1
00:00:06,760 --> 00:00:08,330
- Let's go over a quick introduction

2
00:00:08,330 --> 00:00:12,040
of what SQL injection is.

3
00:00:12,040 --> 00:00:13,350
Basically what it is,

4
00:00:13,350 --> 00:00:17,150
is an input validation vulnerability in a web application,

5
00:00:17,150 --> 00:00:19,360
where if you have a web application

6
00:00:22,720 --> 00:00:26,080
and you do not sanitize input from a user,

7
00:00:26,080 --> 00:00:29,520
basically that user or that attacker

8
00:00:29,520 --> 00:00:34,370
can potentially inject their own SQL statement

9
00:00:34,370 --> 00:00:37,240
to then manipulate a database,

10
00:00:37,240 --> 00:00:39,480
and basically in that database,

11
00:00:39,480 --> 00:00:40,900
either modify records,

12
00:00:40,900 --> 00:00:44,610
retrieve records that he or she should not have access to,

13
00:00:44,610 --> 00:00:46,000
or delete data, right?

14
00:00:46,000 --> 00:00:49,080
Drop tables, in other words, delete a table of the database,

15
00:00:49,080 --> 00:00:50,010
and so on.

16
00:00:50,010 --> 00:00:52,180
Now, SQL injection happens

17
00:00:52,180 --> 00:00:57,180
in both relational databases and NoSQL databases as well.

18
00:00:58,380 --> 00:01:01,590
Now, in order for you to understand what SQL injection is,

19
00:01:01,590 --> 00:01:04,860
first let's actually take a look at a database, right?

20
00:01:04,860 --> 00:01:09,860
What I'm using here is the W3Schools Try SQL tool.

21
00:01:12,400 --> 00:01:13,280
It's a free tool,

22
00:01:13,280 --> 00:01:16,180
you have the link here on your screen

23
00:01:16,180 --> 00:01:18,040
and you can interact with the database.

24
00:01:18,040 --> 00:01:20,570
It has different tables as you can see,

25
00:01:20,570 --> 00:01:23,150
one called Customers, another one called Categories,

26
00:01:23,150 --> 00:01:25,000
Employees, and so on.

27
00:01:25,000 --> 00:01:27,520
So from this table,

28
00:01:27,520 --> 00:01:31,090
you see that it has 10 records of 10 employees,

29
00:01:31,090 --> 00:01:33,440
I can do things like filtering, right?

30
00:01:33,440 --> 00:01:37,620
I can filter by FirstName, by this field,

31
00:01:37,620 --> 00:01:38,810
and let's say I actually filter

32
00:01:38,810 --> 00:01:40,500
just for the record of Nancy.

33
00:01:40,500 --> 00:01:41,560
So for that,

34
00:01:41,560 --> 00:01:44,470
I can do SELECT * FROM Employees

35
00:01:44,470 --> 00:01:49,470
WHERE FirstName LIKE '%Nancy%'

36
00:01:51,220 --> 00:01:53,480
And if I run that SQL statement,

37
00:01:53,480 --> 00:01:56,520
of course, it only gives me one record, right?

38
00:01:56,520 --> 00:01:59,020
So, you know, the application is actually doing

39
00:01:59,020 --> 00:02:01,490
all of this behind the scenes, right?

40
00:02:01,490 --> 00:02:03,450
All of this SELECT statement,

41
00:02:03,450 --> 00:02:05,100
so the SELECT * FROM Employees

42
00:02:05,100 --> 00:02:06,990
WHERE FirstName LIKE,

43
00:02:06,990 --> 00:02:09,030
and then including the single quote.

44
00:02:09,030 --> 00:02:10,340
Of course, I'm doing a wildcard here

45
00:02:10,340 --> 00:02:12,750
to match anything that matches Nancy.

46
00:02:12,750 --> 00:02:16,390
But all of this that I'm highlighting on the screen here

47
00:02:16,390 --> 00:02:18,840
is sent from the application

48
00:02:18,840 --> 00:02:21,210
directly to the database

49
00:02:24,950 --> 00:02:27,180
without, you know, the user knowing, right?

50
00:02:27,180 --> 00:02:29,000
The user should not know that.

51
00:02:29,000 --> 00:02:32,410
Now this here, the word "Nancy",

52
00:02:32,410 --> 00:02:36,430
think of this as probably something like a hidden field

53
00:02:36,430 --> 00:02:38,630
or in a form, some input field

54
00:02:38,630 --> 00:02:41,070
where you actually enter the name,

55
00:02:41,070 --> 00:02:42,450
you know, or a search,

56
00:02:42,450 --> 00:02:46,000
and then if the attacker is actually able

57
00:02:46,000 --> 00:02:47,480
not only to enter some data there

58
00:02:47,480 --> 00:02:52,480
but escape and then add their own SQL statement,

59
00:02:58,810 --> 00:03:01,500
then he or she can potentially manipulate the application

60
00:03:01,500 --> 00:03:03,440
to get access to the database,

61
00:03:03,440 --> 00:03:07,350
or erase data from the database and so on.

62
00:03:07,350 --> 00:03:10,290
And whenever I mention escape, you know,

63
00:03:10,290 --> 00:03:12,340
I can do a single quote,

64
00:03:12,340 --> 00:03:14,170
and then something like,

65
00:03:14,170 --> 00:03:15,693
OR 1=1,

66
00:03:17,756 --> 00:03:19,985
and then of course send that to the database,

67
00:03:19,985 --> 00:03:21,300
and then you see that, of course, you know,

68
00:03:21,300 --> 00:03:24,260
I'm receiving all the information from the database.

69
00:03:24,260 --> 00:03:27,240
Now, of course, this is a fictitious database.

70
00:03:27,240 --> 00:03:32,113
What I can do is I can go over a specific application,

71
00:03:33,080 --> 00:03:34,780
and in this case,

72
00:03:34,780 --> 00:03:39,780
I'm gonna navigate to an application called DVWA

73
00:03:39,880 --> 00:03:42,450
or the Damn Vulnerable Web Application.

74
00:03:42,450 --> 00:03:44,540
It's an intentionally vulnerable application

75
00:03:44,540 --> 00:03:48,990
that I have running on top of WebSploit or WebSploit Labs.

76
00:03:48,990 --> 00:03:51,423
If you don't know what WebSploit Labs is,

77
00:03:51,423 --> 00:03:54,080
I have mentioned it a few times in this course,

78
00:03:54,080 --> 00:03:56,433
but if you go to websploit.org,

79
00:03:57,470 --> 00:03:59,920
basically I have a learning environment

80
00:03:59,920 --> 00:04:03,280
that I created for many different cybersecurity trainings,

81
00:04:03,280 --> 00:04:06,740
books, video courses that I have written,

82
00:04:06,740 --> 00:04:10,120
and it has over 400 different exercises.

83
00:04:10,120 --> 00:04:13,370
And basically it is a series of scripts

84
00:04:13,370 --> 00:04:15,810
that will install tools that do not come

85
00:04:15,810 --> 00:04:18,610
with Kali Linux or Parrot OS.

86
00:04:18,610 --> 00:04:22,100
So basically, first you install Kali or Parrot in a VM,

87
00:04:22,100 --> 00:04:24,070
and then you run a command

88
00:04:24,070 --> 00:04:26,410
to install a whole bunch of different tools,

89
00:04:26,410 --> 00:04:29,490
and also different Docker containers

90
00:04:29,490 --> 00:04:32,170
that have intentionally vulnerable applications.

91
00:04:32,170 --> 00:04:33,640
Now, in this case,

92
00:04:33,640 --> 00:04:34,870
what I'm doing is I'm navigating

93
00:04:34,870 --> 00:04:38,430
to one of these intentionally vulnerable applications, right?

94
00:04:38,430 --> 00:04:40,170
Now, by default,

95
00:04:40,170 --> 00:04:43,370
the setting for the security level in DVWA

96
00:04:43,370 --> 00:04:45,270
is set to "Impossible".

97
00:04:45,270 --> 00:04:48,327
So if I go to DVWA Security,

98
00:04:48,327 --> 00:04:52,870
"Impossible" means that all the vulnerabilities are fixed.

99
00:04:52,870 --> 00:04:54,050
So what we want to do

100
00:04:54,050 --> 00:04:56,160
is either play with "Low", "Medium" or "High".

101
00:04:56,160 --> 00:04:58,307
And "Low" is for low complexity,

102
00:04:58,307 --> 00:04:59,710
"Medium" for medium complexity

103
00:04:59,710 --> 00:05:02,037
and "High" is for high complexity,

104
00:05:02,037 --> 00:05:04,440
"Impossible" means that it's actually fixed.

105
00:05:04,440 --> 00:05:07,620
Now, if I navigate to the SQL Injection section,

106
00:05:07,620 --> 00:05:09,870
I can do something similar.

107
00:05:09,870 --> 00:05:12,120
And what I'm doing here is I'm putting a single quote

108
00:05:12,120 --> 00:05:16,710
to escape and inject my own SQL statement.

109
00:05:16,710 --> 00:05:17,700
And this statement

110
00:05:17,700 --> 00:05:22,160
is basically a Boolean SQL injection vector,

111
00:05:22,160 --> 00:05:25,600
where I put OR 1=1.

112
00:05:25,600 --> 00:05:27,710
And 1=1 equals True,

113
00:05:27,710 --> 00:05:29,170
so that's a true statement.

114
00:05:29,170 --> 00:05:31,320
If I submit this to the database,

115
00:05:31,320 --> 00:05:33,470
you see that it's actually allowing me

116
00:05:33,470 --> 00:05:37,120
to see all the records for all the different user IDs,

117
00:05:37,120 --> 00:05:40,210
so in this case, the user for admin,

118
00:05:40,210 --> 00:05:42,450
there's another user called Gordon Brown,

119
00:05:42,450 --> 00:05:44,200
another one called Hack Me,

120
00:05:44,200 --> 00:05:46,530
another one called Pablo Picasso,

121
00:05:46,530 --> 00:05:49,150
and another one called Bob Smith.

122
00:05:49,150 --> 00:05:50,490
In the next section,

123
00:05:50,490 --> 00:05:51,860
we're gonna go over a whole bunch

124
00:05:51,860 --> 00:05:54,000
of different types of SQL injection

125
00:05:54,000 --> 00:05:56,870
and also a lot of different payloads

126
00:05:56,870 --> 00:06:00,503
that you can use to launch SQL injection attacks.