1
00:00:07,050 --> 00:00:08,110
- [Instructor] SQL injection

2
00:00:08,110 --> 00:00:12,090
or SQL injection vulnerabilities can be catastrophic.

3
00:00:12,090 --> 00:00:15,620
Because basically they can allow an attacker to view,

4
00:00:15,620 --> 00:00:20,340
to insert, to delete or modify records in a database.

5
00:00:20,340 --> 00:00:23,720
In a SQL injection attack, the attacker actually injects

6
00:00:23,720 --> 00:00:28,210
or inserts partial or complete SQL queries

7
00:00:28,210 --> 00:00:30,420
via a web application.

8
00:00:30,420 --> 00:00:34,220
Basically, the attacker can inject these commands

9
00:00:34,220 --> 00:00:39,220
into input fields in an application or via a URL.

10
00:00:39,780 --> 00:00:41,820
And he can actually do that in order to execute

11
00:00:41,820 --> 00:00:45,680
predefined SQL commands and manipulate the database.

12
00:00:45,680 --> 00:00:48,310
Now I want to give you a brief introduction to SQL,

13
00:00:48,310 --> 00:00:49,870
but only for your reference.

14
00:00:49,870 --> 00:00:52,840
Many of you already are familiar with SQL

15
00:00:52,840 --> 00:00:54,580
and SQL statements.

16
00:00:54,580 --> 00:00:56,261
On the screen, I'm actually sharing

17
00:00:56,261 --> 00:01:00,460
the most common SQL statements for your reference.

18
00:01:00,460 --> 00:01:01,920
So you have things like select

19
00:01:01,920 --> 00:01:04,000
that is used to obtain data from a database,

20
00:01:04,000 --> 00:01:07,100
update, to update database, you know, records,

21
00:01:07,100 --> 00:01:11,620
delete, insert, to create database, alter database,

22
00:01:11,620 --> 00:01:16,210
create tables to use and, you know, to create a new table,

23
00:01:16,210 --> 00:01:19,690
drop tables, alter tables, create index,

24
00:01:19,690 --> 00:01:21,820
drop index and so on.

25
00:01:21,820 --> 00:01:23,480
Now, typically SQL statements

26
00:01:23,480 --> 00:01:26,230
are divided into different categories.
27
00:01:26,230 --> 00:01:27,560
The first one is actually

28
00:01:27,560 --> 00:01:31,500
the Data Definition Language statements or DDL,

29
00:01:31,500 --> 00:01:34,880
Data Manipulation Language statements, DML,

30
00:01:34,880 --> 00:01:36,690
Transaction Control Statements,

31
00:01:36,690 --> 00:01:38,580
Session Control Statements,

32
00:01:38,580 --> 00:01:40,740
System Control Statements,

33
00:01:40,740 --> 00:01:43,810
and Embedded SQL Statements as well.

34
00:01:43,810 --> 00:01:47,030
Now the W3Schools website has a tool

35
00:01:47,030 --> 00:01:50,140
called the TryIt SQL editor that actually allows you

36
00:01:50,140 --> 00:01:55,140
to practice with SQL statements using an online database

37
00:01:55,680 --> 00:01:59,620
that again, you can actually use to become familiar

38
00:01:59,620 --> 00:02:00,790
with the actual protocol

39
00:02:00,790 --> 00:02:03,720
if you have never been exposed to the protocol.

40
00:02:03,720 --> 00:02:08,720
So another good resource that explains SQL queries in detail

41
00:02:08,820 --> 00:02:13,743
is the GeeksforGeeks.org SQL tutorial,

42
00:02:14,900 --> 00:02:16,800
as I'm actually sharing on the screen.

43
00:02:17,640 --> 00:02:19,450
Now what I want to actually share with you

44
00:02:19,450 --> 00:02:23,250
is an SQL statement that is actually trying to gather

45
00:02:23,250 --> 00:02:28,250
a specific record within a table in a database

46
00:02:28,780 --> 00:02:30,630
and the table name is customers.

47
00:02:30,630 --> 00:02:33,870
And basically, I'm doing a select all from customers

48
00:02:33,870 --> 00:02:37,870
and I'm filtering them where I only want to see

49
00:02:37,870 --> 00:02:42,870
the contents with a record that matches Saavedra.
50
00:02:43,150 --> 00:02:44,910
And basically, there's a field

51
00:02:44,910 --> 00:02:46,480
or a column called ContactName

52
00:02:47,500 --> 00:02:51,180
and basically I'm using the word ContactName LIKE

53
00:02:51,180 --> 00:02:56,090
and then Saavedra in between wildcards.

54
00:02:56,090 --> 00:02:58,450
Now, what I want to highlight is

55
00:02:58,450 --> 00:03:01,230
what the application is actually sending to the database.

56
00:03:01,230 --> 00:03:04,380
So all that SELECT statement that I'm showing on the screen,

57
00:03:04,380 --> 00:03:06,130
or that I'm highlighting on the screen,

58
00:03:06,130 --> 00:03:10,340
is the one that actually is sent from the application

59
00:03:10,340 --> 00:03:14,980
to the database, and the user should not see that request;

60
00:03:14,980 --> 00:03:17,620
the only thing that the user can do

61
00:03:17,620 --> 00:03:22,620
is enter the word Saavedra in the input of a web form.

62
00:03:22,714 --> 00:03:25,860
So that's why we actually want to manipulate.

63
00:03:25,860 --> 00:03:29,562
We want to supply crafted input

64
00:03:29,562 --> 00:03:32,630
in an attempt to make the original SQL statement

65
00:03:32,630 --> 00:03:35,620
execute further actions in the database.

66
00:03:35,620 --> 00:03:39,660
So SQL injections can actually be done using

67
00:03:39,660 --> 00:03:44,193
user-supplied strings, or numeric inputs as well.
68
00:03:45,160 --> 00:03:46,760
In this demonstration, basically,

69
00:03:46,760 --> 00:03:47,593
I'm actually using

70
00:03:47,593 --> 00:03:51,300
the WebGoat intentionally vulnerable application,

71
00:03:51,300 --> 00:03:56,300
and I'm demonstrating how I can inject, you know,

72
00:03:56,450 --> 00:03:59,740
my own SQL statement, in this case, actually, a Boolean

73
00:03:59,740 --> 00:04:04,730
SQL syntax, where the string Smith

74
00:04:05,720 --> 00:04:08,270
is followed by a single quote

75
00:04:09,660 --> 00:04:12,090
and then after that, followed by an OR statement,

76
00:04:12,090 --> 00:04:15,830
that's an SQL OR statement, followed by one equals one,

77
00:04:15,830 --> 00:04:19,200
and one equals one is basically true equals true.

78
00:04:19,200 --> 00:04:20,981
And that actually causes the application,

79
00:04:20,981 --> 00:04:23,840
and more specifically the database,

80
00:04:23,840 --> 00:04:25,620
to reply back to the application

81
00:04:25,620 --> 00:04:28,800
and display all records in that database table

82
00:04:28,800 --> 00:04:30,470
to the attacker.

83
00:04:30,470 --> 00:04:33,110
Now another example that I'm actually showing you here

84
00:04:33,110 --> 00:04:36,200
is, in this case, using a numeric input

85
00:04:36,200 --> 00:04:37,990
to cause the vulnerable application

86
00:04:37,990 --> 00:04:39,850
to dump the database tables,

87
00:04:39,850 --> 00:04:41,763
as I'm actually showing on the screen.

88
00:04:42,740 --> 00:04:44,950
Now in many cases, you can actually even use

89
00:04:44,950 --> 00:04:49,700
comment delimiters or any other type of inputs, right,

90
00:04:49,700 --> 00:04:54,700
as well as other SQL keywords, including AND and OR,

91
00:04:55,430 --> 00:05:00,350
or simply test applications with a single quote.
92
00:05:00,350 --> 00:05:02,790
And as a matter of fact, manual pen-testers,

93
00:05:02,790 --> 00:05:06,180
just to basically test and do a quick test

94
00:05:06,180 --> 00:05:07,480
of an application and make sure

95
00:05:07,480 --> 00:05:09,800
that there's no SQL injection,

96
00:05:09,800 --> 00:05:11,950
people actually start by adding a single quote

97
00:05:11,950 --> 00:05:15,550
or a semicolon to the field parameter in a web form.

98
00:05:15,550 --> 00:05:18,450
That single quote is actually used in SQL

99
00:05:18,450 --> 00:05:20,200
as a string terminator.

100
00:05:20,200 --> 00:05:22,370
So if the application doesn't filter it,

101
00:05:22,370 --> 00:05:24,210
then you may be able to retrieve records

102
00:05:24,210 --> 00:05:27,073
or additional information, like error messages,

103
00:05:27,073 --> 00:05:30,260
that can actually help you enhance your query

104
00:05:30,260 --> 00:05:33,253
or your statement and do other types of attacks.

105
00:05:34,650 --> 00:05:38,170
Now there are different SQL injection categories.

106
00:05:38,170 --> 00:05:41,320
SQL injection attacks can be divided into

107
00:05:41,320 --> 00:05:43,920
in-band SQL injection, basically,

108
00:05:43,920 --> 00:05:46,400
that's the type of injection where the attacker

109
00:05:46,400 --> 00:05:49,460
obtains the data by using the same channel

110
00:05:49,460 --> 00:05:52,570
that is actually using the SQL code.

111
00:05:52,570 --> 00:05:55,430
And this is actually the most basic form of SQL injection

112
00:05:55,430 --> 00:05:57,980
out there, and that's where the data is actually

113
00:05:57,980 --> 00:06:01,570
dumped directly in a web application or webpage.

114
00:06:01,570 --> 00:06:05,010
Then you also have out-of-band SQL injection,

115
00:06:05,010 --> 00:06:06,430
and that's actually a type of injection

116
00:06:06,430 --> 00:06:11,240
where the attacker retrieves data using a different channel.
117
00:06:11,240 --> 00:06:14,840
So, for example, it can be an email, a text

118
00:06:14,840 --> 00:06:19,370
or an instant message that can be sent by the attacker,

119
00:06:19,370 --> 00:06:23,010
or to the attacker rather, with the results of the query,

120
00:06:23,010 --> 00:06:24,770
or the attacker actually may be able to send

121
00:06:24,770 --> 00:06:27,340
the compromised data to another web server,

122
00:06:27,340 --> 00:06:30,060
another system and so on.

123
00:06:30,060 --> 00:06:35,060
Then you also have blind or inferential SQL injection.

124
00:06:35,260 --> 00:06:37,800
And this type of SQL injection

125
00:06:37,800 --> 00:06:39,760
is the one where actually the attacker

126
00:06:39,760 --> 00:06:44,760
does not make the application display or transfer any data,

127
00:06:44,850 --> 00:06:47,620
thus the name blind SQL injection.

128
00:06:47,620 --> 00:06:50,300
Instead, basically, the attacker is able

129
00:06:50,300 --> 00:06:53,020
to reconstruct the information

130
00:06:53,020 --> 00:06:56,320
by sending specific SQL statements

131
00:06:56,320 --> 00:06:58,300
and also by discerning the behavior

132
00:06:58,300 --> 00:07:00,683
of the application and the database.

133
00:07:01,630 --> 00:07:03,500
Now there are several techniques that can be used

134
00:07:03,500 --> 00:07:06,190
to exploit SQL injection vulnerabilities.

135
00:07:06,190 --> 00:07:09,501
You have union operators; this actually typically is used

136
00:07:09,501 --> 00:07:13,100
when a SQL injection vulnerability allows a SELECT statement

137
00:07:13,100 --> 00:07:17,050
to combine two queries in a single result

138
00:07:17,050 --> 00:07:19,340
or a set of results.

139
00:07:19,340 --> 00:07:22,430
Then you also have Boolean, which is actually used to verify

140
00:07:22,430 --> 00:07:25,510
whether a certain condition is true or false.

141
00:07:25,510 --> 00:07:30,510
And that's the example that we went over a few minutes ago.
142
00:07:31,140 --> 00:07:33,730
You also have the error-based technique.

143
00:07:33,730 --> 00:07:36,000
And this is actually used to force a database

144
00:07:36,000 --> 00:07:39,650
to generate some type of error in order to enhance

145
00:07:39,650 --> 00:07:42,600
and refine the attack or the injection.

146
00:07:42,600 --> 00:07:45,550
You also have out-of-band techniques.

147
00:07:45,550 --> 00:07:48,470
And this is basically used to obtain records

148
00:07:48,470 --> 00:07:52,620
from the database by using a different channel.

149
00:07:52,620 --> 00:07:53,910
Remember that out-of-band is actually

150
00:07:53,910 --> 00:07:57,560
by using a different channel, like making an HTTP connection

151
00:07:57,560 --> 00:08:00,900
to send the results to a different web server

152
00:08:00,900 --> 00:08:04,470
or a local machine that is actually running a web service.

153
00:08:04,470 --> 00:08:08,060
Then you also have the time delay technique.

154
00:08:08,060 --> 00:08:10,660
It is possible to actually use database commands

155
00:08:10,660 --> 00:08:14,250
to delay answers from the server.

156
00:08:14,250 --> 00:08:18,300
And basically, an attacker may use this type of technique

157
00:08:18,300 --> 00:08:23,300
whenever he or she doesn't get any output or error messages

158
00:08:23,400 --> 00:08:25,370
from the application.

159
00:08:25,370 --> 00:08:27,590
And of course, you can actually combine

160
00:08:27,590 --> 00:08:30,710
any of these techniques that I actually mentioned.

161
00:08:30,710 --> 00:08:34,320
For example, you may use the union operator

162
00:08:34,320 --> 00:08:38,343
and the out-of-band techniques to perform an attack.

163
00:08:38,343 --> 00:08:41,490
Now I'm gonna go over a different example

164
00:08:41,490 --> 00:08:44,030
on how you can actually use different tools

165
00:08:44,030 --> 00:08:47,190
like the Burp Suite and sqlmap

166
00:08:47,190 --> 00:08:49,450
to find SQL vulnerabilities.
167
00:08:49,450 --> 00:08:52,130
Basically, in this screen, I actually have

168
00:08:52,130 --> 00:08:55,710
the Burp Suite tool, and I'm actually gonna be using it

169
00:08:55,710 --> 00:08:59,230
as a proxy to intercept the transactions

170
00:08:59,230 --> 00:09:02,920
between my web browser and the web application

171
00:09:02,920 --> 00:09:04,370
or the web server.

172
00:09:04,370 --> 00:09:07,090
In this case, I'm actually turning on intercept;

173
00:09:07,090 --> 00:09:10,830
then my browser is actually configured already

174
00:09:10,830 --> 00:09:14,592
to send all traffic to the proxy.

175
00:09:14,592 --> 00:09:16,710
So I'm skipping those steps in here.

176
00:09:16,710 --> 00:09:20,450
However, once I actually navigate, in this case,

177
00:09:20,450 --> 00:09:23,710
to the Damn Vulnerable Web Application or DVWA,

178
00:09:23,710 --> 00:09:26,130
on the SQL injection, basically,

179
00:09:26,130 --> 00:09:30,360
I am just typing my name in this form.

180
00:09:30,360 --> 00:09:33,400
I am submitting that to the application,

181
00:09:33,400 --> 00:09:37,260
and as you can see, in Burp, my transaction,

182
00:09:37,260 --> 00:09:40,340
the GET transaction, the GET request, rather,

183
00:09:40,340 --> 00:09:43,550
with the id=omar is actually being sent

184
00:09:43,550 --> 00:09:45,510
to the web application.

185
00:09:45,510 --> 00:09:47,180
In this case, what I'm doing is actually

186
00:09:47,180 --> 00:09:50,250
I'm highlighting that GET request

187
00:09:50,250 --> 00:09:52,600
and I'm sending that, or saving that,

188
00:09:52,600 --> 00:09:56,250
to a file called SQL test.

189
00:09:56,250 --> 00:09:57,830
In my example, I already have a file

190
00:09:57,830 --> 00:09:59,570
that actually was called SQL test,

191
00:09:59,570 --> 00:10:01,410
so I'm overwriting that file.
192
00:10:01,410 --> 00:10:05,510
Now that I have created that file with the GET request

193
00:10:05,510 --> 00:10:09,680
from Burp, I'm gonna be using a tool in the command line

194
00:10:09,680 --> 00:10:11,520
called sqlmap.

195
00:10:11,520 --> 00:10:14,700
So I'm launching that tool with a -r option

196
00:10:14,700 --> 00:10:16,770
to read the file,

197
00:10:16,770 --> 00:10:18,700
followed by the file that I created,

198
00:10:18,700 --> 00:10:20,890
and then at the end, I'm gonna type --dbs

199
00:10:22,480 --> 00:10:26,240
to enumerate any databases that the tool can actually,

200
00:10:26,240 --> 00:10:28,473
you know, enumerate in that application.

201
00:10:29,410 --> 00:10:31,330
So in this case, as you actually can see,

202
00:10:31,330 --> 00:10:36,070
the tool is actually running, basically, within seconds.

203
00:10:36,070 --> 00:10:38,600
It already is telling me that the backend database

204
00:10:38,600 --> 00:10:41,430
looks to be a MySQL statement.

205
00:10:41,430 --> 00:10:44,610
It asked me if I want to skip the test payloads

206
00:10:44,610 --> 00:10:46,600
specific for other databases;

207
00:10:46,600 --> 00:10:49,510
in this case, since I know that it's MySQL server,

208
00:10:49,510 --> 00:10:51,340
I'm gonna say yes.

209
00:10:51,340 --> 00:10:54,160
And then it actually asked me if I want to

210
00:10:54,160 --> 00:10:56,920
include all the other tests for MySQL,

211
00:10:56,920 --> 00:10:59,110
so in that case, I say yes.

212
00:10:59,110 --> 00:11:01,820
And as you see, the tool is actually running

213
00:11:01,820 --> 00:11:06,100
and was able to, within seconds,

214
00:11:06,100 --> 00:11:08,180
enumerate different databases.

215
00:11:08,180 --> 00:11:10,310
Now there's a database called dvwa;

216
00:11:10,310 --> 00:11:12,730
that's the one that we are interested in.
217
00:11:12,730 --> 00:11:15,180
The other three are the information schema,

218
00:11:15,180 --> 00:11:17,900
the MySQL database and the performance schema

219
00:11:17,900 --> 00:11:20,083
that come by default with MySQL.

220
00:11:20,980 --> 00:11:23,530
So now that we know the database, what I'm going to do

221
00:11:23,530 --> 00:11:26,570
is I'm gonna use exactly the same tool, sqlmap,

222
00:11:26,570 --> 00:11:28,420
I'm gonna read the same file,

223
00:11:28,420 --> 00:11:31,180
and I'm gonna dump all the contents

224
00:11:31,180 --> 00:11:34,440
of the database that I can encounter, right.

225
00:11:34,440 --> 00:11:38,140
So the cool thing about this tool, as you can actually see,

226
00:11:38,140 --> 00:11:41,950
is that within seconds it was actually able to determine

227
00:11:41,950 --> 00:11:45,260
that there is some table within that database

228
00:11:45,260 --> 00:11:46,710
that is called users.

229
00:11:46,710 --> 00:11:50,300
And it appears that the tool recognized

230
00:11:50,300 --> 00:11:54,720
some possible password hashes in a column called password.

231
00:11:54,720 --> 00:11:58,400
So it even asked me, "Hey, do you want to store these hashes

232
00:11:58,400 --> 00:12:01,030
on a temporary file for eventually,

233
00:12:01,030 --> 00:12:03,390
I mean, for further processing with other tools."

234
00:12:03,390 --> 00:12:05,500
In this case, I'm actually saying yes.

235
00:12:05,500 --> 00:12:09,700
And also it has the capability to perform

236
00:12:09,700 --> 00:12:11,150
a dictionary-based attack

237
00:12:11,150 --> 00:12:13,760
to actually crack those passwords.

238
00:12:13,760 --> 00:12:17,280
So just to go with the flow, I'm gonna say yes,

239
00:12:17,280 --> 00:12:19,010
to crack those passwords.

240
00:12:19,010 --> 00:12:23,390
And as you see, actually it's using a default word list

241
00:12:23,390 --> 00:12:27,250
to perform that dictionary attack, and, you know,

242
00:12:27,250 --> 00:12:28,860
a brute force attack.
243
00:12:28,860 --> 00:12:30,850
And, you know, of course, it's actually asking me

244
00:12:30,850 --> 00:12:33,590
if I want to use the common password suffixes.

245
00:12:33,590 --> 00:12:35,200
And I say yes.

246
00:12:35,200 --> 00:12:39,550
And as you can see, the tool not only was actually able

247
00:12:39,550 --> 00:12:42,650
to dump the contents of different tables in here,

248
00:12:42,650 --> 00:12:47,450
but was also able to crack the passwords of these users.

249
00:12:47,450 --> 00:12:50,670
So you have the admin account.

250
00:12:50,670 --> 00:12:52,770
So if I own an account called admin,

251
00:12:52,770 --> 00:12:54,870
and the password is password,

252
00:12:54,870 --> 00:12:57,110
you also have another one called gordonb;

253
00:12:57,110 --> 00:12:58,980
the password is abc123.

254
00:12:58,980 --> 00:13:00,950
And you see the other ones here.

255
00:13:00,950 --> 00:13:03,280
Now the other thing that you actually see

256
00:13:03,280 --> 00:13:07,130
is the guest book, a database, or a table rather,

257
00:13:07,130 --> 00:13:12,130
in the dvwa database and the content of that, you know,

258
00:13:12,180 --> 00:13:15,260
that table with three entries on the screen.

259
00:13:15,260 --> 00:13:16,650
So as you can see, this is actually

260
00:13:16,650 --> 00:13:19,490
a very, very, very powerful tool.

261
00:13:19,490 --> 00:13:22,380
But one thing that actually I want to highlight in here

262
00:13:22,380 --> 00:13:26,390
is that these tools are actually using the same mechanisms

263
00:13:26,390 --> 00:13:27,910
that I explained to you before:

264
00:13:27,910 --> 00:13:29,550
they're actually using union queries,

265
00:13:29,550 --> 00:13:31,600
they're using time-based attacks,

266
00:13:31,600 --> 00:13:33,410
they're using many different techniques

267
00:13:33,410 --> 00:13:35,420
to find SQL injection.
268
00:13:35,420 --> 00:13:39,880
So for you to become better familiar

269
00:13:39,880 --> 00:13:43,530
with all these techniques, yes, you can run these tools,

270
00:13:43,530 --> 00:13:46,800
but what I will strongly suggest is for you

271
00:13:46,800 --> 00:13:50,720
to also become familiar with those strings

272
00:13:50,720 --> 00:13:52,160
that you see on the screen

273
00:13:52,160 --> 00:13:54,390
and what they are actually used for, right.

274
00:13:54,390 --> 00:13:58,773
So practice, practice, practice, but also understand

275
00:13:58,773 --> 00:14:01,070
what the actual tools are doing

276
00:14:01,070 --> 00:14:04,970
and what the underlying flaws are within the database.

277
00:14:04,970 --> 00:14:07,390
Now, one last thing that I want to highlight

278
00:14:07,390 --> 00:14:09,750
is the mitigations for these.

279
00:14:09,750 --> 00:14:14,210
At the end of the day, SQL injection is an input validation,

280
00:14:14,210 --> 00:14:15,570
you know, type of vulnerability, right?

281
00:14:15,570 --> 00:14:18,210
So you have to sanitize input.

282
00:14:18,210 --> 00:14:21,850
Many different frameworks already provide a lot of support

283
00:14:21,850 --> 00:14:26,850
and, you know, functionality to filter invalid transactions

284
00:14:26,850 --> 00:14:31,620
and, you know, potentially block attackers

285
00:14:31,620 --> 00:14:34,360
that are trying to actually do what I'm teaching you here,

286
00:14:34,360 --> 00:14:37,080
trying to put a single quote, trying to escape

287
00:14:37,080 --> 00:14:39,380
and put their own SQL statements, right.

288
00:14:39,380 --> 00:14:41,500
So at the end of the day, always remember

289
00:14:41,500 --> 00:14:45,640
that the mitigation is gonna be input validation.

290
00:14:45,640 --> 00:14:49,190
Especially for things like SQL injection, command injection,

291
00:14:49,190 --> 00:14:51,040
and many of the other vulnerabilities

292
00:14:51,040 --> 00:14:53,290
that you're gonna be learning in this course.
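Added example (not part of the course transcript or the instructor's material): a small Python script that puts the lecture's two halves side by side, the customers/ContactName LIKE lookup and the Boolean "Smith' OR 1=1" input, then the mitigation. It uses an in-memory SQLite table with constructed rows, so it runs offline; the table, the rows, the function names and the allow-list pattern are assumptions for illustration. It shows the concatenated query returning every row and leaking an engine error message on a lone single quote, while the parameterized query treats the same input as a plain value, and an input-validation check rejects it before any query runs.

```python
import re
import sqlite3

# Constructed sample data: a tiny "customers" table like the one in the lecture.
SAMPLE_ROWS = [
    ("Omar Saavedra",),
    ("John Smith",),
    ("Ana Gordon",),
]

# Allow-list for a contact-name search field (assumed policy for this example):
# letters, spaces, apostrophes, dots and hyphens, at most 64 characters.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z' .-]{0,63}")


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (ContactName TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The flawed pattern: user input is pasted into the SQL text, so a quote
    in the input ends the string literal and the rest becomes SQL syntax."""
    sql = "SELECT ContactName FROM customers WHERE ContactName LIKE '%" + name + "%'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the statement is fixed and the input is bound as a
    value, so quotes, OR, comment delimiters and so on are just characters."""
    sql = "SELECT ContactName FROM customers WHERE ContactName LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + name + "%",))]


def is_valid_name(name: str) -> bool:
    """Input validation as defence in depth: reject anything outside the allow-list."""
    return NAME_PATTERN.fullmatch(name) is not None


def run_comparison(user_input: str) -> dict:
    """Feed one user input through the validator and both lookups and report
    what each did. A database error from the vulnerable path is captured as
    text, because that error text is the kind of leak the lecture describes."""
    conn = make_db()
    try:
        vulnerable = ("rows", sorted(lookup_vulnerable(conn, user_input)))
    except sqlite3.OperationalError as exc:
        vulnerable = ("error", str(exc))
    safe = ("rows", sorted(lookup_safe(conn, user_input)))
    conn.close()
    return {"validated": is_valid_name(user_input), "vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    # Three inputs: a legitimate search, the lecture's Boolean payload (with a
    # comment delimiter so the trailing quote is swallowed), and a lone quote.
    for text in ("Saavedra", "Smith' OR 1=1 --", "'"):
        print(repr(text), "->", run_comparison(text))
```

On the legitimate input both lookups return the one matching row. For the Boolean payload the concatenated statement becomes `... LIKE '%Smith' OR 1=1 --%'`, the `1=1` makes the WHERE clause true for every row, and the comment delimiter hides the dangling quote; the parameterized version searches for that literal text and returns nothing. For the single quote the concatenated version raises `sqlite3.OperationalError`, which is exactly the error-message signal a manual tester looks for; the parameterized version again returns an empty result, and the allow-list rejects both crafted inputs before a query is built.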