SQL Injection Tutorial For Beginners

Captions
SQL injection is a web security vulnerability that allows an attacker to modify or extract sensitive information, such as usernames and passwords, from an application's database. In this educational video we first learn how to identify and test for an SQL injection vulnerability in a web application. Then we look at the detailed, step-by-step process of performing an SQL injection attack to retrieve data from the application database. For the purpose of this video we use a lab from Web Security Academy; you can find the link to this lab in the video description. This lab contains an SQL injection vulnerability in the product category filter. To solve the lab we need to exploit the SQL injection to get access to the username and password of the admin user and log in to his account.

All right, let's go ahead and get started by clicking on "Access the lab". The application homepage contains a list of products. Under the description there is a filter function that allows users to filter products based on their category, so if you choose a category the application sends a request to the server and returns the list of products in that category. If we look at the application URL, we notice the selected category is sent to the filter endpoint in a URL parameter.

One of the common techniques to identify SQL injection is to add a single quote character to an input and check whether it triggers an error or the application returns a different response. So, to check if the category parameter is vulnerable to SQL injection, we go to the URL, add a single quote to its value and submit the request. The application returns an error, confirming that the application doesn't validate the category value: the single quote was injected into the SQL query that the filter function uses to get the list of products and triggered an error. This is an indication that the category parameter of the filter function is vulnerable to SQL injection.

All right, now that we have identified the SQL injection vulnerability, the next step is to exploit it and obtain data from the application database. Since the application sends the category value to the filter endpoint in a URL parameter of an HTTP GET request, we can use either the web browser or Burp Suite for the exploitation phase, but to keep track of each step of the exploitation process let's use Burp. So we go to Burp's HTTP history, select the GET request to the filter endpoint and send that request to Burp Repeater. We will use a separate tab for each step of the exploitation process.

Since the filter function is vulnerable to SQL injection and the result of the SQL query that filters the products is returned in the application response, we can perform an SQL injection UNION attack to retrieve data from the application database. To perform a UNION attack, first we need to know what the UNION operator is. The UNION operator is used to combine the results of two or more SELECT statements into a single result set. Let's take a look at a sample UNION SELECT query. This SQL query returns a single result set with two columns, containing the values of the name and description columns from the products table and the username and password columns from the users table. There are two requirements for using the UNION operator in SQL: the number of columns in each SELECT statement must be the same, and the data types of the corresponding columns in each SELECT statement must be compatible. So, to perform the SQL injection UNION attack, first we need to determine the number of columns and their data types in the original query, which is the SQL query that the filter function uses to get the list of products. Then we can use the UNION operator to add our own SELECT statement to the original query and retrieve data from the application database. There are two techniques to find the number of columns in the original query, and we will look at both of them: the first technique uses an ORDER BY clause, and the second uses UNION SELECT payloads.

We use this tab to find the number of columns using the ORDER BY clause, so let's rename it to "order by". The ORDER BY clause in SQL is used to sort the result set of a query in ascending or descending order based on one or more columns. In the ORDER BY clause we can use either the column name or the column index. Since at this point we don't know the number of columns in the original query, we use the column index: we inject an ORDER BY clause into the category value and increment the column index until we get an error, and this way we find the number of columns in the original query. Since the injection point is the category parameter and it contains a string value, first we add a single quote to terminate the quoted string in the original query used by the filter function. Then we add ORDER BY 1 followed by a double dash. This payload modifies the original query to sort the result set based on the first column, and the double dash comments out the rest of the original query to avoid any syntax errors.

All right, now that we are all set, we can send the request. We get a 200 HTTP response code, which confirms that the original query has at least one column. Next we modify the payload to ORDER BY 2 and resend the request. We receive another 200 HTTP response code, verifying that the original query has at least two columns. We repeat this process by incrementing the column index and resending the request, and as we see, this time we get an error. This indicates that the original query doesn't have three columns, so we have successfully determined that the filter function's SQL query has exactly two columns.

Next we look at the other technique to find the number of columns, so we send the request to a new tab. The other technique to determine the number of columns is to inject a series of UNION SELECT payloads with a different number of NULL values. As we discussed earlier, when using the UNION operator the number of columns and the data types in both SELECT queries must match, otherwise it will trigger an error. Since NULL is compatible with all data types, the database will return an error only if the number of NULLs in the payload doesn't match the number of columns in the original query. All right, first let's rename the tab to "union select". Then we go to the category value, inject the UNION SELECT payload containing one NULL and finally send the request. The application returns an error, so the original query has more than one column. Next we add another NULL to the UNION SELECT payload and resend the request. This time we don't get an error, confirming that the original query contains exactly two columns.

All right, we have completed the first step and managed to find the number of columns in the original query, so the next step is to determine the data type of these columns. Let's use a new tab for the next step and rename it to "column type". When performing an SQL injection UNION attack, the goal is to retrieve information from the application database by injecting an SQL query into the vulnerable input. This information usually consists of string values such as the database version, table names and their columns, and also confidential data such as the usernames and passwords of the application's users. Therefore, to successfully perform the UNION attack we need to find the columns in the original query that can hold string values. We have already found that the original query has two columns, so in order to check whether each column can hold string data we use two UNION SELECT queries, each time placing a string value in one of the columns and NULL in the other. If the column's data type is not compatible with the string value, the injected query will trigger an error; if we don't get an error, the column can hold a string value. All right, we go to the category parameter value, replace the first NULL with a string value and send the request. As we see, we don't get an error message, confirming that the first column in the original query holds string data. Next we replace the second NULL with the string value and resend the request. The application doesn't return an error, confirming that the second column also holds string data. Since both columns in the original query hold string data, we can use both of them to retrieve data from the application database.

So far we have managed to identify the number of columns and their data types in the SQL query that the filter function uses. Next we see how to perform the SQL injection UNION attack to retrieve data from the application database. Let's use a new tab for the next step. When performing an SQL injection attack, one of the first steps is to identify the database type and version, because it helps us understand the specific SQL syntax and functions that the targeted database uses. Each database type has its own function to query its version, so we have to experiment with various functions in order to find the one that works and allows us to find the type and version of the targeted database. All right, first let's check if the application database is either Microsoft SQL Server or MySQL, so we replace the first NULL with the relevant version function and send the request. As we see, we get an error. Next we try the version function for PostgreSQL and resend the request. This time we get a 200 HTTP response code, and if we inspect the HTTP response we can see the database type and version.

Next we want to get the list of tables in the application database, so we send this request to a new tab and rename it to "tables". To obtain the list of tables in the application database we can use the information schema. The information schema is a set of views that contains information about all the tables, views and columns in a database, so it can be used to gather information about the database structure and contents. We can use this SQL query to retrieve the list of all tables in the database using the information schema. So we go to the category value and add the UNION SELECT query that gets the list of tables from information_schema.tables, then we send the request. We get a 200 HTTP response code, indicating that our injected payload didn't trigger an error. If we look at the body of the response we can see the list of tables. We are interested in a table that contains the user credentials, and as we see there is a table called users, which seems interesting and might be the table we are looking for.

Next we want to find the columns of the users table, so we send the request to a new tab and rename the tab. We can query information_schema.columns to list the columns of the users table. So we go to the category value and add the payload: a single quote, followed by UNION SELECT column_name and NULL from information_schema.columns where table_name is users. Once we have injected the payload we send the request. We get a 200 HTTP response code, so we go to the response body and we notice the list of columns of the users table, including the username and password columns.

Now that we have successfully found the column names of the users table, next we want to retrieve data from it. Let's send the request to a new tab and rename it to "users credentials". To get the username and password from the users table, once again we go to the category value and add a UNION SELECT query, which is a single quote, UNION SELECT username and password from users, followed by a double dash. If everything goes well, this UNION SELECT payload should return the usernames and passwords from the users table. All right, let's send the request. We get a 200 HTTP response code, so the injected payload worked as expected, and if we check the response we can see the usernames and passwords of the application's users.

As I mentioned earlier, since the category parameter is sent to the application in an HTTP GET request, we could perform the SQL injection attack using only the web browser. So let's repeat the last part and get the usernames and passwords from the users table in the web browser. In the web browser we go to the address bar, add the UNION SELECT payload for retrieving the username and password from the users table to the category parameter value and finally submit the request. The application returns the list of products and their descriptions along with the usernames and passwords from the users table.

Now that we have the users' credentials we can log in to their accounts. Let's copy the admin password and log in to his account: we go to the login page, fill out the username and password fields with the admin credentials and proceed to log in. As we see, we could log in to the admin account, and we also get the message that we solved the lab. Thank you for taking the time to watch this video. If you found it helpful, please give it a like, share it with your friends and subscribe to the channel for more content.
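The root cause in the lab is that the category value is concatenated into the SQL text, which is why a single quote breaks the query and a UNION SELECT payload returns rows from the users table. The following added example (not the lab's or the channel's code) reproduces the vulnerable filter beside a parameterized one against a constructed in-memory SQLite database; it assumes the lab's two-column products query and a users table with username and password columns, and uses SQLite as a stand-in for the lab's PostgreSQL backend.

```python
import sqlite3

# Constructed stand-in for the lab's application database (hypothetical rows and schema).
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, description TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('Widget', 'A small widget', 'Gifts');
        INSERT INTO products VALUES ('Gizmo', 'A shiny gizmo', 'Tech');
        INSERT INTO users VALUES ('administrator', 'constructed-sample-pw');
    """)
    return db

# Vulnerable filter: the category value becomes part of the SQL text, so a quote in the
# input terminates the string literal and the rest of the input is parsed as SQL.
def filter_products_vulnerable(db, category):
    sql = "SELECT name, description FROM products WHERE category = '" + category + "'"
    return db.execute(sql).fetchall()

# Hardened filter: the value travels as a bound parameter, never as SQL text, so quotes
# and UNION keywords in the input are matched literally against the category column.
def filter_products_safe(db, category):
    sql = "SELECT name, description FROM products WHERE category = ?"
    return db.execute(sql, (category,)).fetchall()

# The single-quote probe from the video: True means the input produced a database error,
# which is the signal that user input reached the SQL parser.
def triggers_sql_error(filter_fn, db, value):
    try:
        filter_fn(db, value)
        return False
    except sqlite3.OperationalError:
        return True

# The two-column UNION payload used in the video to read the users table.
PAYLOAD = "' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, quote probe errors:", triggers_sql_error(filter_products_vulnerable, db, "'"))
    print("vulnerable, UNION payload:", filter_products_vulnerable(db, PAYLOAD))
    print("safe, quote probe errors:", triggers_sql_error(filter_products_safe, db, "'"))
    print("safe, UNION payload:", filter_products_safe(db, PAYLOAD))
```

Against the parameterized version the same payload is just an unusual category name that matches no product, which is the behaviour a code review or a quote probe should confirm before a filter endpoint ships.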
Info
Channel: TraceTheCode
Views: 1,849
Id: TNLjwdJJvgE
Length: 14min 54sec (894 seconds)
Published: Thu Mar 23 2023