1
00:00:01,800 --> 00:00:08,300
OK so now let's try and determine how many columns are being selected into this page.

2
00:00:08,310 --> 00:00:15,780
So how much information is being selected and displayed on this page. So to do that we're going to use

3
00:00:15,780 --> 00:00:17,220
the order by command.

4
00:00:17,220 --> 00:00:23,310
So we did order by 1 and that returned something that was acceptable, and order by one hundred thousand

5
00:00:23,310 --> 00:00:24,340
gave us an error.

6
00:00:24,420 --> 00:00:27,330
So let's try and do order by 10.

7
00:00:28,170 --> 00:00:29,910
And we still get an error.

8
00:00:29,910 --> 00:00:34,900
So I'm gonna do an order by 5 and that works.

9
00:00:34,900 --> 00:00:37,980
So let's try to do an order by 6.

10
00:00:38,620 --> 00:00:39,760
And that gives an error.

11
00:00:39,790 --> 00:00:47,470
So by doing this we know that there are five columns that are being selected from a certain table.

12
00:00:47,470 --> 00:00:53,470
And it's the accounts table, and displayed on this page.

13
00:00:53,650 --> 00:01:01,900
So let's try and build our own SELECT statement and get it to be executed on the target computer. So

14
00:01:01,990 --> 00:01:04,360
let's come here and try to build it there.

15
00:01:04,360 --> 00:01:13,120
So at the moment this statement is select star from accounts where username is equal to Zaid and we're

16
00:01:13,120 --> 00:01:14,700
doing an order by 1.

17
00:01:14,770 --> 00:01:22,940
So let's see if we can fix that and get it to select something that we like. So the normal way to select

18
00:01:22,940 --> 00:01:30,680
stuff is using this format, but because we are trying to do multiple selects and we're trying to do it

19
00:01:30,680 --> 00:01:39,620
from the URL we're going to have to use a union first, and then we're going to say select. Then we need

20
00:01:39,620 --> 00:01:45,290
to imagine what's happening on this application. So in this web application we know that there are five

21
00:01:45,290 --> 00:01:46,830
records being selected.

22
00:01:47,150 --> 00:01:50,180
So there are five columns that are being selected.

23
00:01:50,180 --> 00:01:57,040
So we're doing one, two, three, four, five, and we got that from the order by command.

24
00:01:57,590 --> 00:02:00,520
So let's run this and see what happens

25
00:02:12,100 --> 00:02:13,810
and I spelled union wrong

26
00:02:25,060 --> 00:02:30,730
and as you can see now the selection was right and we got the first selection. So the first selection

27
00:02:30,730 --> 00:02:34,590
that this line does has been done.

28
00:02:35,170 --> 00:02:37,270
And then it did the union.

29
00:02:37,270 --> 00:02:42,520
So it combined that selection with another selection and it showed us something else.

30
00:02:42,520 --> 00:02:46,110
And as you can see here we're only seeing two, three and four.

31
00:02:46,150 --> 00:02:52,330
And what that means is whatever value you put in number two or three or four, whatever you want to select,

32
00:02:52,570 --> 00:02:56,380
if you put it in there it's going to be displayed in this page.

33
00:02:56,380 --> 00:03:01,000
In this particular location, and you can see that here you have results for two.

34
00:03:01,180 --> 00:03:04,990
So whatever you put in two would also be shown in here

35
00:03:07,800 --> 00:03:10,500
so let's try to see our database.

36
00:03:10,560 --> 00:03:17,980
So instead of number two I'm gonna say database and instead of number three I'm going to say username

37
00:03:20,360 --> 00:03:28,730
or user, and instead of number four I'm gonna do version, and this will select the current database,

38
00:03:29,000 --> 00:03:35,000
the current user privileges that we have, and the version of the database.

39
00:03:35,090 --> 00:03:38,290
So let's see if this gets executed and then we'll talk about it.

40
00:03:44,820 --> 00:03:45,210
Okay.

41
00:03:45,220 --> 00:03:45,810
Cool.

42
00:03:45,820 --> 00:03:51,010
So the username is showing up as owasp10 and that was number two.

43
00:03:51,010 --> 00:03:54,560
So that is the database that we're looking for.

44
00:03:55,420 --> 00:04:01,870
So the database is owasp10, then the current user that we're logged in as is root at localhost.

45
00:04:01,870 --> 00:04:05,320
So we're the root user, and the signature of this.

46
00:04:05,320 --> 00:04:07,800
So this stuff actually doesn't mean anything.

47
00:04:07,800 --> 00:04:12,670
We're only concerned about this and what we injected, and we injected the version and we can see this

48
00:04:12,670 --> 00:04:16,920
is the version of MySQL so it's 5.0.51.

49
00:04:17,050 --> 00:04:24,610
So at the moment we know that the database that we're connected to is owasp10 and usually in most real life

50
00:04:24,610 --> 00:04:28,690
scenarios each database is assigned to a certain user.

51
00:04:28,720 --> 00:04:36,310
So usually you're only able to select stuff, tables, columns, data that is located in this current database.

52
00:04:37,520 --> 00:04:39,580
At the moment we are logged in as root.

53
00:04:39,620 --> 00:04:46,880
So this web application has been connected to the database as root, so therefore we can actually access

54
00:04:46,910 --> 00:04:50,660
other databases, but this doesn't really happen in real life scenarios.

55
00:04:50,720 --> 00:04:59,150
Usually each user has their own database, so when they connect a web application to a database

56
00:04:59,320 --> 00:05:04,340
they connect it to one database and therefore you won't be able to access other databases.

57
00:05:04,340 --> 00:05:11,000
So we're going to consider, we're going to assume that we only have access to owasp10 which is

58
00:05:11,000 --> 00:05:19,790
our current database for this current website and that the username is root at localhost and in the

59
00:05:19,790 --> 00:05:26,000
next videos we'll see how we can further exploit this and do more powerful select statements.