[00:00:06 --> 00:01:08] [Instructor] Let's go over some of the most popular SQL injection tools that pen testers use in the industry. Basically, I have a list of those popular tools in my GitHub repository. So if you go under web_application_testing you will see a markdown page called SQL-injection-tools that I'm highlighting here. And this is not a complete list or an exhaustive list, but these are definitely some of the top most popular SQL injection tools that pen testers use nowadays. Now I'm gonna be using some of these tools, especially SQLmap, and in combination with others like Burp Suite. And talking about tools, hacking is not about tools. It's about the methodology. It's about you thinking like the attacker and also demonstrating what an attacker can do before they actually find vulnerabilities that they can leverage. But at any rate, we know some of the tools that we're highlighting here start with SQLmap, jSQL Injection, BBQ, and yes, the name is BBQSQL.

[00:01:08 --> 00:02:29] There's also a tool that you can use to interact with NoSQL databases and find vulnerabilities that an attacker can manipulate and leverage to compromise a NoSQL database. And there are other tools like DSSS, explo, Blind SQL injection via Bitshifting and Blisqy. So let's actually go and see some of these tools in action. So what I'm going to do, so I'm gonna go to Burp, I'm gonna go under Proxy and then I'm gonna open the built-in browser just to make it easy here. And then all the transactions between my browser and the web applications will be intercepted by the proxy. And I'm gonna log in to the popular DVWA, intentionally vulnerable application. And I'm typing the default username and password, which is admin and password. I'm going to make sure that the security level is not set to impossible. If you leave it as impossible, that means that all the vulnerabilities are actually fixed. So I'm gonna set that to low, to make the intentionally vulnerable application vulnerable. Now I'm gonna navigate to SQL Injection. And as you see in here, we have a form that you can put any information in, and under the user ID I'm entering my name.

[00:02:29 --> 00:03:40] And then I'm gonna go back to Burp Suite, turn on Intercept so I can intercept the transactions between the browser and the web application. I'm gonna click submit, and then as you can see, the proxy was actually able to intercept that transaction. You actually see the ID equals omar. So my name, and then of course you see that we actually submitted this, or we attempted to submit this to the web application. The proxy actually intercepted that transaction, that GET request. I am not gonna modify these transactions, or this GET request in here. What I'm going to do is I'm gonna highlight everything. I'm gonna right-click on it. And I'm gonna copy this to a file. And then in my home directory I'm basically going to name this sql-test. And as a matter of fact, I actually already have a file called sql-test.txt. I'm gonna overwrite that file. Now I'm gonna open a terminal window and I'm gonna show you the contents of that file that we just created, just so you can see that, of course, it's actually stored in this file.

[00:03:40 --> 00:04:57] And what we're gonna be doing is actually we're gonna be using the SQL map or sqlmap tool, and we are gonna read the contents of that file that we just created. And first I'm gonna try to enumerate the type of database and also any types of database names that we can potentially enumerate using the --dbs option. So if I launch that, you see that right away it actually tells you that the database may actually be a MySQL database. And basically the tool is asking us if we want to skip the test payloads for all the databases. And in this case, I'm actually gonna say yes, which is the default in there. And right away, you actually are seeing that the tool is interacting with the application in an automated fashion. And it's actually trying to determine the type of database and doing a few of the attacks. Like for example, you see UNION queries; you're gonna see in a few minutes a few other types of techniques that it is actually trying to send to the application to cause either some error messages or to obtain additional information about the underlying system.

[00:04:57 --> 00:06:10] Now it asks if you want to actually keep testing for any other types of implementations. We already know that it's a MySQL database, so I'm actually gonna be selecting no in here. Now right away, it actually found four databases. So you see here DVWA, information_schema, mysql and performance_schema. Now information_schema, mysql and performance_schema, they're all the built-in databases that come by default with MySQL. So the one that we did not know existed is the DVWA database. So that's the underlying database in the DVWA application. We probably could have guessed it because, you know, the name of course is very intuitive. However, we didn't know that that was actually the actual name itself. Now the tool itself was able to enumerate a few other things, like the Linux operating system, and it is running an old version of Debian. It's also running an old version of Apache httpd server. So the underlying web server is Apache 2.4.10, a very old version, and also a very old version of MySQL.

[00:06:10 --> 00:07:22] Now, if you scroll up, this is what I want you to pay attention to: the different types of payloads that it actually sent to the application to basically be able to determine and to enumerate these databases, right? So the first one is a boolean-based blind SQL injection. And remember, in the previous lessons we were going over a few examples of Boolean statements, where two numbers were evaluated against themselves to cause a true statement. Well, you see that in action here. You also see an error-based payload trying to cause different error messages, so it can enumerate probably the type of database. And that's what it actually did in here. And other types of information. Now you also see another query which is a time-based blind SQL injection. And in this case you see the sleep statement to basically cause the database to wait for x amount of time, in this case for five seconds. And then the attacker is actually able to do further enumeration as well. Now the UNION query is the last one.

[00:07:22 --> 00:08:37] And remember in the previous lesson when we were going over all the different methodologies, and UNION queries is basically one of the methodologies that attackers can use to concatenate other SQL statements, just like it's actually doing right now, in an automated fashion of course, and this is causing additional behavior in the web application and the database that the attacker can then leverage to reveal information, just like we did a few seconds ago. Now that we know that the database is called DVWA, we can basically use the same exact tool, so we can use exactly the same file to read that GET request, to send that GET request to the application. But in this case, what we're gonna be doing is we're gonna specify the database name by using the uppercase D option. So dash uppercase D and then the name of the database, which is DVWA. And then we are actually gonna be trying to dump everything that the tool can actually find. So in this case, I'm using the dump all option. Right away it basically went over different payloads, as you saw in here, and it found a table, it found a table called users.

[00:08:37 --> 00:09:43] And that table appears to have a column called passwords that may be possible password hashes that you can potentially save in a different file for other tools, to potentially crack the passwords with other tools like Hashcat or John the Ripper, and some of the other tools that you learn in this course. Now, in this case, of course, we can actually save that to a different file. It saves it to a temporary file and you see the location here. And also the tool itself, so SQLmap, comes with functionality that is able to crack those passwords. Of course, depending on the compute power and many different factors, like the effectiveness of the word list that it's actually gonna be using, and there's a built-in word list that you're gonna see in a second. And of course the compute power and the password complexity and so on, right? This can take anywhere between seconds, minutes, days, weeks, months, or never. However, in this case, these are very, very simple passwords that the application is actually using.

[00:09:43 --> 00:10:41] And of course, this is a fictitious environment and I'm gonna say yes to crack them automatically. And you see that it's actually using a built-in word list that comes with the tool, or you can select a custom dictionary file or a custom word list, right? In this case I'm actually just gonna select number one to use the default one, or I could have actually just pressed enter, right? And then it says, do you want to use the common password suffixes, maybe slow? In this case, I'm actually just gonna use the default one. And you see that right away it is actually determining the hashes and it's cracking the passwords. And wow, that was actually fairly fast. Let me scroll up a little bit so you can see some of the results, but this was the hash for one of the passwords. The password was abc123, this is another one. The other passwords were charley, letmein and password. That's why it didn't take that long to, of course, crack those passwords.

[00:10:41 --> 00:11:47] Now, in this case, you also see a table, the table of the users, and the formatting is a little bit challenging here. I'll make it just a little bit tinier so you can see it on the screen. Probably actually that's even worse. Let me make it a little bit bigger then. But the admin user, the password is actually password. There's another user called Gordon Brown and the password is abc. There's another one called Hack Me and the password is charley. There's another one called Pablo Picasso. The password is letmein. And Bob Smith, and the password is password. Now, if you keep going down below, this is basically another database table that it was actually able to dump, and we were able to actually dump all the records. So think about that. This may be a sensitive table containing some personally identifiable information or some critical data in a system. And just like this, there have been many different breaches in the industry because of SQL injection attacks like this one, right?

[00:11:47 --> 00:12:38] Now in this case it was actually the guestbook application, or the guestbook table that is used by the guestbook application within DVWA. And as a matter of fact, you notice that one of the entries in this table is the script tags, or the script payloads, that we used in the cross-site scripting example previously in this course. So remember that we were going over stored cross-site scripting. Well, you actually see that the payload is stored in the database. And we were able to retrieve that using and leveraging an SQL injection attack. So again, these are very popular tools that you can use in combination to find and exploit SQL injection vulnerabilities.