Advanced SQL Injection
This course provides you with a deep dive into SQL Injections, covering some of the more advanced techniques. We're going to see what a blind injection is and look at the alternative tests that we can use to find SQL vulnerabilities. We're going to talk about hex representations, reading and writing files and we're also going to see how to hack into a server using a SQL Injection type of vulnerability.
Hi. Within this lecture, we're going to cover a tool called SQL Map or a Sequel Map. And this tool works in a way that it tries to find all the vulnerabilities regarding SQL Injection and it summarizes them, and it even shows us how to exploit them as well. So, I didn't show this before because we have to know all of this stuff, and sometimes it doesn't even catch everything on that website. So, I found many vulnerabilities regarding SQL Injection that this tool couldn't find. Okay, so we shouldn't rely on this, but maybe it's a good starting point. If there is a simple injection then this tool will definitely get it. So, let me go to our top 10 and find the user info over here. So, we have worked on this before. I'm going to give admin and password some kind of a wrong password over here, just to test this, just to get this URL actually. As you can see, we can see the parameters over here like admin, admin in this case. So, I'm going to need this URL. I'm going to copy this with Ctrl+C and paste it in my SQL Map to just scan this website. Okay. So, let me clear all of this stuff, and let me show you how the tool works. So, the tool that I'm talking about, the SQL Map: if you write "sqlmap -u" then you're going to give the URL. If you just write sqlmap, you can see all the different parameters and you can see the help as well; you can just go for -h, which is the help documentation, and you can see there are a lot of parameters that you can change. You can try to give some column names, table names, you can specify a schema, anything that you want regarding SQL Injections, and we know all of this stuff. So, it may come in handy when it comes to automating things, but again, you shouldn't rely solely on these tools, because sometimes you may catch actually a lot of vulnerabilities that this tool cannot catch. So, I'm going to give the host inside of double quotation marks. And I believe I pasted the document or help, something like that.
So, let me do exit or Ctrl+C, yep, here you go. Let me try one more time: sqlmap -u, and copy this thing, come back and give it. I forgot the double quotation marks. So, let me go back. It's a little bit stupid to do that. Don't forget to add the double quotation marks before you do that, okay, or you're going to have to go like this. So, sqlmap -u, and the website URL itself. So, that's it, that's all you got to do. After you give this URL, and this URL is the URL that you get suspicious of for SQL Injections, you're going to search for SQL Injections, and if you hit 'Enter', as you can see, it says that you didn't give me any cookies. If this doesn't work it's your fault. And as you can see the server wants to set its own; of course, you can try to get the cookie information from Burp Suite or the network manager and give it there as a parameter, but we don't have to do that. So, as you can see, it asks whether to use this or not. So, if it gives Y in capital letters, then just go for Y. Just say yes. If it gives N in capital letters go for no, for the default options. As you can see, I believe it already found something. It shows us different kinds of things like OR, or AND, that we can use in these parameters to hack into or just do a SQL Injection over here. It's actually trying all of this stuff that we have tried before. So, if you look into it you can see it's doing 1 = 1, but it's not doing 1 = 1. It's doing 8080806 = 8080806 because of the things that I have talked about before, to bypass the filters or bypass the firewalls, but it's essentially doing the same thing that we have done before. And it found something and it's showing the results back to us. Like if you just write this and if you just try to inject this, then it will work. So, just try to analyze this stuff and see the things that they are doing. So, it's a good idea to use 8080806 = 8080806 rather than 1 = 1.
So, if you copy this, for example, and if you come over here to the username and just give it, and then if you come over here and just give a random password, like password or test. If you come over here, as you can see, we get the admin username and password, so it works. So, it gives you the things that are going to work in this case. So, that's it, that's simple. But if you don't know this stuff then you're not going to understand this, or if the tool doesn't catch anything, then there might still be vulnerabilities. You're going to have to try manually. So, don't rely only on tools. Don't try only with tools but try yourself, try manually every time you do web pen-testing. That's the summary of this section. We're going to stop here and continue with a new vulnerable machine, a new vulnerable website called Juice Shop. And this is going to be fun.
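The lecture's point that sqlmap swaps the textbook 1 = 1 for an equivalent like 8080806 = 8080806 is exactly why a detection rule keyed on the literal string "1=1" misses most scanner traffic. The Python below is an added example, not code from the lecture or from sqlmap: it parses constructed web-server access-log lines (sample data, not real traffic), URL-decodes each query parameter, and flags any OR/AND comparison whose two sides are the same literal, so the numeric variant and the quoted-string variant are caught by one rule.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the lecture). Line 2 carries the
# classic 1=1 tautology, line 3 the numeric variant sqlmap uses, line 5 a quoted
# variant; lines 1 and 4 are benign (line 4 has a legitimate apostrophe).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=user-info.php&username=admin&password=admin HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=user-info.php&username=admin%27+OR+1%3D1--+&password=x HTTP/1.1" 200 4096
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=user-info.php&username=admin%27+OR+8080806%3D8080806--+&password=x HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=user-info.php&username=o%27brien&password=x HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=user-info.php&username=x%27+or+%27a%27%3D%27a&password=x HTTP/1.1" 200 4096
"""

# Pull the request target out of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# One literal: an integer, or a single-quoted string whose closing quote may be
# missing (the application supplies it when the injected value is concatenated).
LITERAL = r"(\d+|'[^']*'?)"
# OR/AND followed by <literal> = <literal>, whitespace-tolerant and case-insensitive.
TAUTOLOGY_RE = re.compile(r"\b(?:or|and)\s+" + LITERAL + r"\s*=\s*" + LITERAL, re.IGNORECASE)


def is_tautology(value):
    """True if the decoded parameter value contains OR/AND <lit> = <same lit>."""
    for left, right in TAUTOLOGY_RE.findall(value):
        # Only identical literals make the comparison always true; 1=2 is not a hit.
        if left.strip("'") == right.strip("'"):
            return True
    return False


def scan_log(text):
    """Return (line_no, param_name, decoded_value) for every tautology in the log."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl undoes percent-encoding and '+' so the rule sees the real payload.
        for name, val in parse_qsl(query, keep_blank_values=True):
            if is_tautology(val):
                hits.append((n, name, val))
    return hits
```

Running scan_log(SAMPLE_LOG) reports lines 2, 3 and 5 on the username parameter and nothing for the apostrophe in o'brien, which is the false positive a cruder "contains a quote" rule would raise.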
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.