use an application called the OWASP Juice Shop. If you've never used it before, or if you want to just follow along, check out my other tutorial in the cards that shows you exactly how to set it up just like I have it here. Now the Juice Shop is actually a modern application that uses AngularJS and SQLite as its database, and so that actually makes things a lot more interesting than if we're dealing with, you know, a legacy application or something like that.

So let's start by just using a generic request. I've got ZAP, which is my proxy tool of choice, but you could also use Burp for this, of course, and you don't even technically need a proxy tool, but it could certainly make things easier. So we're going to go to the login page and we'll go ahead and submit fake credentials, so we can see how this application behaves as we do that. So for my username I'm just going to type test@test.com, and then for the password I'll just do test, or whatever you want, because obviously we're not truly authenticating since these are not valid credentials. But if we pull up ZAP and we find our login request, we'll get to see the endpoint that we want to provide to sqlmap and how we'll want to format our data. Now we can see that a POST request is being made to this endpoint right here, which is /rest/user/login, and then the data is being formatted in JSON format with "email" and the email that you submitted, and same thing, "password" and the password you submitted. So even though the web page endpoint itself is /login, when we submit our login request the client-side code is sending the request to this endpoint, which is /rest/user/login. So if we tried testing just the /login endpoint directly with sqlmap, we would not find any SQL injection vulnerabilities; that is not the endpoint that's processing our login requests.

So with this information we actually already have enough to start populating a command in sqlmap. So I'll navigate to where I downloaded the latest sqlmap version from GitHub, which is going to be in Documents/sqlmap-dev. There is also a pre-installed sqlmap version if you're using an operating system like Kali or Parrot OS, maybe a couple of others, but anyway, make sure you go into the directory that you've downloaded it to. And then I'm going to use Python 3 to make my request, so I've got python3 sqlmap.py, which is going to call the sqlmap script, of course, and then we're going to submit our target with the -u option. So the -u option lets us dictate what our target endpoint is, and that tells sqlmap what that is. Then we're going to pass in --data with email equals test@test.com and password equals test. Again, it doesn't really matter what the values are as long as you have the correct parameters. And then we're going to pass in --level 5 and --risk 3. Now these options actually determine the types of payloads and the techniques that sqlmap is going to use against our target, and so the higher the level that you submit, the more requests and the more detailed the testing is going to be. So of course that has pros and cons; you don't always want to use the highest or maximum levels, and you can check out my cheat sheets for more information on how that works.

Then I'm going to type in -f and --banner, and those are going to be our fingerprinting options that we're going to use to enumerate our target and to try and gather useful information. Then after that I'm going to use --ignore-code 401, and this is used because when sqlmap sends requests with SQLi payloads to the target itself, it's going to inevitably use invalid login credentials, right, just kind of like what we did, which results in an HTTP 401 response, with the 401 code being the Unauthorized HTTP code, and we'll receive that from the target application. So the problem is that when sqlmap receives a 401 response, by default it just shuts down the attack, because it doesn't want to waste requests if you didn't expect that response. We do expect this response in this case because it's a login page, and so we don't want sqlmap to stop; we want it to keep going. And so we're telling sqlmap: ignore the code 401; if you get it, just keep running your attack.

Then I'm going to pass in --dbms=sqlite. If you already know without a doubt what the DBMS of the target application is, you can go ahead and specify it, and that tells sqlmap to just throw out all the payloads and all the techniques that are not relevant to that DBMS, which is really helpful because it prevents you from flooding the target application, but also, of course, it just reduces the amount of time that sqlmap has to run before it can complete its operation. If you don't know what the back-end DBMS is, try to research it; that's usually really easy to find, especially for bigger organizations: engineers talk about it on social media, blog posts, etc. But again, if you still can't find it, no worries, sqlmap is pretty powerful; it will try to find that information on its own, and more often than not it can figure it out pretty easily. It's just going to be a little bit more noisy.

Then the last option that you should use is --technique=B, and so this is going to tell sqlmap to only use the boolean-based blind technique instead of using all the other available techniques that it has, and it has multiple different SQLi techniques that it can use. The only reason I'm doing this is because I already know that it's susceptible to this technique, and so that's going to cut back on some of the operation time, but otherwise you can use all the different techniques; you don't have to limit it to just the boolean-based blind payloads. And then I'm adding this, so don't add this: it's the flush option. You don't need to use flush; I'm just doing it to remove any cache that I have from prior operations that I ran against this specific application. Because this is probably the first time you're running it against this application, you don't need to do this; you don't have any cache.

Now I know I'm going through these options really quickly for the sake of time, but if you want more information, again, let me know, and I also have courses that go into a really deep dive on these options. But let me know; I'll be happy to provide more of these videos on YouTube if it's popular. Now we're going to submit this request and we'll wait to see what happens.

All right, so I fast-forwarded a little bit because of time reasons, obviously, but it will find a successful payload if you followed the steps that I'm doing here. And because we passed in the fingerprint and the banner options, sqlmap actually enumerated the back-end DBMS further than what we specified. So we told it, hey, this is SQLite; it already knew that, we already knew that, but maybe what we didn't know is the version number of SQLite. And so in this case it enumerated the information from the back-end database management system and found out that it's using 3.34.0. So we can use this information to search for vulnerabilities in different online databases, using Google, et cetera, especially if it's not the latest version. This is something else that we can not only include in our final report if we're doing a pen test, bug bounty hunting, whatever, but that we can use to try and find existing vulnerabilities that are well known but that this version hadn't patched yet, or that whoever is running this and administering this database, since they haven't patched it, that vulnerability is still valid, and we might be able to use that to further our attack.

Now one more thing that I'm going to do before we wrap up this video, just to show a little bit more behind the scenes, is look at the successful SQLi payload that sqlmap found. So if we scroll up a little bit and we take a look at what it found, we can see that the vulnerable parameter is the email param, and then the successful injection type, again, is OR boolean-based blind, which we knew, at least the boolean-based blind part, and the payload itself is right here. So we have our email equals test@test.com and then we have a single quote, OR NOT, and then number equals number, dash dash, and then some random characters, and then the second parameter of password equals test, which wasn't being tested. So what's really interesting about this, though, is that technically speaking, that payload that you see here doesn't actually work, but there's a reason why sqlmap is showing it, and I want to demonstrate that. So we can test this payload out manually via both the web page and via ZAP. So if we go to the login page and we try to submit this payload directly in the username field, we don't get a successful login. So what's going on? Why is sqlmap saying that it's successful if it doesn't actually work? What's the deal?

So there's a reason that I teach you in my course how to read the sqlmap code base and how to find information in the code base: that's because that's exactly where we can find the answer to that question. So if we navigate to the GitHub repo and we go to /data/xml/payloads and then /boolean_blind.xml, then in that file we can search for the title of the payload, which is "OR boolean-based blind", and then we'll see "WHERE or HAVING clause (NOT)", so that's the one we're specifically looking for here. We'll see that this payload actually gets compared to the response from a second payload. So if you look at it here with me, here we have OR NOT [random number]=[random number], and then a comparison of OR NOT [random number]=[random number 1]. So what this means is that the first payload, the one that sqlmap's showing that's not working, is actually being compared with the results from this slightly modified payload. What this would look like in practice is, again, you have number equals number, and then the second version of that payload is number equals negative number, so the same number, just negative, which obviously is the opposite: they're not equal numbers. And because sqlmap is getting two different results from the application when it compares these two payloads, it knows that there is a vulnerability, because otherwise the database would not respond differently with these two different payloads. But because it's responding differently with the negative versus the equals one, it knows that there's a vulnerability.

So our successful payload is actually the comparison one, not the one that sqlmap is showing us in its result. We can validate that by grabbing this version of it; I'll add a negative sign right in front of the second number, and then I'll submit that request, and we'll see what happens. And we see that we do have a successful login in this case, so that was the successful payload that was being compared to the other one. Again, we can also run this through ZAP, so let's go ahead and try that now. We'll go into ZAP, we'll do the same thing there, we'll rerun the same request and submit it, and we get a successful login even without any valid credentials. It's because we found a successful SQL injection payload that tricks the database into thinking that we are a valid user.

One more way of explaining the payload difference, just in case that didn't click: we can go and use something called SQL Fiddle, and we're going to create a fake replica of this OWASP Juice Shop database in SQL Fiddle. Basically I'm creating a table called users with an id, email, password and deletedAt column. I'm gonna insert an admin user with email admin@test.com and then a hashed password, and then I'm gonna run this SQL statement, which is very comparable to what you might expect to see from the OWASP Juice Shop. So we have SELECT everything FROM users WHERE email equals test@test.com OR NOT, and then number equals negative number, and then dash dash, and then random characters, single quote to end that, and then AND password, and so on and so forth. Again, just a regular SQL statement, and if we run this we can see that it returns all of the results and all the records from the database. But now if I rerun this exact same query, but this time I don't use the negative version of the number, I do number equals number, then in this case, if I execute this, we're gonna see that it's not returning any results. If I were sqlmap, if I were the automation running this, I would see these two different results and I would know that I was able to manipulate the database; that's how I know there's an SQL injection vulnerability.

So we found a vulnerable input field, we found a successful technique, and we found what payload successfully lets us log in without even having a valid username or password. And again, as I said before, I know I went through these topics pretty quickly; we kind of rushed through this video because I wanted to show all this without running on for half an hour. But if you want more details, or even if you have any questions, just let me know in the comments below. I want to know your feedback; that way I can create videos that you're actually going to watch, and the channel can grow as a result of it. Ultimately that's the goal, so let me know in the comments below, please. It takes two seconds, and then once you do that, I'll take that and I'll implement it in future videos. Of course, I also have two free courses that are highly relevant to this; definitely check them out on .com/courses. One of them is going to be the free Injection Attacks course; it talks about SQL injections and also other types of injection attacks that you can find on the OWASP Top 10 list, so these are some of the nastiest injection attacks that you can find in vulnerable applications. And then I also have a premium course called The Practical Guide to sqlmap for SQL Injections, and that's going to be, no joke, the most in-depth sqlmap course that you'll find on the internet right now. I really put a lot of time and effort into it; I wanted to make sure it was a super solid course that you can take, and then at the end of it you feel really confident using sqlmap to find SQL injection vulnerabilities in professional engagements. So that was the goal with it. I'd love to see you in any of those courses, and I'd love to see your comments at the end of this video. Thanks so much for watching; don't forget to subscribe, hit the like button, and I'll see you in the next video.
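The two-query comparison the video walks through in SQL Fiddle, re-created here against an in-memory SQLite replica of the users table. This is an added example, not code from the video, from sqlmap or from Juice Shop; the column names, the sample row and the function names are assumptions. It also puts a parameterized query beside the string-built one, so the same two payloads can be seen giving identical (empty) results once the input is bound instead of concatenated, which is the fix a defender wants to verify.

```python
import sqlite3


def make_db():
    """Constructed replica of the Juice Shop-style users table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
               "password TEXT, deletedAt TEXT)")
    # Sample row only; the hash value is a labelled placeholder, not a real hash.
    db.execute("INSERT INTO users VALUES (1, 'admin@test.com', '<fake-hash>', NULL)")
    return db


def login_vulnerable(db, email, password):
    """String-built query like the one the video models: input becomes SQL."""
    sql = (f"SELECT * FROM users WHERE email = '{email}' "
           f"AND password = '{password}' AND deletedAt IS NULL")
    return db.execute(sql).fetchall()


def login_safe(db, email, password):
    """Parameterized query: the payload is only ever compared as a literal string."""
    sql = ("SELECT * FROM users WHERE email = ? AND password = ? "
           "AND deletedAt IS NULL")
    return db.execute(sql, (email, password)).fetchall()


# The pair of payloads the video reads out of sqlmap's boolean_blind.xml entry:
# n=n (NOT TRUE, so the OR adds nothing) versus n=-n (NOT FALSE, so every row matches).
PAYLOAD_EQUAL = "test@test.com' OR NOT 1234=1234-- abcd"
PAYLOAD_NEGATIVE = "test@test.com' OR NOT 1234=-1234-- abcd"


def boolean_oracle(login, db):
    """Re-creates sqlmap's boolean-blind check: it reports injection only when the
    two otherwise-identical requests come back with different results."""
    rows_equal = login(db, PAYLOAD_EQUAL, "test")
    rows_negative = login(db, PAYLOAD_NEGATIVE, "test")
    return len(rows_equal) != len(rows_negative)


if __name__ == "__main__":
    db = make_db()
    print("string-built query injectable:", boolean_oracle(login_vulnerable, db))
    print("parameterized query injectable:", boolean_oracle(login_safe, db))
```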
Info
Channel: Cybr
Views: 7,533
Keywords: sql injections, sqlmap, admin login bypass, OWASP TOP 10, Injection attacks
Id: HZxo3cWv2l4
Length: 15min 55sec (955 seconds)
Published: Mon Oct 04 2021