1
00:00:00,530 --> 00:00:09,110
Now let's discuss how this error based SQL injection can be exploited. I'm here at the SQL
2
00:00:09,110 --> 00:00:14,150
injection option, which is an error based SQL injection challenge.
3
00:00:14,930 --> 00:00:20,570
We can use either the select item code option or the search option.
4
00:00:21,170 --> 00:00:24,780
I'm going to use this search option for this exercise.
5
00:00:25,400 --> 00:00:29,500
So let's first enter 1 and click submit and see what happens.
6
00:00:32,190 --> 00:00:40,620
OK, so it is showing some results for the item ID 1. Let's enter 2 and see what happens.
7
00:00:42,630 --> 00:00:42,960
OK.
8
00:00:43,000 --> 00:00:46,710
Seems like there are no items for the ID 2 now.
9
00:00:46,890 --> 00:00:54,330
Let's enter 1 and a single quote, and let's click submit, and look at that.
10
00:00:54,390 --> 00:01:02,610
There is an error here which says that call to a member function fetch_assoc() on a non object in home
11
00:01:02,610 --> 00:01:04,820
not be on line 65.
12
00:01:05,490 --> 00:01:10,760
When you see this fetch_assoc, it is most likely an SQL error.
13
00:01:11,610 --> 00:01:17,650
So probably the single quote that we have injected is causing this SQL error.
14
00:01:18,390 --> 00:01:21,720
Let's try to understand what might have happened in the background.
15
00:01:22,440 --> 00:01:25,050
Let me open Mousepad to explain this.
16
00:01:36,230 --> 00:01:47,170
Here it is. Now, possibly this is the backend query: select * from some table name.
17
00:01:48,170 --> 00:01:55,500
I assume it is coffee because when you entered 1, it is showing some coffee related images and descriptions.
18
00:01:56,060 --> 00:02:08,490
So I chose my table as coffee, where the item ID or the item code equals something.
19
00:02:09,320 --> 00:02:10,870
So this is the existing query.
20
00:02:10,910 --> 00:02:11,930
That's what I'm assuming.
21
00:02:12,290 --> 00:02:13,520
Now, when you enter 1,
22
00:02:13,910 --> 00:02:18,500
it has executed perfectly and it has shown us the results.
23
00:02:19,100 --> 00:02:26,330
But when we entered 1 and a single quote, it has thrown an error, possibly because one single quote
24
00:02:26,330 --> 00:02:32,750
is opened here and one single quote is closed, and there is one more single quote that is left unclosed.
25
00:02:33,470 --> 00:02:37,520
So possibly because of that, there was an SQL error.
26
00:02:38,090 --> 00:02:43,910
We can confirm if the error is caused by our single quote by adding one more single quote.
27
00:02:44,510 --> 00:02:45,320
What will happen?
28
00:02:45,320 --> 00:02:49,280
There is one single quote that is opened and one single quote that is closed.
29
00:02:49,880 --> 00:02:56,900
And because we are adding an additional single quote, it is going to close the existing unclosed single
30
00:02:56,900 --> 00:02:57,310
quote.
31
00:02:58,070 --> 00:03:02,480
So let's try to add another single quote and see if the error is gone.
32
00:03:03,290 --> 00:03:06,710
If it is gone, that means our analysis is correct.
33
00:03:06,710 --> 00:03:10,190
And this application is vulnerable to SQL injection.
34
00:03:14,240 --> 00:03:18,050
So I'm just adding 1 and two single quotes.
35
00:03:19,050 --> 00:03:22,320
Clicking submit, and look at that.
36
00:03:22,590 --> 00:03:29,640
There is no error this time. Now, just to confirm that this is happening because of SQL injection, let's
37
00:03:29,640 --> 00:03:36,240
add one more single quote, making it a total of three single quotes, and see if the error comes back,
38
00:03:36,240 --> 00:03:39,720
because there will be one single quote left unclosed.
39
00:03:40,740 --> 00:03:44,550
OK, so I'm just entering 1 and three single quotes.
40
00:03:45,090 --> 00:03:46,110
Let's click submit.
41
00:03:47,310 --> 00:03:48,180
And there it is.
42
00:03:48,630 --> 00:03:51,030
There is a MySQL error once again.
43
00:03:51,240 --> 00:03:56,220
So this confirms that the application is vulnerable to SQL injection.
44
00:03:57,010 --> 00:03:59,460
Now, this confirms that the application is vulnerable.
45
00:03:59,970 --> 00:04:01,230
Now, what is the next step?
46
00:04:01,460 --> 00:04:07,420
We want to exploit it and extract information from the database. To do that,
47
00:04:07,620 --> 00:04:09,570
there are a few steps that we need to do here.
48
00:04:10,170 --> 00:04:16,380
The first step is to obtain the number of columns that are being used by the query that is written in
49
00:04:16,380 --> 00:04:17,000
the background.
50
00:04:17,550 --> 00:04:20,970
There is a reason for doing that, which I'll explain in a moment.
51
00:04:21,690 --> 00:04:28,950
But to identify the number of columns, we can simply use the same query
52
00:04:33,510 --> 00:04:36,620
and write an order by statement.
53
00:04:39,030 --> 00:04:46,170
So what we are going to do is we are going to write order by 1, and we are just commenting out everything
54
00:04:46,170 --> 00:04:52,330
after order by 1 so that the single quote that is left unclosed will not cause any error.
55
00:04:53,040 --> 00:04:59,130
So we are closing the existing single quote by using a single quote after 1.
56
00:04:59,520 --> 00:05:02,570
And we are writing our own SQL statements here.
57
00:05:03,360 --> 00:05:10,470
What order by 1 will do is it is going to try to order the results based on column number one.
58
00:05:11,100 --> 00:05:15,980
If column number one exists, there won't be any error and the data will be sorted.
59
00:05:16,470 --> 00:05:17,480
So that's the idea.
60
00:05:18,030 --> 00:05:21,350
If the column doesn't exist, it is going to throw an error.
61
00:05:21,840 --> 00:05:25,970
So we will have to increment this number until we get an error.
62
00:05:26,160 --> 00:05:31,140
So we will get a conclusion that that specific column doesn't exist in the database.
63
00:05:31,590 --> 00:05:32,530
So that's the idea.
64
00:05:32,550 --> 00:05:33,870
So let's go ahead.
65
00:05:34,890 --> 00:05:43,890
I'm going to copy this from one till the hash and let's enter this in the search field.
66
00:05:46,270 --> 00:05:47,290
Let's click submit.
67
00:05:48,670 --> 00:05:53,850
No error. Let's increment this one and click submit again.
68
00:05:55,410 --> 00:05:56,290
There is no error.
69
00:05:56,970 --> 00:05:59,540
Let's make it five and see what happens.
70
00:06:01,030 --> 00:06:02,500
Once again, there is no error.
71
00:06:03,010 --> 00:06:04,620
Let's make it eight.
72
00:06:06,550 --> 00:06:10,880
There is an error, which means column eight doesn't exist.
73
00:06:11,380 --> 00:06:12,430
Let's make it seven.
74
00:06:15,370 --> 00:06:20,350
No error. This confirms that the table has seven columns.
75
00:06:27,340 --> 00:06:34,540
Identifying this number of columns is required because in the next step, we are going to use a union
76
00:06:34,540 --> 00:06:41,520
statement. A union statement can be used with two different select statements on both sides.
77
00:06:42,100 --> 00:06:47,230
Now, on both the sides, the number of columns in the select statements has to be equal.
78
00:06:48,010 --> 00:06:49,730
Let me show you how that looks.
79
00:06:51,310 --> 00:06:52,810
I'm going to copy this first.
80
00:06:57,290 --> 00:07:05,840
And I'm going to paste it here, and instead of order by 1, I'm going to write a union statement.
81
00:07:06,860 --> 00:07:13,430
And as I mentioned, the union statement allows you to write select statements on both the sides.
82
00:07:14,090 --> 00:07:18,910
So these select statements should have the same number of columns.
83
00:07:19,400 --> 00:07:27,290
So on the right side, I'm giving one, two, three, four, five, six and seven.
84
00:07:27,620 --> 00:07:32,720
Since we obtained the number of columns on the left hand side in the previous step, we are able to
85
00:07:32,720 --> 00:07:36,130
give the number of columns on the right hand side in this step.
86
00:07:36,530 --> 00:07:41,210
That's exactly the reason why we identified the number of columns in the previous step.
87
00:07:41,990 --> 00:07:49,640
OK, so since it is an error based SQL injection, if one of these numbers is displayed back
88
00:07:49,640 --> 00:07:56,740
on the screen, we can basically use that display number to retrieve further information from the database.
89
00:07:57,170 --> 00:08:05,990
So let's copy this and insert it into the search field and hope for some number being displayed back.
90
00:08:10,460 --> 00:08:13,640
I'm pasting it here and let's click submit.
91
00:08:15,270 --> 00:08:22,440
And there are a bunch of numbers here, two, four, five and six. We can use any of these numbers
92
00:08:22,710 --> 00:08:25,470
to retrieve information from the database.
93
00:08:25,950 --> 00:08:36,810
So to do that, I'm going to first copy this line here and paste it here, and let's probably use the
94
00:08:36,810 --> 00:08:39,120
number five, which is displayed back.
95
00:08:39,780 --> 00:08:48,090
So instead of five, I'm going to use database(), so we can just copy this.
96
00:08:48,390 --> 00:08:53,370
And if everything goes fine, we should get the name of the database.
97
00:08:58,430 --> 00:09:02,100
So just watch out for this number five here and see what happens.
98
00:09:02,450 --> 00:09:03,140
Click submit.
99
00:09:04,920 --> 00:09:12,120
Look at that instead of number five, we are getting the name of the database and the rest of the numbers
100
00:09:12,120 --> 00:09:13,350
are there as is.
101
00:09:14,190 --> 00:09:16,320
OK, now let's go back.
102
00:09:17,100 --> 00:09:20,610
And we have gotten the name of the database.
103
00:09:21,870 --> 00:09:24,240
Now, once again, I'm just going to copy it
104
00:09:27,180 --> 00:09:37,220
and paste it here, and we can also get the version as well as the name of the user being used.
105
00:09:37,620 --> 00:09:39,150
So let's do it one by one.
106
00:09:39,430 --> 00:09:41,610
First, let's try to get the version.
107
00:09:49,680 --> 00:09:56,130
As you can see, the version is this. It also contains the version of the Ubuntu server, which is
108
00:09:56,130 --> 00:09:57,270
14.04 in this case.
109
00:10:00,330 --> 00:10:06,240
Now, the best part is we just don't need to stick to one column, since the other columns are also
110
00:10:06,240 --> 00:10:13,670
being displayed back. For example, column number two, we can use this for displaying the user information.
111
00:10:14,310 --> 00:10:16,280
So I'm just going to copy it once again.
112
00:10:21,990 --> 00:10:27,810
And I'll paste it here and let's click submit.
113
00:10:29,080 --> 00:10:36,480
Now look at that, instead of the number two, we are getting the username of the MySQL database,
114
00:10:36,810 --> 00:10:38,510
which is the root in this case.
115
00:10:39,090 --> 00:10:41,610
And let's go ahead and paste it here.
116
00:10:44,860 --> 00:10:49,950
OK, so we have got both the username as well as the database version.
117
00:10:50,680 --> 00:10:58,930
Now the next step is to identify the table names and column names.
118
00:11:00,020 --> 00:11:05,920
And once we get these two, we can actually get the actual data that is stored in the tables.
119
00:11:06,460 --> 00:11:11,420
So the database contains tables, tables contain columns and data.
120
00:11:11,980 --> 00:11:14,650
That's the reason why we are going in this order.
121
00:11:15,250 --> 00:11:20,350
So the next step is to find out the list of tables that are available in the database.
122
00:11:21,910 --> 00:11:27,910
So I'm just going to copy this line once again and paste it here.
123
00:11:29,090 --> 00:11:37,660
Now, let's just replace this user with two and let's use this five for retrieving the table names.
124
00:11:38,500 --> 00:11:44,580
I'm going to use table_name, which is a predefined variable kind of thing.
125
00:11:44,740 --> 00:11:49,480
You shouldn't change this because all the tables will be retrieved using this
126
00:11:49,480 --> 00:11:59,440
table_name. And the table names or any other metadata in MySQL is stored in a special database
127
00:11:59,440 --> 00:12:07,330
called information_schema, and the table names can be accessed by using information_schema.tables.
128
00:12:08,590 --> 00:12:11,680
So we are going to use this to retrieve table names.
129
00:12:11,980 --> 00:12:13,660
I'm copying this payload here.
130
00:12:15,130 --> 00:12:18,580
And let's go back and let's paste it here.
131
00:12:21,910 --> 00:12:29,020
Now, it has dumped a lot of table names, and what we are interested in is some custom tables which
132
00:12:29,020 --> 00:12:31,510
may contain user specific information.
133
00:12:32,230 --> 00:12:39,610
So let's search for tables with the word user. I'm typing users.
134
00:12:41,460 --> 00:12:47,730
There it is, there is a table named users, and looks like that's the end of it, so most likely it is
135
00:12:47,730 --> 00:12:49,220
a user defined table.
136
00:12:49,740 --> 00:12:50,820
So I'm copying this.
137
00:12:51,270 --> 00:12:56,870
And let's go back to the notepad and let's use this information here.
138
00:12:57,450 --> 00:13:01,540
So this users table is what we are interested in now.
139
00:13:01,860 --> 00:13:10,560
Once again, let me just copy this whole line and paste it here, and this time
140
00:13:12,170 --> 00:13:19,640
we want to dump the column names for this table users. To dump the column names, we can just replace
141
00:13:20,540 --> 00:13:26,870
table_name with column_name, and information_schema.columns
142
00:13:26,900 --> 00:13:31,330
should be used here because this is what is going to contain the column names.
143
00:13:32,000 --> 00:13:34,130
So once again, I'm copying this.
144
00:13:37,990 --> 00:13:38,560
And.
145
00:13:40,420 --> 00:13:45,640
I'm going to paste it here and let's click submit.
146
00:13:47,790 --> 00:13:54,900
If you notice, there are a lot of columns. A users table having all of these columns is highly
147
00:13:54,900 --> 00:13:55,500
unlikely.
148
00:13:56,190 --> 00:14:04,050
So what's happening here is the query that we have inserted is dumping all the columns from information_schema,
149
00:14:04,050 --> 00:14:06,780
which is not required by us.
150
00:14:07,230 --> 00:14:11,470
Now, what we are interested in is the column names only from this users table.
151
00:14:12,060 --> 00:14:19,950
So let's add a filter here, saying where table_name is users.
152
00:14:21,930 --> 00:14:24,420
OK, so let's copy this payload
153
00:14:27,510 --> 00:14:36,240
and let's paste it again, let's click submit, and there it is.
154
00:14:36,750 --> 00:14:43,520
Interestingly, there are only three columns in this table: uid, username and password.
155
00:14:44,250 --> 00:14:46,410
So let's note them down.
156
00:14:48,910 --> 00:14:57,120
Username, password, uid, these are the three columns we identified from the users table.
157
00:14:57,760 --> 00:15:01,240
Now the last step is to extract these details.
158
00:15:01,810 --> 00:15:08,170
So let's modify our payload a bit so that we can extract the usernames and passwords from the users
159
00:15:08,170 --> 00:15:08,560
table.
160
00:15:11,230 --> 00:15:17,520
OK, the first thing that I'm going to do is I will just remove this information_schema.columns
161
00:15:17,600 --> 00:15:20,280
because we are not looking for metadata anymore.
162
00:15:20,650 --> 00:15:23,200
We are looking for the actual data stored in the table.
163
00:15:23,800 --> 00:15:27,910
So we want to retrieve data from the users table.
164
00:15:28,780 --> 00:15:34,270
And instead of column names, we want the actual data, and we know the column names.
165
00:15:34,300 --> 00:15:42,070
So we will just use uid, username, password.
166
00:15:43,060 --> 00:15:49,060
But if you notice, we are actually using more than seven columns here because we are just using these
167
00:15:49,060 --> 00:15:51,090
three as three different columns.
168
00:15:51,670 --> 00:15:58,180
Instead we can just pick all of them and concatenate them into one column. For that,
169
00:15:58,180 --> 00:16:06,730
I can use group_concat, and when this information is displayed on the web page, I want these
170
00:16:06,730 --> 00:16:09,760
details to be separated by a colon like this.
171
00:16:10,210 --> 00:16:15,810
So for that, I'm going to use a hex value to specify that the colon has to be displayed.
172
00:16:16,390 --> 00:16:21,280
So 0x3a here and 0x3a here.
173
00:16:21,940 --> 00:16:28,390
So this payload should dump all the data that we are expecting. So I'm just going to copy my payload to
174
00:16:28,390 --> 00:16:29,580
be injected once again.
175
00:16:31,780 --> 00:16:33,460
And let's paste it there.
176
00:16:40,530 --> 00:16:48,150
There it is. If you notice, we have got the uid 1, which is admin, and there is a password hash,
177
00:16:48,450 --> 00:16:51,660
similarly xvid with a password hash.
178
00:16:52,140 --> 00:16:57,500
There is a third user with the name user and he has a password hash password.
179
00:16:58,110 --> 00:16:59,910
So let's copy all of this.
180
00:17:05,140 --> 00:17:06,610
And paste here.
181
00:17:07,270 --> 00:17:12,040
So this is the list of credentials that we have extracted from the table now.
182
00:17:12,400 --> 00:17:14,800
The passwords are not in clear text.
183
00:17:14,890 --> 00:17:17,470
They are stored in hashed format, which is good.
184
00:17:17,920 --> 00:17:23,820
But if these hashes are generated using a weak hashing algorithm, they can be easily cracked.
185
00:17:24,280 --> 00:17:31,570
The purpose of this demo is only to show you how to exploit error based SQL injection by using manual
186
00:17:31,570 --> 00:17:34,260
techniques and without using any automated tools.
187
00:17:34,750 --> 00:17:38,680
So cracking these hashes is something which we will discuss later.
188
00:17:39,640 --> 00:17:46,410
I hope you have enjoyed this exercise of exploiting error based SQL injections. In later videos,
189
00:17:46,420 --> 00:17:51,900
we are also going to discuss how we can use automated tools to exploit SQL injection.
190
00:17:52,420 --> 00:17:53,740
So that's all for this video.
191
00:17:54,010 --> 00:17:55,140
See you in the next one.