1
00:00:01,230 --> 00:00:08,460
Now let's see if we can select and have a look at all the accounts that exist within this table.

2
00:00:08,460 --> 00:00:17,120
So let's see if we can query the database and read the information stored in the accounts table. To do

3
00:00:17,120 --> 00:00:17,960
that,

4
00:00:17,990 --> 00:00:24,920
we're going to first need to know the column names of the columns that exist within this table, because

5
00:00:24,950 --> 00:00:31,910
if you look at the way we were using our statement, we're doing union select column name from a table.

6
00:00:31,910 --> 00:00:35,530
So we still don't know what columns exist in accounts.

7
00:00:35,540 --> 00:00:41,360
Now we can try and guess that there is a username and password, but sometimes they could have different

8
00:00:41,360 --> 00:00:41,660
names.

9
00:00:41,810 --> 00:00:47,780
So I'm going to show you how you can select the columns for a certain table. The command is going to

10
00:00:47,780 --> 00:00:54,980
be very similar to the tables command, and the only difference is instead of table_name we're going to

11
00:00:54,980 --> 00:01:02,710
say column_name, and instead of selecting it from information_schema.tables we're going to select

12
00:01:02,710 --> 00:01:05,060
it from information_schema.columns

13
00:01:08,040 --> 00:01:10,680
and we're going to say where the table_name

14
00:01:13,760 --> 00:01:19,520
is equal to accounts, because we're interested in the accounts table. If you wanted to get columns for

15
00:01:19,520 --> 00:01:24,680
another table, then you just substitute this with the table that

16
00:01:24,680 --> 00:01:25,740
you want.
17
00:01:25,760 --> 00:01:32,960
So our command is going to be union select 1, column_name from information_schema.columns

18
00:01:33,590 --> 00:01:39,470
where the table_name is the table that we're interested in, which is accounts, and this should show

19
00:01:39,470 --> 00:01:44,440
us all the columns that exist within the accounts table.

20
00:01:44,600 --> 00:01:45,770
So let's run this command

21
00:01:56,500 --> 00:02:06,610
and perfect, same columns that we've seen before: cid, username, password, mysignature and is_admin.

22
00:02:06,620 --> 00:02:13,290
Now let's take this one step further and select the usernames and passwords from the accounts table.

23
00:02:13,350 --> 00:02:18,900
So again the command is going to be very similar to what we're running at the moment. We're going

24
00:02:18,900 --> 00:02:22,410
to be selecting, and we're going to select username

25
00:02:26,950 --> 00:02:35,100
and I'm going to select the passwords for number two, and for number three we're going to select the

26
00:02:35,220 --> 00:02:37,110
is_admin.

27
00:02:37,280 --> 00:02:43,200
Now remember I can't select anything instead of number one and number five, because they're

28
00:02:43,200 --> 00:02:46,510
never displayed for me on screen.

29
00:02:46,560 --> 00:02:51,990
The only things that I see were number two, three and four, which were displayed here: two, three and four.

30
00:02:52,350 --> 00:02:59,790
So therefore I'm only substituting values for two, three and four, and we're going to select that from

31
00:02:59,790 --> 00:03:00,400
accounts

32
00:03:03,080 --> 00:03:04,610
and we're not going to need the where.

33
00:03:04,640 --> 00:03:07,200
So I'm going to delete the where.

34
00:03:07,490 --> 00:03:09,460
So, very simple statement.
35
00:03:09,470 --> 00:03:16,760
We're selecting username, password, is_admin from accounts, and this should return all the usernames

36
00:03:16,760 --> 00:03:22,610
and passwords that exist in the accounts table

37
00:03:32,160 --> 00:03:37,060
and I have an extra quote here that I'm going to delete.

38
00:03:37,220 --> 00:03:42,360
And as you can see we got all the usernames and passwords. We have the admin and their password is

39
00:03:42,370 --> 00:03:48,710
adminpass, we have other users and we have their passwords, and it's also telling us whether they are admins

40
00:03:48,710 --> 00:03:55,490
or not. This is very useful because in most websites when you log in as admin you have so many more

41
00:03:55,490 --> 00:03:57,340
privileges than a normal person.

42
00:03:57,470 --> 00:04:03,800
And then you'd be able to upload PHP shells or backdoors, viruses, whatever you want to do really.

43
00:04:03,800 --> 00:04:12,370
And then further exploit the system. So at the moment I can actually log in with a username admin and

44
00:04:12,370 --> 00:04:17,610
a password adminpass, and this can accept that because it's correct

45
00:04:20,760 --> 00:04:26,690
so no matter how complicated the password was, we're just going to be able to read it because we're reading

46
00:04:26,690 --> 00:04:28,180
it straight from the database.