Instructor: Welcome back. Let's talk about another big vulnerability in web applications that involves databases, and that is called SQL injection. So we already talked about how this works. So you find a user input on a website that communicates with the database. Usually, those inputs are something like usernames or passwords, or a page where you're searching for some type of a product. Once you input a product, the website communicates with the database to see if it has it. Then the database responds back. And all of that is done with the help of the SQL language and SQL queries. But as usual, user input might not be well filtered, and we might be able to inject SQL code there and send our own SQL queries to the database. Maybe on that website there are online accounts and their passwords are stored in a database. If we were to find SQL injection on a website like that, we could potentially extract usernames and passwords of all of the accounts through that SQL injection. This is an example of how an SQL query could look. It is very similar to the English language.
And what this statement essentially does is it selects some type of element from a table where some condition is fulfilled. And a table is just a part of a database. Databases consist of tables and columns. Now, I will be real right here. If you are encountering SQL injection for the first time, or the SQL language for the first time, you might find this a little bit hard. However, through practice, this will become easier and easier. Here, we can see an example of how a real-world SQL query could look. Here, books is our table from the database, ID is our condition, and this star sign indicates that we want to extract everything. Usually, in the programming world, the star sign means everything. Great. Now that we know what goes on behind the scenes of how an SQL injection works, let's try to perform one on our DVWA page. So let's go right here, log in as usual to our DVWA page. And let's first set the DVWA security to low and navigate to the SQL injection. Now, you might notice that we also have SQL injection blind.
And this is something that we are going to talk about later on. For now, let's just focus on this SQL Injection tab. So what do we have right here? We have something called user ID. And usually, we would input something like a number right here. So let's give it a try. If we, for example, input number one and click on Submit, well, it'll tell me that the ID of one is a user with the first name admin and surname admin. And that user has ID one. What if we type two, for example? We click on Submit. Well, we got a user with ID two. His name is Gordon, and his last name is Brown. And we can go for each and every number if we want. For example, the ID five has first name Bob and last name Smith. But to search for the SQL injection, what we can do is type some special characters, and that might throw an error if there is an SQL injection. For example, if I type an apostrophe or a single quote and I click on Submit, it'll throw me this error.
It'll say, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near line one." And this already is an indication that we have an SQL injection bug, since it interpreted our apostrophe as a part of SQL syntax. So for now, we know that there is an SQL error because we got an SQL syntax error. But before we continue, let's first explain why this gives an error. Why does using a single quote give us an error? Well, let me show you like this. If I open a terminal, let's just go and find a program that will allow us to write text. And here we've got some text editor under the Usual Applications. I'm going to open that, and I'm going to enlarge it just so we can type something right here. And now that we've opened this, let's explain why an apostrophe gives an error in SQL syntax. Well, as we already mentioned in our slides, usually we will have an SQL syntax, or an SQL query, that will look something like this.
So SELECT, and then something from a certain table where some condition is fulfilled. And for our page right here, if I go back, since we have user IDs, first names, and last names, it could possibly look something like this. So SELECT Name, comma, Surname FROM the table that could be named something like accounts. We don't know that yet. WHERE ID equals, and then the ID number goes between single quotes. So this could possibly be our SQL query that we send to the database, and then the database retrieves the user under the ID two. But what happens when we type an apostrophe is that instead of this two, and instead of it filtering the apostrophe, it just writes it between these two single quotes. And then we get three single quotes: the opening single quote, and then our single quote that we injected becomes the closing single quote, and then the third one is the single quote that's hanging. It doesn't belong to anything. Therefore, SQL throws an error that it has one single quote more than it should have. And whenever that happens, you've got an SQL injection bug.
And this is also called error-based SQL injection, because it throws us an error. On the other hand, we've got blind SQL injection, which doesn't throw an error. So there are some other methods that we must use for that one in order to figure out whether it exists. Now that we know that there is an SQL injection, what we can do is type some other statements as well. For example, we can select the ID number two, and then close the single quote inside of that SQL query. And we can type some logical statement such as, for example, and 1 = 1. And keep in mind that this right here, if I copy it and write it down, has single quotes between the numbers. And it doesn't have the single quote at the end, because inside of our SQL query we already have a single quote at the end. So this single quote will cover the last part of this one, and this first single quote will cover the first part of this two. So essentially, once added to our SQL query, it would look something like this. Instead of this single quote, we would have this.
And you can see this opening and closing single quote fulfills our statement. Let's give it a try and run this. And we'll just get the information about the user under the ID two. And that is because our statement is correct. So we select the user ID two, and we say, "Do that in case one is equal to one." And one is equal to one, so there are no problems. It just brings the username. But if we were to type the same command, just change it to 1 = 2, and click on Submit, we wouldn't get any output right here. That is because one is not equal to two. Therefore, it won't print the user under the ID two. That could be another sign that there is an SQL injection. Now that we know for sure that there is an SQL injection, we can try some other commands, such as, for example, this one. So if I go down here and type two, single quote, and this is just us selecting the ID number two, and then use a statement called order by one, and add dash, dash, then space, and a single quote at the end. So let's explain this command.
The reason we have this dash, dash, space, and then single quote is because that is referred to as a comment. This dash, dash is a comment, and we must add this at the end of our statement, at the end of our SQL query, because otherwise it would throw us an error. We must have it so we don't get an error when running our SQL commands. And order by one will just check whether there is a column one. And we are going to do that for two and for three as well. And we are going to see how many columns we have. So if I copy this and go back to here, paste this, click on Submit, we'll get an output of first name Gordon and surname Brown. That means this is a valid statement. Let's try with order by two. So just change from one to two and click on Submit. And this is also a valid statement, because we get the first name and surname. And if we try number three and click on Submit, well, there is an error: Unknown column three in order clause. And that's how we know that we have two columns. Now, let's see what those two columns are.
If I go and type this command, and I'm going to type it right here first, two as our ID, and then union select one and two. And let's not forget our comment at the end by specifying dash, dash, and then single quote. If I copy this and I paste it right here, click on Submit. Okay, so we get this output right here: the first name for the ID two, and we get the first name one and surname two. Now that we know that we have two columns and that we have an SQL injection vulnerability, we're going to start extracting data. So we know that we have two output fields: the first name and the surname field. So we are going to try to extract the database name and the user of the database. To do that, we can type the command two to select the user ID, and then union select. And we are going to type database, open and closed brackets, comma, user, open and closed brackets. At the end, we add our comment with a single quote. And here, we are specifying the functions called database and user. These two functions are already defined in MySQL.
So let's copy this command, just to see the name of the database and the name of the user, and type it right here. And we get the first name, which will store the database name, which is dvwa, and the surname, or the user, which is going to be root@localhost. Now that we know this, we can try to extract the list of the databases by injecting the following command. So after this, we once again start with two, and then union SELECT. These select statements you can also type in capital letters. It doesn't really matter. You can type capital or lowercase letters. What matters is that you type the correct command syntax. So right now we're going to call for schema_name, comma, two FROM information underscore. And let me just enlarge this so the entire command can fit. So two FROM information_schema.schemata, dash, dash, and then closed single quote. Okay. So let's just copy this and see what we get with this command.
If I copy, go to my page, and paste it right here, well, we get quite a few results back. And we essentially get different databases output right here. We got our dvwa database, we got the metasploit database, the mysql database, owasp10. And since we are doing this all inside of the DVWA application on our Metasploitable, we would most likely be interested in this dvwa result. So let's try to extract even more from it. We can use the following command, which is ID two, and then union SELECT table_name, comma, two FROM information_schema dot tables. So you might be wondering what even these are. And this is just regular syntax for the SQL language. These are just something that you will get used to over time. Once we type FROM information_schema.tables, WHERE the table_schema is going to be equal to the one that we want. And in our case, that is dvwa. So we can just type equals, open single quote, dvwa, closed single quote, and then our comment, dash, dash, quote.
Let's copy this entire command, copy and paste it right here. Now, I'm not sure if I copied the entire command, so I'm just going to go back and add what's missing, which is two, and then single quote, and then union. Click on Submit. And here is the output. So with this command, we sent a query where we requested the names of all the tables inside the dvwa database. We got two results, which are guestbook and users. And this users right here could be interesting for us, so let's dive deep into it. We want to extract the columns inside of this users table. We can do that by injecting this command right here. So let me just make a few spaces and type the next command, which we, as usual, start with two, and then apostrophe, union SELECT. And now we are selecting columns, so instead of table_name, we're going to type column_name, comma, column_type FROM information_schema.columns. Remember, in the last command we used dot tables. Now we are using dot columns, because we are diving further into our database.
And we need a condition at the end. So WHERE table_schema is going to be equal to dvwa and table_name equals users. So remember, we got two results right here, and we want to go with the users one first, because that looks more interesting to us than this guestbook table. Okay, so let's copy this command. And now I'm going to copy the entire command. So select, copy, and paste right here and click on Submit. And again, we get a lot of results. Here they are. Can you guess which one out of all of these columns is most interesting to us? If you guessed the password one, well, you've guessed right. But we also want to extract other columns as well, such as usernames, which we get right here, such as first names, last names, IDs as well. And all of that we want to extract. To do this, we will need to use the concat function, because we only have two fields available to input our result. So we must concat a few results in one field and the rest of the results in the other field.
We can concat, for example, user_id, first name, and last name in the first name field. And we can concat the usernames and passwords in the surname field. So let's see how that command would look. If I go back and add a few more spaces, let's type two, and then apostrophe, union SELECT, and then use the concat function to concat multiple fields into one. And we can do that by specifying which fields we want inside of this function. Let's type user_id as the first field, comma, and we are going to separate them with two dots. So comma, and then first_name, which is going to be our second field, comma. Let's use, again, two dots to separate that also from the last name. And these are the three fields that we are going to concat into the first result. Then, after it, we want to type comma, and concat the usernames and passwords into the second result. So let's type it like this, password. And at the end, we must specify from where we are extracting all of this.
And in our case, since our database is called dvwa, and we're also accessing the users table, we must type it like this. So extract all of this from dvwa.users. Add the comment at the end. And let's copy all of this and submit. Well, here it is. Here is all of the information about all of the users from this database. In the first name field, we get the user ID followed by the first name, followed by the last name. And in the surname field, we get the username and the password. So we successfully performed SQL injection, and we extracted all of the information about all of the users inside of their database. But you will notice the passwords are rather strange, right? This is because they're hashed.
Usually, websites store the hashed value of passwords inside their database for security reasons, since even if something like an SQL injection happened and someone managed to extract the entire database, they wouldn't get passwords in plain text, but rather as a hashed value that they need to run a dictionary attack on in order to find it in plain text. And by looking at them, I would say that this is probably an MD5 hash. We can figure this out by copying one of these passwords. So let's go with this one, for example. Going to Google and just pasting it inside of the search bar. And we can see most of the results are MD5, MD5, MD5, so we can guess that this is an MD5 hash. And since this is an easy password, if I click on this link, it'll even tell me which password this MD5 hash is. So it is the password abc123. So if I go back to this page, we can conclude that Gordon has a password of abc123, because this website showed us what the string of this hash that we pasted is. We can do that for any other hash as well.
As long as it is a simple password, it should manage to find it online. If I go and paste this one, for example, go right here, click on this website, MD5 hash for password, it is this. So it seems that our MD5 hash is a string of password. So our user called admin has a password that is simply just password. And that is how you extract the entire database with the SQL injection vulnerability. Now, this is probably the hardest bug that we are going to cover inside of our web application section. And it might take some time for you to get used to it, and to get used to all of this SQL syntax that we performed right here. For example, these database functions and user functions could be known by someone that already knows SQL, since these are already the inbuilt functions. And that also stands for all of this syntax, like table_name, like information_schema.columns, and the rest of these commands. But if you practice it more and more, you will eventually get better at performing SQL injection. Okay, great. So we performed SQL injection.
And in the next video, we're ready to continue discovering even more bugs on our DVWA application. See you there.