SQLi GET Requests
In this course, we're going to continue learning about SQL Injections, focusing on GET SQL Injections. They are very similar to POST SQL Injections but we're going to learn about new techniques, new kinds of attacks, and much more.
Hi, within this section, we're going to continue SQL injections but this time we're going to see different representations or different implementations of the SQL injections and a little bit more advanced stuff. Then, we're going to move into really advanced stuff later on in the next section. Now, I'm inside of Kali Linux. Of course, my Metasploitable2 machine is running as well. So, make sure both of them are running and just find your Metasploitable IP and write it down so that you can just connect to it. Open the Mutillidae. And if you haven't watched the previous sections, if you don't know what the Mutillidae or Metasploitable is, please watch the previous sections and come back here afterwards. So, we have seen the basics of the SQL injections and we have actually seen the SQL 101 as well. So let me come over here and find my SQL injection.txt. So, that is the file that we have been taking notes on. I'm going to open it one more time with Gedit. You can just open it with whatever you want. Leafpad, Geany, I don't know, whatever you want. Whatever you have chosen for the HTML 101 page, for example, the 101 section. So far, we have been working with this and we have all understood why we are querying the things that we have been querying and we have actually seen the login bypassing, authentication bypassing thing with all of those. So, passwords like nullifying the rest of the comments, or doing an OR or AND. We have seen all of this stuff and these were, I believe, all in POST methods. And it doesn't really matter if we are doing this in POST or GET but we haven't seen the GET method. Sometimes, we see parameters in the URL as well in the GET methods. So, that's what we are going to do in this section. So I'm gonna come over here to extract data, rather than login. So, we have covered this bypass authentication. Now, I'm gonna go back to extract data and find the user info and click on it.
By the way, I have actually decreased the security level one more time. It's zero right now. Make sure you do it as well if you watched the previous section. So, if I say atil 123456. So, we know our password. We get this information. Okay, username is atil, password is 123456. And the signature is atil. So, we're going to try and see if we don't know the password that we can retrieve this information. Of course. So, let's do it for admin with 123456. And as you can see, we get an authentication error because we don't know the admin password at this point. So, what I'm going to do, I'm going to open the Burp Suite as usual. I'm gonna leave it running in the background and then, we're going to see actually a different tab, a different functionality of Burp Suite that we haven't covered before in this lecture. So, my intercept is on and let's see my FoxyProxy, let's turn it on as well. So, let's do a request. I'm going to say atil, I'm going to say 123456. And here you go, as you can see now this is a GET request and we see all the parameters over here as well. So, username is atil, password is 123456. So, we have the cookies and stuff. And if you forward this, that is good. So, let me turn this off. Then, we can get the response back in here. But as you can see, right now we see all the things, all the parameters in the URL as well. So, it doesn't necessarily have to be this way. But in this case, it is. So, let me copy this URL and paste it over here. And I'm just going to take notes and say GET METHOD. Because maybe afterwards, you may want to review your notes and I'm going to say POST METHOD to this line as well. You don't have to do that, obviously. So in this case, we have the URL and we can see these passed parameters over here as well. So, like question mark, we're going to pass a page parameter, we're going to pass this page into this request and we're going to have a username, we're going to have a password. So, all the parameters are written down in here.
So again, it doesn't have to necessarily be this way but in this case, it is.
And if this is the way that we actually experience this, then it's better because rather than trying everything in the input fields, then we can also try them on the URL as well. Maybe there might be some sort of a protection mechanism in the input fields on the HTML side but not on the URL side. So maybe, it's a good thing for us. So, rather than testing everything in here, we should learn how to test them in the URL as well because it might actually require some sort of encoding or decoding in here. For example, let me try this. So, we're going to basically try the same things that we have tried in the previous section. So, the logic of this SQL injection will not change. We're going to try the same things but the implementation would become a little bit different in this case. So, what do I mean? So, in the text fields I have atil over here and for the password, maybe we can just try one of these. Maybe we can just try these or for the password you can try one single quotation or thing, whatever you want. So, let me try the most basic one first. So, atil'# and for the password, I'm just going to say one and here you go. As you can see, it works. So that we know that this is the SQL injection. Let's try this for the admin and see if this works or not. So let's come over here and say one and here you go. We see the admin username and admin password as well. So, adminpass admin and the signature of the admin is monkey, apparently. So far, so good. Now we know, this works here as well. Again we can try the OR things or queries on the password side but the thing that I want to mention in here or emphasize over here is the link itself. So, let me just copy this URL and just try and see what kind of different things we have in the URL, rather than our code. So, let me just show you this. As you can see, I have put admin'1# in here. But they turned it, actually the system turned it, into something else, %27%23. So, why does this happen?
So, in the URL, it's URL encoding actually. So, in the URL sometimes, you cannot use special characters like single quotation marks and hashtags, so it converts them. So sometimes, it doesn't convert them and you should write %27 instead of one single quotation. And sometimes, you should write hashtag rather than, I mean %23 rather than hashtag over here. So as you can see, if I change this to be '#, it doesn't work. So, if I do %23, then it works. So, there will come times that you may actually have to try this on the URL rather than the text input. And, if you put hashtag over here it won't work. Then, you should put %23. So, how will you know what to put, how to convert characters into URL encoding?
So, this is one of the things that you should learn. So of course, Burp Suite has a module for that as well. So it's very good to do that. If you come over here to Decoder, you can decode or encode whatever you want. So, let me show you some examples. If you come over here to the Decoder tab. If you write something, like admin'#, for example, you can just change it into anything you want, you can just say Decode as or Encode as. Of course, we're going to try encoding because it's already decoded for us. So, I'm going to say URL and here you go. It's actually converted every character into URL encoding. So apparently, A is %61. So, let me delete everything and just see them one by one. So '# is %27%23. So, you can actually learn the characters and the URL representation of them from here as well. For example, if I do %27, it will just change everything over here. But if I decode them as URL, we can see them decoded as well. So if you have something like that, you can decode them rather than encoding them as well. So, it's working two ways, both ways and it's very good. You can, of course, go to some online website and just try them there as well. But it works very good in the Burp Suite. And we are always using Burp Suite. So, it's a good idea to use Decoder as well. So, here we go. Now, this is how you understand what to put in the URL, if you want to try something to inject in the URL section. Another example would be to understand how space works. As you can see, space is encoded or decoded like %20. So, rather than just leaving a space in the URL, you might actually write %20 and it will work. So far, so good. Now, that's a start for a SQL injection in the GET request. We're gonna stop here and continue within the next lecture.
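An added example, not part of the original lecture: the URL-encoding behaviour described above, seen from the server side. It percent-decodes GET parameters the way a web server does, shows that a raw `#` starts the URL fragment (which is never sent to the server, so the rest of the query is cut off), and flags decoded parameters containing SQL metacharacters for triage. The host, path and the `inspect_url`/`scan` helper names are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qsl, quote

# Characters that commonly close a quoted SQL string or start a comment.
# A hit is a triage hint, not proof: a name like O'Brien also matches.
SQL_META = ("'", '"', "#", "--", ";")

def encode_value(value):
    """Percent-encode everything except unreserved characters
    (letters, digits, and _ . - ~)."""
    return quote(value, safe="")

def inspect_url(url):
    """Parse a request URL and report what the server would receive."""
    parts = urlsplit(url)
    # parse_qsl percent-decodes, so %27 becomes ' and %23 becomes #.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    flagged = sorted(k for k, v in params.items()
                     if any(m in v for m in SQL_META))
    return {"params": params, "fragment": parts.fragment, "flagged": flagged}

def scan(urls):
    """Return (url, flagged parameter names) for every URL worth triaging."""
    hits = []
    for url in urls:
        flagged = inspect_url(url)["flagged"]
        if flagged:
            hits.append((url, flagged))
    return hits

# Constructed sample requests; host and path are placeholders.
BASE = "http://lab.example/index.php?page=user-info"
SAMPLES = [
    BASE + "&username=atil&password=123456",    # ordinary lookup
    BASE + "&username=admin%27%23&password=1",  # encoded quote and hash
    BASE + "&username=admin'#&password=1",      # raw hash starts a fragment
]

if __name__ == "__main__":
    print(encode_value("admin'#"), encode_value(" "))
    for url in SAMPLES:
        print(inspect_url(url))
    print(scan(SAMPLES))
```

In the third sample the `password` parameter lands in the fragment and never reaches the application, which is why the raw `#` has to be written as `%23` in the URL.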
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.