SQL Injection - Lab #9 SQL injection attack, listing the database contents on non-Oracle databases

Captions
Hi everyone, welcome back to another video in the Web Security Academy series. In today's video we'll be using a union-based SQL injection attack to list the database contents on non-Oracle databases. All right, let's get started.

This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users. To solve the lab, log in as the administrator user.

All right, so we've got a couple of angles over here. The first one is we need to determine the table that contains usernames and passwords. The next one is to determine the relevant columns, and then once we have the table name and the column names we will use that to output the content of the table, and then we need to log in as the administrator user. So the nice thing about this lab is that we're not assuming anything. In previous labs we were given the name of the users table; we were also given the column names that contain the usernames and passwords. In this lab we're going to have to figure that out all on our own, which is more of a realistic scenario than the previous labs. Okay, so let's create an analysis section and access the lab.

All right, so it looks like it's the same shopping application that we've been dealing with in the past couple of labs. You could refine your search based on a category. Once you do refine your search (so we're doing it for Accessories over here), it'll only display the results that are related to this category, and that's done based on a field in the URL called category. We know this field is vulnerable to SQL injection because the lab tells us; however, in a scenario where you don't know it's vulnerable to SQL injection, all you have to do is fuzz the application with SQL characters to see if it breaks a query at the back end, and it does, so we get an internal server error, which confirms that it's potentially vulnerable to SQL injection.

All right, the thing about this category field is that whatever we enter over here gets displayed on the page, and what that means is that we could use a union-based SQL injection in order to display content from other tables in the database, and that's exactly what we're going to do. So I'm going to move on to using Burp from now on, because it's just easier when it comes to encoding. Let's close that, hit next, start Burp. All right, let's put that over here for a bit and set the proxy to use Burp. All right, now when I load this it should be intercepted by Burp, and it is. So what I'm going to do is send this to Repeater, because I need to send this request a couple of times, and I'm going to turn my intercept off.

Okay, so in order to exploit a union-based SQL injection, we said there's a couple of steps. The first one is to find the number of columns that the vulnerable query is using. In this case the vulnerable query is the one that filters on category, and the way to determine the number of columns is to use the ORDER BY clause: ORDER BY and the column number over here. If we enter a column number that doesn't exist, it'll throw an error, so this way we could determine the number of columns that are being used by the vulnerable query. I can tell based on this that there's two columns, one for the title of the product and the other for the description of the product, so there's at least two columns, and let's confirm that with Burp. So let's copy that, put it over here, do Ctrl+U to URL-encode, hit send, and we get a 200 OK response. That means this column exists, which again makes sense because I said that there's at least two columns based on the output that is on the page. So this one should also give us a 200 response code, so again Ctrl+U to URL-encode, hit send, and we get a 200 response code. Let's try three, and again Ctrl+U to URL-encode, hit send, and we get an internal server error. So I'm just going to make a note of that. What that means is that the number of columns that are being used by the vulnerable query is three minus one, which is equal to two.

All right, the next thing to do is to find the data type of the columns, and the reason we do that is because the username and password are going to be of type text, and so in order to be able to output them from the database we need columns that accept type text. So let's see if any of these columns are of type text, and the way we do that is using UNION SELECT NULL statements. We know there's two columns based on the first step over here, and so what I'm going to do is iteratively try each one to see if they accept type string. Now if this is incompatible with type string it should throw an error; if it's compatible you should see the character a on the screen. Now again, just based on the output, you could see that there's alphabets over here and there's alphabets over here, so they both should accept type string, and so instead of doing it iteratively I'm just going to try both at the same time, just to save a little bit of time. Let's try that... and I copied the wrong thing. Okay, Ctrl+U to URL-encode, hit send, and we get a 200 response code, and that's a good sign, so we should see our characters a somewhere. So you could see it over here and over here. So we make a note: both columns accept type text.

Okay, before we try to output content from the database we need to figure out which database we're dealing with, and the reason behind that is because the query that you use in order to output all the tables in the database is different depending on the database. So one way to do that is to figure out the version of the database, and to do that we're going to use the hint section in the exercise, so the SQL injection cheat sheet. You could see over here "database version": on Oracle this is the query that you do in order to output the version; this is Microsoft, PostgreSQL and MySQL. Now depending on which one actually gives us a 200 response and the version of the database, we'll know which database we're dealing with. But you could see over here that we're dealing with a non-Oracle database, and so we're left with three options: Microsoft, PostgreSQL and MySQL. So let's start with Microsoft, and again we need to fit that with our SQL injection, so it would be UNION SELECT @@version, and then there's still another column, we could just put NULL in there and comment out the rest. Let's try that, let's do Ctrl+U to URL-encode, hit send, and we get a 500 internal server response, so I'm just going to make a note saying "not Microsoft". Next let's try PostgreSQL. Again we've got to fit it in our union-based SQL injection, and let's test that out, and again Ctrl+U to URL-encode, hit send, and we get a 200 OK response, and so we should see the version over here: PostgreSQL, here we go. So that's the version of the database, so I'm going to make a note saying 200 OK and it's a PostgreSQL database.

All right, now that we know the database version, we could use that in order to output all the tables in the database, so that's our next step: output the list of table names in the database. The way to do that, we go back to our hint sheet and we go to the section "database contents", and it tells you, based on the database, how you could output the list of table names that are contained in the database. That's why we needed to do step number three, because you'll see over here each one differs based on the database you're dealing with. Now we're dealing with PostgreSQL, so this is the way to do it: you've got the information_schema.tables view, and what that does is it allows you to get the information about all the tables within a database. So we're going to copy that, and again I need to fit it in my union-based SQL injection, so I'm going to say UNION SELECT, and we need two column names over here because that's how the union-based SQL injection attack works. So I'm going to copy this and just google it to see the column names that are available to us, and I'm actually going to say PostgreSQL because it might differ. Click on columns. All right, so these are the column names: you've got table_catalog, table_schema, table_name, column_name and so on. So I care about the table name, so I'm just going to copy this one and put it over here, and then I'm going to say NULL because I don't care about outputting any other column in that table. So I'm going to copy this, put it in here, and do Ctrl+U to URL-encode, send, and we get an internal server error, which means we did something wrong: we forgot to do the comment. So hit send again and we get a 200 OK response, so this should have outputted the table names that are available in the database. You could see over here there is pg partition table, pg available extension and so on. I'm looking for a table that contains the word "users" in it, and here we go: you could see there is a table called users_ and then some random characters. So I'm assuming that this is possibly my table that contains the list of usernames and passwords of the users of the application. We'll confirm that in a bit using the next step.

The next step is to output the column names of the table. So what we're trying to do is figure out which columns contain the usernames and passwords, because we're going to need that in our end query. To do that we go to the hint section, and you'll see over here for PostgreSQL the way to do that is SELECT * FROM information_schema.columns WHERE table_name = 'table name here'. So let's copy that; again it has to be part of our union-based SQL injection, so we'll add that. The table name is this one over here, and we need two column names, so to figure out the column names that are available we'll google it again and say PostgreSQL. Okay, so the columns view has these column names, so I'm interested in this one over here, so I'm going to say column_name and NULL. Okay, so that should give me the column names that are available in this users table. So let's copy that, put it in Burp, Ctrl+U to URL-encode it, and hit send. Okay, 200 response code, which is good. So what I'm looking for is a column that contains the word username. That's good, so we've got this one over here, and then a column that potentially contains the word password. All right, and we found another one over here. Perfect.

So now we know the table name, we also know the column name that contains the usernames and the column name that contains the passwords, and so we could put this information together in order to output content from this table, and that's step number six, which is output the usernames and passwords, and that's just a normal query. So let's have our union-based SQL injection payload and then we say SELECT this column and this column over here FROM this table, and comment out the rest of the query. So let's copy that, put it in Burp, Ctrl+U to URL-encode it, hit send, and 200 response again, that's a good sign. Let's see if it outputted the usernames and passwords, and it did, so you could see over here a username and a password. We're looking for the administrator user and it's right over here, so I'm just going to copy all that and put it over here. Okay, so we've got the administrator's password. Now we can use it to log in as the administrator user, which is the last step in our end goal. Okay, click on My account, select administrator, copy the password, click login, and it says "Congratulations, you've solved the lab".

If you would like to see a detailed version of the video where we both exploit the vulnerability manually and then script it in Python, check out the video linked on the screen. Also make sure to hit the subscribe and share button so that the video reaches a wider audience. Thank you, and see you in the next video.
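The walkthrough above leaves a very recognisable trail in a web server's access log: an ORDER BY probe that ends in a 500, UNION SELECT NULL type probes, a version() fingerprint, and then information_schema.tables and information_schema.columns lookups, all through the same category parameter. The following detection helper is an added example written for this page; it is not code from the video, from the channel's Python scripts, or from PortSwigger. The log format (client IP, quoted request line, status code) and the log lines themselves are constructed for illustration, and the rule names are my own.

```python
"""
Flag union-based SQL injection probe sequences in request logs.

Added example (not from the video or PortSwigger). The log lines below are
constructed to mirror the probe steps in the walkthrough: ORDER BY column
counting, UNION SELECT NULL type probing, version() fingerprinting and
information_schema enumeration, all sent through the same parameter.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in a simplified format: client_ip "METHOD target" status
SAMPLE_LOG = """\
10.0.0.5 "GET /filter?category=Accessories" 200
10.0.0.9 "GET /filter?category=Accessories%27%20order%20by%203--" 500
10.0.0.9 "GET /filter?category=Accessories%27%20union%20select%20null%2Cnull--" 200
10.0.0.9 "GET /filter?category=%27+union+select+version()%2Cnull--" 200
10.0.0.9 "GET /filter?category=%27+union+select+table_name%2Cnull+from+information_schema.tables--" 200
10.0.0.7 "GET /filter?category=Gifts" 200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3})$')

# Rule name -> pattern applied to each URL-decoded parameter value.
# Decoding first matters: the probes arrive percent-encoded (Ctrl+U in Burp),
# so matching the raw query string would miss them.
RULES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "version_fingerprint": re.compile(r"(version\s*\(\s*\)|@@version)", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
}


def decode_params(target):
    """Return {param: [decoded values]} for the query string of a request target."""
    # parse_qs percent-decodes and turns '+' into spaces for us
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def classify_value(value):
    """Names of the rules that match one decoded parameter value (empty if benign)."""
    return [name for name, rx in RULES.items() if rx.search(value)]


def scan_log(text):
    """Parse log lines and return one finding per parameter value that matches a rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        for param, values in decode_params(m["target"]).items():
            for value in values:
                hits = classify_value(value)
                if hits:
                    findings.append({
                        "ip": m["ip"],
                        "param": param,
                        "value": value,
                        "rules": hits,
                        "status": int(m["status"]),
                    })
    return findings


def suspicious_ips(findings, min_rules=2):
    """IPs that triggered at least `min_rules` distinct rules: a probe sequence, not a one-off."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).update(f["rules"])
    return sorted(ip for ip, rules in by_ip.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["param"], f["status"], f["rules"])
    print("suspicious:", suspicious_ips(found))
```

Correlating by client rather than alerting on single hits is the useful part: one ORDER BY in a parameter can be noise, but the same client walking through column counting, a version fingerprint and information_schema within one session is the enumeration sequence the video performs. The 500 on the ORDER BY 3 probe is a second signal worth keeping, since the application answering a malformed query with an internal server error is exactly what the walkthrough uses to confirm the column count; fixing the filter to use a parameterised query removes that behaviour entirely.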
Info
Channel: Rana Khalil
Views: 34,342
Keywords: security, web security, owasp, open web application security project, sqli, sql injection, portswigger, web security academy, python, offensive security, bug bounty, scripting, burp, burp suite, oswe, offensive security web expert
Id: JduM_dO8glw
Length: 18min 26sec (1106 seconds)
Published: Sun May 02 2021