How a Hacker Could Attack Web Apps with Burp Suite & SQL Injection

Video Statistics and Information

Captions
Hey hackers, today we're going to learn how to attack vulnerable web apps with Burp Suite using SQL injection, on this episode of Cyber Weapons Lab.

So today we're going to attack vulnerable web apps using a SQL injection attack. Now, SQL injection attacks are pretty cool because they actually use the SQL syntax against itself in order to grab information from a database that we're not necessarily supposed to be able to see, at least for databases that are misconfigured. Most web applications these days are configured in a way that doesn't allow SQL injection, but there are still plenty out there that will. But to do this we're actually not going to need to write any SQL code. We're going to use Burp Suite. Burp Suite is a great application that has all sorts of general pen testing applications, and although it is a paid product, everything we're going to need to do today can be done with the Community Edition. Also, if you want to learn more about other specifics of this topic, go ahead and check out the link in the article description below. And also, you're going to need to be running Linux. I'm using Ubuntu; you can also be using Kali, or I think any other Linux distribution would work. So without further ado, let's get started.

So in order to test our SQL injection attack we're going to be using Metasploitable. Metasploitable is an operating system that was designed to be hacked, and one of the services it offers is a server that is vulnerable to SQL injections. I'm running Metasploitable on VirtualBox. Let's go to Metasploitable. I've logged in as msfadmin, which is the default account for Metasploitable, and I want to find the IP address of this machine, so I'm just going to type in ifconfig and I'm going to look for the inet address, so I'm going to do pipe grep inet. And I want this IP address at the top, which is 192.168.1.3. So let's go to a Firefox browser and then let's go to that IP address.

All right, so you can see right here this is the splash page for the Metasploitable server. We're interested in this particular site, Mutillidae, and on it, in the OWASP 10 section, there's Injection, and SQL, Extract Data, User Info, right here. So this is what you would find on many websites. It's a login portal, and this one is vulnerable to SQL injection, so this is kind of our testbed. So once we're here we don't really need to do anything. Mutillidae already has a host of other accounts that have already been created that are in the database for this server, and all we need to do is attack it with Burp Suite.

So before we load Burp Suite, first what we want to do is go into our Firefox settings. We're going to go down to the bottom and we're going to change the network settings. Now we're going to switch to manual proxy configuration, and for this video we're going to do one to 7.0.4 8080. Make sure this box is checked and no other thing is checked. Let's go and press OK. All right, so now we're running through a proxy, and let's start Burp Suite.

Okay, so Burp Suite. This is the Community Edition. There's a lot of features that are better disabled, but thankfully SQL injection is still something that we can do with the Community Edition. I start a temporary project, use the Burp defaults, start. All right, so there's a lot going on right here. Don't need to pay attention to any of this. The first thing we need to do is go to Proxy, and we see intercept is on. To test this, let's go back to Mutillidae in Firefox and let's type in username, I'm just going to go with password, let's enter. All right, and now we can see Burp Suite has captured all of the raw HTTP that's gone through here.

So once we have this, the next thing we need to do is send this to the Intruder. What that lets us do, if we go over to the Intruder, is we can go to Positions and we can see the same information was sent here. This lets us edit the HTTP request. So first we need to clear everything, and what we're particularly interested in is injecting SQL code in the username field. So after pressing clear we're going to highlight what we entered in as the username. In this case I kind of confusingly just entered username. Now we're going to click the Add button with that highlighted, so that's where it's going to inject our SQL code.

All right, so we're actually almost done. The only thing we need to do now, since we aren't writing any of our own SQL code, is use a list of basically SQL injection words or strings that someone else has created. I found this one on GitHub, and I also believe this is the default one that comes with Kali Linux. I'm using Ubuntu, so obviously it's not designed for attacking, so it doesn't have that word list included, but I just downloaded this. So go back to Burp Suite. I'm going to load that list right here, open it, and you can see all of the strings are right here. And once we have all of those loaded we just have to start the attack.

As you can see, with each string we're getting the status 200, which is good. That means OK; that means we successfully were able to fulfill the request. And when we look at all of these strings that we've tried, we look at their response and we can go to the Render tab and see basically what happened when we tried to enter that in. For instance, this one, there's a failure; it basically says that the SQL syntax wasn't correct. But if we look at a different one (I know number 39 works because I have tested this), some of these work and some of these don't work. That's why we have a full list of them. This one has an authentication error. All right, and if we go to number 39 we should, yeah, there we go. So we can see that this particular SQL string, what was it exactly? It was end quote or one equals one or double quote equals single quote. So yeah, with that particular SQL string we were able to essentially display everything in the database. So you can see all of these different usernames and passwords and their signatures. The entire database of the login credentials is now ours.

And the reason this works is because of SQL itself. So I should attempt a little example right here. When we're entering a username and password into those fields on the web page, it makes a SQL query that's usually structured something like this: select username, password from users where username equals my name, which is the username that you typed in, and password equals my password, which is the password you typed in. Now when we put something in the username field like end quote or one equals one --, for instance, what we're doing is, when the SQL query is run, where it asks where username equals, it basically says blank right here, or one equals one, which always evaluates to true, and then these double hyphens will negate anything after them, so the and password is irrelevant. So basically, since one equals one evaluates to true, it's going to select every single entry in the database and display it for us. So yeah, that's just a little insight into what's actually going on, but you don't even need to know that. With Burp Suite and with the SQL injection word list we are able to totally see the entire database. So yeah, there you go.

If you liked this tutorial, be sure to check out our website, where we have hundreds of free articles and videos as well as premium paid content like the ethical hacking certification bundle, which features pen testing with OWASP ZAP, WordPress hacking and hardening, and the CompTIA Cybersecurity Analyst prep course. Check out the link in the description below.

All right guys, so that was pretty cool. You saw we were able to grab all of the credentials, all the usernames and passwords, from this web app's database, including some administration credentials, which is pretty cool. So if you want to go more in depth with this you should probably learn some SQL yourself. That way you can customize your text and grab exactly what you want from the databases. Unfortunately, in the real world any big company or large enterprise is not going to be vulnerable to this kind of attack, because there are specific coding practices that make databases basically impervious to SQL injection. But there are plenty of small websites out there; you know, anyone these days can set up a web server with a database behind it, and unless they're using those very specific coding practices they will be vulnerable to SQL injection, so they're potential targets, although of course I do not condone attacking any websites that are not your own.

If you want to learn more about SQL injection and about Burp Suite, go ahead and check out the link to the article in this video's description, as well as the multiple other articles we have on Null Byte about this topic. And if you have any suggestions for future videos, go ahead and hit me up on Twitter at Tim 5 10 9 -. Don't forget to like, comment and subscribe to this video, and have a good day. We'll see you next time, guys. Bye bye.
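The login query described in the captions above, as an added example that is not from the video or from Mutillidae: the same query built by string concatenation and with bound parameters, run against a constructed in-memory SQLite database. The function names and sample accounts are hypothetical; parameterized queries are one coding practice that closes this hole.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the app's users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "adminpass"), ("alice", "wonderland"), ("bob", "builder")],
    )
    return db

def login_vulnerable(db, username, password):
    # Input is pasted into the SQL text, so a quote in the input ends the
    # string literal and the rest of the input is parsed as SQL.
    sql = (
        "SELECT username, password FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return db.execute(sql).fetchall()

def login_parameterized(db, username, password):
    # Placeholders keep the SQL text fixed; input is bound as data only and
    # can never change the structure of the statement.
    sql = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 -- "  # the kind of string discussed in the captions
    # Concatenated: WHERE username = '' OR 1=1 -- ' AND password = 'x'
    print("concatenated :", login_vulnerable(db, payload, "x"))
    # Bound: the payload is compared literally against usernames, no match.
    print("parameterized:", login_parameterized(db, payload, "x"))
    # A lone quote breaks the concatenated query (the "SQL syntax" failures
    # seen in the scan) but is harmless when bound.
    try:
        login_vulnerable(db, "'", "x")
    except sqlite3.OperationalError as exc:
        print("concatenated with lone quote:", exc)
    print("parameterized with lone quote:", login_parameterized(db, "'", "x"))
```

SQL error text returned to the client on a lone quote is also a useful detection signal when reviewing application logs.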
Info
Channel: Null Byte
Views: 85,349
Keywords: wht, wonderhowto, nullbyte, null byte, hack, hacking, hacker, hacks, hackers, how to hack, howto, how to, tutorial, guide, cyber weapon, cyber weapons, cyber, cyber weapons lab, Burp Suite, SQL, sql injection tutorial, sql injection attack, sql injection tutorial for beginners, sql injection explained, sql injection example, sql injection attack tutorial, burp suite sql injection, sql injection, blind sql injection, kali linux, error based sql injection, injection attacks
Id: 2oeCg8bj-4U
Length: 10min 9sec (609 seconds)
Published: Fri Sep 25 2020