Exploit SQL Injection using Burp and SQL Map

Captions
Hey everyone, welcome back to CyberSecurityTV. This week we're gonna talk about SQL injection, one of the most critical vulnerabilities for web applications, and we're gonna see how it can be exploited, how we find it, and also I'm gonna show you different techniques using sqlmap: someone who is a beginner using sqlmap, and then someone who is more advanced, or if you have complex requests and want to exploit that, how do we do that using sqlmap. So let's get started by discussing in general what SQL injection is. Now I'm not gonna go into much detail; if you want, hit me in the comment section and I will do a separate session on what SQL injection is. But just to give you guys a brief understanding of what SQL injection is: it's sort of like an injection attack, where the attacker is gonna put a payload into the application, and the payload could be anywhere: in the hidden parameters, in the GET request, in the headers themselves. Somewhere where the application is interacting with the backend database, the payload inserted by the attacker will get executed and get the information out of the database, and somehow the attacker will have access to that information. So why does the problem arise? Because there is not enough sanitization of the input parameters by the application developer, and that's why we generally say: use parameterized queries, avoid using simple queries, because that would lead to SQL injection. Now what are the types of SQL injection? There is error-based SQL injection, there is time-based SQL injection, and there is blind SQL injection. So without wasting much time, let's get to a demo. I have prepared one application; actually it's an application you can download from GitHub, developed by one developer, which is intentionally broken and has multiple SQL injection modules which you can use to learn. I'll put that into the description of this video, so if you guys want the details, feel free to check out the description as well.

Let's jump on to our VM and see how it works. So here is the application; the name of the application is the vulnerable web application, and we are in the SQL injection module. As you can see there are multiple levels, and of course using the automated tools we can exploit any one of them, and here is the information about who developed the application as well. So let's click on SQL injection 1 and see. Here is one page which says: you enter the first name, you hit submit, and you get the last name. Here I submit John and look at the last name. Now if we have to check whether it's an SQL injection, what we usually do, our simplest payload, is to make the query unconditionally true. So for example what I'm going to do is or 1 is equal to 1. What happens is the query will become: if the first name is equal to 1 or 1 is equal to 1, and this is always going to hold true. So if there is an SQL injection we should be able to get all the data from the database. If you submit, as you can see we have all the last names which are in the database. The good thing about this application is, since you have the source code, you can also just go into the source code and see where the problem is. As I said, if they're using a simple query and not a parameterized query, then that's when the problem arises. Okay, so this was easy and we were able to find the SQL injection.

Now let's go back, let's go to level 2, and what I'm gonna do is I'm gonna try the same payload here. It says: give me the book number, I give you the book name in my library. So let's try 1; okay, so 1 is this one. What if I want all of them? I'm gonna try the same thing which we tried earlier, and then you can see here we did not get the full database of all the numbers or book names; what we got is some error, which is a MySQL error as you can see here. What it means is the database could not understand the payload in the query. So of course there is no sanitization, but if we change the query a little bit it might work. So that doesn't mean there is no SQL injection; it's more of an error-based injection, where you get the error and based on the error you can figure out that there is still a SQL injection, we just need to change the payload.

Now we did not have time to go and start putting in all the payloads, so what I'm gonna do, or what you as a pen tester would generally do, is you'll have access to all the tools, and one of the easiest tools you will have access to is Burp Suite. So what I'm gonna do is I'm gonna run this through Burp Suite and see if we can find the SQL injection from there. Then of course Burp will not exploit the SQL injection; we will have to use sqlmap to exploit it and get all the details. Now how I'm gonna do it is: first let's go to the proxy and let's turn intercept on. I just put in any book number, hit submit, and here we have the request. What I'm going to do is I'm gonna add it to the scan launcher and create a new task. I'm not gonna change any scan configuration, I'm just gonna keep whatever is the default. Hit OK, go to the dashboard, and here is the scan which is gonna run and find out if there's an SQL injection or not. Why do I do this? Because of course you can do it manually, but it's going to take a lot of time, and when you are doing the testing you might not have that time, or not be lucky enough to spend a day just to find the payloads, and this makes my task easier. I can also, if I go to the scan launcher, right in the scan configuration, define which vulnerability type I want to scan for; rather than scanning for everything I can focus on SQL injection, which I should have done, but it's okay, this is a localized application so it's not gonna take much longer to scan through the application. But yeah, if you are scanning for any particular vulnerability, make sure you do that configuration in your scan launcher. So as you can see there are still just twenty requests in here, 22 requests, so we are still waiting on it to find the SQL injection. I'm going to pause the video just to save some time and I will resume once it is ready.

So as you can see the status is now done and it found one issue, which is highlighted in red; that means a critical issue. You can find it here: as you can see there is a SQL injection found, and how did Burp determine it? It's based on multiple requests and responses. Here it had put in this one, and based on the content length, which was different between when the normal request was sent versus the third request, where the second request is false; and likewise there is also a sleep-like query with sleep, and of course Burp found that the application delayed before sending the response. That's how it determined there is a SQL injection. But as you can see here, this is not a certain finding. So if we go back to the target, localhost, as you can see here, confidence is firm and severity is high, right, but it is not certain. If Burp is certain, this is how it's gonna show up: that means Burp thinks there is a confirmed injection. Now at this point the confidence was firm; that means there is a SQL injection with the data that worked, but it's not certain, so you might want to double check again and exploit it by yourself. So this is what we're gonna do now. We know what the request is and what the vulnerability is here; you can find all the information here. It says the number parameter appears to be vulnerable to SQL injection attacks, and if we go here we also have, yeah, so this is the original query which we sent, and now I'm gonna exploit it.

Now let's open Burp, wait, not Burp, let's open sqlmap to see how we can exploit this. To open that I'm gonna go to Web Application Analysis, sqlmap. Okay, so here are all the options you have; you can check the sqlmap cheat sheet later on if you're not sure which command to run. First we're gonna start with the easiest way to exploit it, which is the wizard, and it says it's for beginner users. So what I'm gonna do is I'm gonna type sqlmap --wizard and start. This is sort of like how you install any exe or any sh file, like a batch file on Linux: it's gonna run you through the various configuration, you provide the input, and it's gonna just do it by itself. So that's what it is; I'm gonna type it here. What we need to provide first is the full target URL, so how you can do it is simple: go here, copy the URL, go here, paste it and press Enter. Now POST data: generally, sometimes you might find an SQL injection in a GET parameter, so you don't need to provide any POST data, but in this case we have a POST request and that data is here, so we need to provide that; otherwise you just press Enter if you don't have anything. So what I'm gonna do is I'm gonna copy this, paste it here, hit Enter. Now injection difficulty: please choose normal, medium or hard. I tend to go with medium, unless I think it's very hard to find the injection vulnerability. And then enumeration, what you want to do: basic, intermediate or everything. For this one I'm just gonna do basic, because we just want to confirm whether there is an SQL injection or not, and it's also gonna run through quickly. Let me expand. So now sqlmap is gonna run; of course we have not specified which parameter it's gonna check, so it checks both. And there you go, it's finished, and as you can see here it found the parameter number as vulnerable, which was also given by Burp Suite, and it's an error-based SQL injection and there is also a time-based one; there's a second injection. Here are the queries, or the payloads, which sqlmap tried to get the data, and as you can see it determined the web technology (PHP 7.4, Apache 2.4), backend DBMS MySQL, the banner is this, the current user is root, and is the current user DBA: yes, that's true. So this was the easiest way to exploit the SQL injection, and if you happen to come across this situation you can definitely use this.

Now there's one tricky situation. That tricky situation is: what if there is a SQL injection in authenticated pages, where you also have to provide the session cookie or such information to sqlmap so it can get the actual request and response? In this case we did not have any cookie information and that's why it was easier; even if I give you this particular request and you send it, you will still get the same response as I got. But if it's an authenticated page, let's say after you log in to your e-commerce website and you add something to the cart, and that's where the vulnerability is, now that page is not accessible by everyone, so even if you give that request to sqlmap it won't work. For example, let me show you real quick. If we go to demo.testfire.net, okay, so there is a username and password, right? So if I click here, as you can see, a POST, okay, and if I click one more, okay, yeah, show account, not this one, yeah, this one. Does this one have the response? Ha, yeah. So for example this one, it says bank account number, list account with this account number which I had given here. Let's say this is a banking website and you find the SQL injection in, let's say, the list account parameter. But if I send this, so let me send it to Repeater, if I send it of course I'm gonna get the full response, but what if I do not provide this cookie information? Alright, I'm not gonna find anything, and what it's gonna do is redirect me to the login page because I do not have the cookie information. So in this case you cannot use the same technique which we had used, because there was nowhere for us to supply that detail.

So the other way to do it, actually the easier way to do it, is using a file. In this case we're going to use the option of loading the file into sqlmap. If you want to see that option, it's available in the advanced options; as you can see there are many more options than the earlier ones we were able to find. Here you can see how you can handle that kind of scenario, all the methods you can use to do it, but the method I'm gonna show you would be the easiest to use in your future pen testing, because you just need to take, for example, yeah, not this one, yeah, this one, and use this as a raw request. We just put it in a file and provide that to sqlmap, which will also have the cookie or bearer token or whatever it requires for the authentication, so it can use that for exploiting it. So if you see here, you can provide the target directly, you can also provide the URL, but this is what I use: load the HTTP request from a file. Alright, so let me go ahead and create a file. What I'm gonna do is, I have this text file, I copy this from here and just paste it in the text editor and save it. That's all we need for now. Let's go back to our terminal, and what I'm gonna do is we will have sqlmap; of course we're gonna use -r for the file, the file is on the desktop and its name is injection.txt, but we don't necessarily need to give the extension here. Next we're gonna provide the level for the exploitation, which is 5, going to the highest number, or you can also do 3 here. Then we do risk; for risk there are three options, 1, 2 or 3, and I'm gonna choose the middle, 2; you can go up and down. The next thing I need to provide is the parameter, which parameter is vulnerable. You can get that information from Burp itself; it says number is the vulnerable parameter, so I'm gonna provide that, and here you can also find which parameter, like how do you provide that parameter. So for example this one: in this case it was easy because there were only two parameters, but imagine the application had like 20 or 30 parameters; it would be very time-consuming for sqlmap to go through each of those, whereas it's easier if you just provide the one, number, which you want to exploit. The next thing we're gonna do is what we want to try: if you want to get everything, or just the banner, or you want to try the current user, you can use whatever options. Let's just go with everything; of course it's gonna take time, but we can cut it off in between. So this is what it looks like for sqlmap: we provide the file, level, risk, number, and there are multiple options you can choose other than this, but this is all we're having for now. I hit Enter. Okay, so it went through quickly. It says: do you want to store hashes to a temporary file for further processing with other tools? I would say no, because I don't care right now. Do you want to crack them via a dictionary-based attack? Yes, I want to do that. So as you can see it's been going fairly quickly, and the reason for that is that the application is hosted on localhost, so it has really quick access to the database and everything is on one box. But if the application is somewhere in the cloud, that might take a little bit longer. Okay, I'm not gonna look at the additional dictionary attack, I'm gonna skip it for now, because to confirm the SQL injection we have found enough evidence and enough records of everything that we could retrieve from the database. So here, if we scroll from the top, we can see it collected all the database users; of course we saw that earlier with the banner information. Then we also have what privileges this user has, the other user roles and everything, and here it also gathered all the tables, their entries, their columns and everything.

So this is how you can use sqlmap in conjunction with Burp Suite to minimize the effort you have to put in to exploit SQL injection. Now there is one other way you can also do it, which is even easier and which I use sometimes: there is an add-on within Burp for sqlmap which you can download, install and use for exploiting. I'm not gonna show that now, since this is getting a little bit on the lengthier side, so I will keep that for the next session or some other time: how you can download that add-on, how to install it and how you use it, so you don't have to go back and forth between the terminal and Burp. You can just, right from Burp Suite, send to sqlmap and exploit and get the data back. So that's the easier way to do it, but this is also easy, because with the add-on in Burp, I don't like the UI much to be honest, but the terminal is always great when you can try advanced options, try different things, which is much easier as well. But I'll give you guys that option as well. That's it from this week, thank you for your time, and please subscribe and hit the like button if you liked this video, and please leave comments if you think you want to know something else, or you have any idea in mind about what would be beneficial for everyone if I show you some other tools or any other topic in application security. Again, thank you so much for your time and I'll see you guys next week.
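The following is an added, self-contained example (not code from the video or from the demo application) that reproduces the two signals the captions describe, a data dump from an unconditionally true payload on the string-typed level 1 endpoint and a database error from the same payload on the numeric level 2 endpoint, next to the parameterized query that closes the hole, and renders the raw HTTP request file that `sqlmap -r` reads so a session cookie travels with the request. The table contents, the column types, the host, path, cookie and parameter names are all constructed for this example, and SQLite stands in for the MySQL backend shown in the video.

```python
import sqlite3

# Constructed sample data standing in for the video's two levels: a first-name
# lookup against a TEXT column and a book-number lookup against an INTEGER one.
USERS = [("John", "Smith"), ("Jane", "Doe"), ("Bob", "Jones")]
BOOKS = [(1, "Hacking Exposed"), (2, "Web Security"), (3, "SQL Cookbook")]


def new_db():
    """In-memory SQLite database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(first TEXT, last TEXT);"
        "CREATE TABLE books(number INTEGER, title TEXT);"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO books VALUES (?, ?)", BOOKS)
    return conn


def last_name_vulnerable(conn, first):
    """Level 1 pattern: user input concatenated inside a quoted string literal."""
    sql = "SELECT last FROM users WHERE first = '" + first + "'"
    return [row[0] for row in conn.execute(sql)]


def book_title_vulnerable(conn, number):
    """Level 2 pattern: user input concatenated into a numeric comparison
    (no surrounding quotes), so a quoted payload breaks the SQL syntax."""
    sql = "SELECT title FROM books WHERE number = " + number
    return [row[0] for row in conn.execute(sql)]


def last_name_safe(conn, first):
    """Hardened version: placeholder binding, the payload is only ever data."""
    rows = conn.execute("SELECT last FROM users WHERE first = ?", (first,))
    return [row[0] for row in rows]


def probe(fn, conn, value):
    """Send one payload and classify what came back, the way a tester reads a
    response: ('rows', <list>) for returned data, ('error', <message>) when
    the database rejected the query, which is the error-based signal."""
    try:
        return ("rows", fn(conn, value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def sqlmap_request_file(method, path, host, body, cookie=None):
    """Render the raw HTTP request text that `sqlmap -r <file>` consumes.
    Carrying the Cookie header is what the URL/wizard mode could not do for
    an authenticated page; path, host and cookie here are hypothetical."""
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
    ]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    db = new_db()
    unconditional = "' OR '1'='1"      # always-true payload for a quoted context
    print("level 1, normal input:", probe(last_name_vulnerable, db, "John"))
    print("level 1, injected:    ", probe(last_name_vulnerable, db, unconditional))
    print("level 2, same payload:", probe(book_title_vulnerable, db, unconditional))
    print("level 2, numeric form:", probe(book_title_vulnerable, db, "1 OR 1=1"))
    print("hardened, injected:   ", probe(last_name_safe, db, unconditional))
    req = sqlmap_request_file("POST", "/bank/showAccount", "demo.testfire.net",
                              "listAccounts=800000", cookie="JSESSIONID=abc123")
    print(req)
    # Saved to injection.txt, this file is what the captions feed to
    # sqlmap -r injection.txt --level=5 --risk=2 -p listAccounts --all
```

Run stand-alone, the script shows the string endpoint returning every last name for the always-true payload, the numeric endpoint rejecting that same payload with a syntax error while accepting the unquoted form `1 OR 1=1`, and the parameterized query returning nothing for it; the final block is the request text a tester would save and hand to sqlmap with `-r` so the session cookie is replayed on every probe.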
Info
Channel: CyberSecurityTV
Views: 21,501
Keywords: injection attacks, injection vulnerability, OWASP vulnerability, burp, burpsuit, SQL Injection, sql injection, sqlmap, sql map, burp professional, burp scanner, OWASP Top 10, Exploit injection, exploit sql injection, what is sql injection, blind sql injection, error based sql injection, time sql injection, Automated exploitation
Id: kuSS7Rd_e54
Length: 22min 36sec (1356 seconds)
Published: Mon Feb 24 2020