The course is part of this learning path
Now that you know about SQL fundamentals, we're going to deep dive into SQL Injection in this course. We're going to see how to find vulnerabilities, how to inject comments using said vulnerabilities, and other techniques that allow you to penetrate SQL databases.
Hi, within this lecture, we're going to increase the security of motility and see what happens when we have a hardened security measure and see what happens when we change the request and try SQL injections. Okay, so all we have to do is just hit on the 'Toggle Security'. And as you can see now, security level is increased from to 1. So, let me try something over here. So, as you can see this was successful in the previous section, remember?
So, what I'm going to try this again. And as you can see it will say that dangerous characters detected and we cannot allow this. So, there is a blacklist over here going on. Right? So, it's blacklisting one of the characters that we use. So, we don't know what kind of characters they blacklist or where are they doing this blaclist thing. So maybe, they're doing this in server or maybe they are doing this in clients. So, let me just around the Burp-Suite so we can understand that. So, let me just create this, and what do I mean by the server or client.
So maybe, they're just controlling this in the browser. Right? Maybe, they don't even send this request to the server or maybe they will send it and they just control it in the server. So, we need to understand what's going on. So, if you turn your Burp Suite on and your foxy proxy on, then you can just try this one more time and see what happens. So, if I say 'Login' as you can see we get this pop-up one more time. But we didn't actually intercept anything in the Burb Suite but we have to make sure that we are not intercepting anything. Okay? So, maybe after we click 'Okay' it will be sent. Maybe it isn't, but we didn't capture it. So, I'm just going to hit one over here. And as you can see there is some sort of a funny thing going on because even though I give 1 to the password, it doesn't let us. So, let me turn this intercept off, and see if that's the case or if that's the reason that we're getting this problem. So, let me go to Login page one more time, and let's turn this on one more time, and I'm just going to write that too, and password is 1. But as you can see, it doesn't allow us to try 1 or 123, as you can see. So maybe, they blocked all the numbers. Okay. So, I don't think that's a good idea to block all numbers because someone can use numbers in their passwords. Right? But maybe, that is the case. But we have to make sure, so I'm going to turn this intercept off. And I'm just going to come over here from scratch or maybe we can just come over here from top as well, like from here, Matillidaey. So, maybe we have broken something or something like that. Okay, so, we have to make sure that is the case. So, if I say atil over here, and for the password I'm going to say 1, and I'm just going to turn the intercept on and let me try to log in. As you can see, it doesn't let us so they blacklisted the numbers which is not an expected behavior I believe. Let me turn this off, and let' say try something like 123456. Even though that's the password, it doesn't let us. So, let me try something like test or atil. But as you can see, if we try the characters rather than numbers we got an authentication error. So, if you try it like this, you won't succeed. If you try something like atil atil or atil test, then you will succeed. So, let me turn this intercept on and see what's the problem. So, as you can see, if I do this atil atil, then I intercept the request. So, this is very important. Why? Because when I did with these numbers or with SQL light injection characters, we didn't get this request at all. Right. Right now, I can see a user name is atil, passwords atil. I can forward this request or I can change this request as well. Right? So, if you go to params over here, look parameters, you can see the parameters over there and you can change it from there as well. So, what I'm going to do, I'm going to forward this and as you can see we get the response back as authentication error. So, the important thing here is that let me just forward this so we can go back. Important thing is here that it's controlling things in the client.
Okay, so, you can't intercept this request because it's not even being said. So, what we can do over here is to try and change the request before we send this to the server and see if they control it also in the server side as well. So, if they are not controlling it in the server side, then our SQL injection will be valid. Right? So, that's what we're going to do rather than giving characters. We're just going to give a password that will be wrong but it will accept it at least for displaying an error message back. Okay, so, we need some password just to send this request to the Burp-Suite. So, we can't do that with 123456, but we can do this with characters like atil or test. So, that's what we're going to do. We're going to give it a password a wrong password, then we're going to change that request, forge that request in a way that it will lead us to a SQL injection, then we're going to see if we can succeed or not. So, i'm going to turn this off and come over here from scratch.
Okay. I'm going to say atil or test to the password as well. I'm going to turn the intercept on, so click 'Login' and here you go. Now we have these parameters over here before we send before we forward this to the server, I'm going to come back to params over here and rather than password, I'm just going to copy and paste my SQL injection code. So, let's try this with hashtag okay, I'm going to copy this with 'Ctrl C' and come over here and change the password from there with 'Ctrl V' and here you go. Now my request has been modified now. If I forward this, it will be sent to the server. And if they are not filtering this in the server, then we will succeed. So, let me forward this and forward this as well. And if you come back here you go, we are logged in as admin. Now it means that it's working. So, it is very important to understand where they are doing this blacklisting or filtering thing in the client or in the server, depending on that, you can actually use Burp-Suite to change your request, and do a SQL injection like we did in this section.
Okay, so maybe, right now you may think that what happens when they harden security even more, we're going to talk about that as well. There is always a way to try, actually, at least to bypass the filtering and the firewalls. In this case, we're going to see all of those things in the next section.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.