0:03 hi everyone welcome back to another
0:06 video in the web security academy series
0:07 in the previous video we described the
0:10 theory behind sql injection attacks so
0:12 we covered what a sql injection is the
0:14 different types of sql injection
0:15 how they detect and exploit them and
0:17 then we ended the video with how to
0:19 prevent them i've added the link to the
0:21 previous video in the description if you
0:22 want to check it out
0:24 in today's video we'll be covering lab
0:27 number one of the sql injection module
0:29 in the web security academy if you do
0:30 not have an
0:33 account you can get one by visiting the
0:36 url portsweger.net
0:38 web security and clicking on the sign up
0:40 button now i already have an account
0:43 and i am logged in so to access the academy
0:44 academy
0:47 i'm going to click on academy
0:52 scroll down and select the
0:54 learning path this is the path that
0:56 portswigger recommends you follow when
0:58 learning about the topics
1:01 that the academy covers and this is the
1:02 path that we'll be following in our
1:07 videos so go down and select the first
1:10 option which is sql injection
1:13 we've already covered the theory portion
1:15 in the last video so we won't be
1:16 covering it again
1:18 in this video instead we'll jump right
1:20 ahead to the first lab
1:22 which is titled sql injection vulnerability
1:23 vulnerability
1:26 in the where clause allowing retrieval
1:31 now the way that the academy is
1:33 structured is it gives you a description
1:35 of the exercise it wants you to complete
1:37 and the vulnerability that it wants you
1:39 to exploit it also gives you the
1:40 solution we're not
1:41 going to look at that because we're
1:42 going to try to solve the solution on
1:43 our own
1:45 and then it gives you access to the lab environment
1:46 environment
1:49 to run the exploit
1:53 before we go ahead and look at the
1:55 apple at the vulnerable application
1:57 notice that i have a
2:00 text document on the right and the
2:02 reason i keep one is because i'm trying to
2:03 to
2:05 train myself to always keep notes when
2:06 it comes to pen testing engagements and
2:08 so we'll be doing that
2:11 in the videos as well
2:12 so let's look at the description this
2:14 lab contains a sql injection vulnerability
2:15 vulnerability
2:18 in the product category filter so that's important
2:18 important
2:21 sql injection vulnerability and it's in the
2:22 the
2:27 when the user selects a category the
2:30 application carries out a sql query like
2:31 the following
2:33 so it actually gives us the back-end sql
2:34 query that
2:38 gets executed which is great because we
2:39 know the structure of the query that
2:40 means we know
2:43 um how to automatically build our sql payload
2:44 payload
2:46 and we'll see that in a bit um and then
2:49 to solve the lab perform a sql injection
2:51 attack that causes the application to
2:52 display details of all
2:55 products in any category both released and
2:55 and
3:04 is to display all products regardless of
3:05 their category
3:08 uh both released
3:16 so what's likely happening is that the
3:18 application displays the release
3:20 products to the user however there are
3:21 unreleased products that are not
3:22 displayed to the public
3:24 and what we're going to try to do is
3:26 exploit the sql injection vulnerability
3:28 and display the unreleased products
3:32 so let's click on the link over here
3:37 shopping application and you could refine
3:38 refine
3:40 what you see depending on category so
3:42 there is one two three
3:46 four one two three three times four so
3:48 12 products that you could buy however
3:50 if you refine your search to for example
3:51 just spats
3:53 um it'll display three products which are
3:54 are
3:57 somehow related to paths
4:04 you'll see that the category that you selected
4:05 selected
4:08 gets populated in a parameter in the url called
4:08 called
4:12 category so this is the
4:14 the category filter that has a sql
4:15 injection vulnerability so this is the
4:16 one that we need to exploit
4:19 now you might be wondering well in a
4:21 real pen testing engagement you're not
4:23 given which parameter is exploitable so
4:25 how would you know and the answer would be
4:26 be
4:28 to follow the general methodology that
4:30 you would when you're pen testing
4:31 applications so the first thing that you
4:32 would do
4:34 would be to map the application and what
4:35 that means
4:37 is uh visit the application and learn
4:39 how it works learn the logic in the application
4:40 application
4:42 uh find out all the different endpoints
4:43 in the application
4:46 find out all the different input vectors
4:48 that could potentially talk to the back end
4:48 end
4:50 of the application and when you do that
4:51 you'll discover the
4:53 category field so that is an input
4:55 vector that talks to the backend because depending
4:56 depending
4:58 on the value that you give it it'll
5:00 display different results
5:03 um and then once you've discovered this
5:05 field it's just a matter of fuzzing
5:07 so if you think it's talking to a
5:10 back-end sql database then you'll
5:12 enter sql characters that could
5:14 potentially break the back-end query
5:17 and this way uh if if it breaks the
5:19 back-end query then depending on how the application
5:19 application
5:22 is configured um and how it's uh coded
5:24 it could give you different response
5:27 codes it could give you different
5:29 responses of the application it could
5:30 give you errors and so on and then
5:33 depending on the response
5:35 you could infer the fact that it might
5:37 be vulnerable to a sql injection
5:39 and then once you've detected the fact
5:41 that it might be vulnerable to a sql
5:43 injection it's a matter of giving the application
5:44 application
5:46 iteratively different payload until you've
5:47 you've
5:49 figured out at least approximately how
5:52 the sql query works at the back end and
5:53 then this way you could
5:55 build your payload and successfully
5:58 exploit the sql injection now since this
5:59 is a beginner video
6:03 we're already given the sql injection
6:06 sorry the sql query that is happening at
6:08 the backend but even if you're not this
6:08 is easy
6:11 to figure out depending on how you fuzz
6:13 the application
6:16 so um what's happening over here
6:20 let's have an analysis
6:24 section when you
6:26 entered paths what's happening is it puts
6:27 puts
6:30 pets in the category field and it runs
6:32 this query and what this query does is
6:33 it says
6:35 select all the rows from the products table
6:36 table
6:38 where the category column is equal to paths
6:39 paths
6:41 and the released column is equal to one
6:43 so what it'll show you
6:45 is um is all the products that are in
6:48 the category pets but also they have
6:50 to be products that have been released
6:52 so if released was equal to for example zero
6:53 zero
6:54 then you wouldn't see the product over
6:56 here because it's not released to the public
6:56 public
6:59 so now um remember when i said fuzzing
7:00 let's try
7:03 a common sql character that if the
7:04 application doesn't properly
7:07 uh validate user input and doesn't use
7:09 parameterized queries then
7:11 um then chances are it is vulnerable to
7:13 sql injection and a way to
7:16 detect that is to add sql characters
7:17 that might break the
7:20 query and one of the most used ones is the
7:21 the
7:24 uh the quote character or the double
7:25 quote character so let's try that and
7:27 see what happens
7:30 okay so we get an internal server so
7:31 right away i'm thinking this is
7:33 vulnerable to a sql injection
7:35 and the reason i think that way is
7:36 because what's happening
7:42 instead of having pets over here we
7:44 entered a single
7:46 quote and so it broke the application
7:47 because the way it
7:50 sees it is select um all the rows from
7:52 the products table where the category
7:53 field is equal to
7:55 nothing so this quote over here that we
7:56 added closed
7:58 uh the other quote for the category field
8:00 field
8:01 and then all of a sudden it has a single
8:03 quote that likely
8:05 uh resulted in a syntax error which resulted
8:06 resulted
8:08 in an error in the web server and
8:11 internal server error in the web server
8:12 and so we broke
8:14 the application so this is an indication
8:16 that it's vulnerable to sql injection we
8:17 don't know
8:19 yet that it is so let's try to build a
8:21 sql injection payload
8:27 and to do that we i need the application
8:28 to respond
8:30 properly instead of responding with an
8:32 error so what i'm gonna do
8:35 is this quote over here that i added it
8:37 closes this quote over here
8:39 and so i'm gonna add the comment field
8:41 in order to tell it to ignore the
8:44 rest of the query and this way it won't run
8:44 run
8:47 into this single quote and it won't
8:48 generate an
8:51 error so let's put that payload
9:00 and before i run it what's what what
9:02 needs what would happen at the back end
9:02 right now
9:05 is it'll literally just run this query
9:06 over here
9:08 so select all rows from the products
9:10 table where the category is equal to
9:12 nothing and then because this is a
9:13 comment field it'll
9:15 ignore the rest of the query and this is
9:16 the valid query so it shouldn't give me an
9:16 an
9:20 error let's run it and here we go so we
9:22 don't get an error we also don't get any
9:24 search results because the category
9:25 field is set to
9:28 nothing so it works now i'm
9:31 confident that it is vulnerable to a
9:33 sequel injection vulnerability
9:36 and so the next thing to do is to
9:39 try to solve the exercise so we said the
9:41 end goal of the exercise is to display
9:43 all the products both released and unreleased
9:44 unreleased
9:47 um so let's copy our
9:50 query again and try to solve this exercise
9:52 exercise
9:55 okay so um i needed to display
9:58 all the products so i'm going to add an r
9:59 r
10:01 one is equal to one so a conditional
10:03 statement so what this will do
10:06 is it will say select all the rows from
10:07 the products table
10:09 where category is equal to where either
10:11 category is equal to
10:13 nothing or the conditional statement one
10:14 is equal to one
10:18 evaluates to true now one is equal to
10:20 one will always evaluate to true
10:23 and so um it will display
10:25 all the rows in the products table so
10:26 let's try that out
10:29 this is our query over here sorry our
10:41 and hit enter and here we go it says
10:43 congratulations you've solved the lab if
10:43 we go
10:46 down you can see that we can see one two three
10:47 three
10:50 four one two three four five so that's
10:51 five times four
10:53 twenty entries whereas before we were
10:54 only able to see
10:58 twelve um
11:12 and just select gifts for example sorry
11:13 we select
11:16 all these are the entries that we could
11:18 normally see
11:20 so safety first folding gadgets and so
11:22 on but then when we exploited the vulnerability
11:24 vulnerability
11:37 we're able to see much more vulnerable
11:42 much more products
11:44 i believe uh roulette drinking game was
11:45 not one of them and so on
11:48 um anyways so we've successfully exploited
11:49 exploited
11:52 the sql injection vulnerability manually
11:53 now let's try
12:00 okay so if you haven't watched my
12:01 introductory video
12:03 on this the reason i i script the attacks
12:04 attacks
12:06 is because in your pen testing career
12:07 you will run into
12:10 scenarios where doing things manually is
12:11 not going to cut it and it's a bit unrealistic
12:12 unrealistic
12:16 and so as a way of training myself
12:18 i i script all my attacks and this way
12:19 when i do come across
12:21 a vulnerability that requires scripting
12:23 like a blind sql injection vulnerability
12:25 which we'll do in the future i already
12:26 know how to do it
12:30 and my language of choice is python
12:40 so the first thing that i do is
12:44 import the requests library
12:45 this will allow you to make http
12:47 requests and will be your best friend
12:48 when it comes to
12:50 application pen testing and next i'll
12:53 import the sys library and
13:00 the url lib3 library
13:07 what i also do is i usually
13:10 uh set the proxy setting in all my
13:12 scripts most people don't do that and i
13:13 don't understand
13:15 why because it's a great way of
13:16 debugging why your
13:18 script doesn't work and i'll show you
13:35 set it for 8080 and then
13:52 and so what that will do is whenever the
13:54 script runs it'll pass it through
13:57 my proxy uh which is burp i'll show you
13:58 that in a second
14:01 and then if i allow it in the bird proxy
14:02 to relay it back to the web server it'll
14:04 do that and then any response from the
14:05 web server
14:07 will get passed through my proxy again
14:08 and then back to the
14:11 application so it's a great way of
14:12 debugging uh
14:15 scripts and we'll do that in a second
14:16 and then next
14:18 i've got all my configuration settings ready
14:19 ready
14:31 now let's create the main method
14:32 i'm going to have a conditional
14:45 okay so the way that i want the script
14:47 to work is when i run it
14:49 i give it two command line parameters
14:52 one is the url of the application
14:54 into the payload that i want to so the
14:57 sql injection payload that i want to
15:00 use and so it takes in two parameters uh
15:00 now if
15:03 it if it doesn't find these two
15:05 parameters or you don't enter the
15:07 correct number of parameters or so on
15:07 it'll throw an
15:09 exception and when it does that i want
15:12 it to display a nice error instead of the
15:13 the
15:16 exception code so let's start out with the
15:16 the
15:20 with the try um with a try condition
15:25 so url is equal to the first argument
15:33 and then the second argument would be
15:48 and we have an error over here okay
15:50 now if you run into an exception then i
15:51 wanted to
15:55 print the usage instructions
16:05 so the name of the program
16:26 and then i also wanted to give me an example
16:28 example
16:34 it just this way the code is a little
16:35 bit cleaner
16:41 and the url is www.example.com
16:44 and let's say the payload is 1 is equal to
16:45 to
16:47 1. now because i'm using it as a string
16:48 over here
16:51 i need to convert this into single
16:53 quotes so that it doesn't interfere with it
16:54 it
17:05 program
17:18 and then exit the program since we ran into
17:19 into
17:26 okay awesome all right so
17:30 if um if you gave it the correct command
17:32 line arguments it'll set the first one
17:34 to the url parameter and it'll set the
17:35 second command line argument to the payload
17:36 payload
17:38 if you didn't give it the correct number
17:40 of command line arguments it'll
17:41 print these statements over here what
17:43 we're gonna do is we're just gonna run it
17:45 it
17:52 python3 sqlib01.py
17:53 and here we go so because i didn't give
17:55 it the correct number of
17:58 arguments um it printed the usage instructions
17:59 instructions
18:02 and an example of how to run the program okay
18:02 okay
18:05 up next i want to create a function that
18:07 if it evaluates to true
18:09 that means i have a sql injection and if
18:12 it evaluates to false that means
18:14 my sql injection exploiting the sql injection
18:15 injection
18:17 was not successful so it takes in the
18:24 and if it evaluates to true then it's
18:29 going to print
18:38 however if it evaluates to false it's
18:54 okay awesome now the next step is to
18:57 create the function itself
19:12 now before we fill out um what the
19:12 function does
19:15 so it does nothing right now uh we need
19:17 to learn more about the request that is
19:18 happening when we
19:21 click on a category to do that we're
19:22 going to use our
19:27 favorite proxy tool which is burp suite
19:28 and if you don't know how to use this
19:30 tool it's definitely worth investing the
19:32 time to use it because i don't know
19:34 anyone who works in the web app pen
19:35 testing field that
19:43 and i'm using the community edition so
19:44 you don't have to buy the
19:49 professional edition to do this okay
19:52 so a bit of background on what this tool does
19:53 does
19:56 is uh if you configure it what it can do
20:00 is it sits as a middleman between the
20:03 application and your browser and so when
20:04 i click
20:06 on anything in the browser and it makes
20:08 a request it'll send it first to my proxy
20:09 proxy
20:11 which is burp and then it'll send it to
20:12 the web server
20:14 and then when a response comes back from
20:16 the web server it'll pass it through my
20:18 proxy again and then through the web server
20:19 server
20:21 and uh the reason this is nice is
20:22 because um
20:24 this way you could manipulate the
20:26 request before it uh goes back to the
20:28 web server uh you'll see it
20:29 happen with things like client-side
20:31 validation and so on but also you get to see
20:32 see
20:34 exactly what is happening in the request
20:35 which you can
20:36 technically see in the browser if you
20:38 look at developer tools but just so much
20:40 easier to use a proxy for it
20:43 now i already have the proxy set at a localhost
20:43 localhost
20:46 8080 and that is why in the script
20:47 you'll see over here that i set it a
20:50 localhost 8080. i also need to configure
20:51 my browser to
20:55 use it and so i use foxyproxy which is a
20:57 great extension that allows you to
20:59 enter a bunch of proxy settings and then
21:01 you select which one you're using
21:03 i have burp over here i'm going to click
21:06 on options and show you how it's set
21:08 so again i've got it set at localhost
21:11 and then port 8080.
21:13 now you could do that from the proxy
21:15 settings of the browser but
21:19 it just toggling it on and off becomes
21:21 becomes unrealistic to go back to your
21:23 settings every time and so it's so much
21:24 easier to just
21:25 turn it off and turn it on whenever you
21:28 want so let's see if this is still
21:31 working you could see over here that it
21:33 intercepted the request so it hasn't
21:34 sent it back to the web server yet
21:36 instead it intercepted it and it tells
21:38 me that this is a get request
21:41 and i'm requesting product id three now
21:42 i'm gonna forward the request
21:44 and it timed out in the reasons because
21:46 we haven't touched this application in a
21:47 bit while we were
21:49 scripting and so we just need to load it
21:51 one more time
21:53 let's do that and i'm going to turn the
21:55 proxy off so that it doesn't intercept
21:56 every single request and you'll see over
21:58 here that there are so many
22:00 requests that are happening um and it'll
22:01 log all of them
22:05 in the http history tab
22:07 and i usually like to filter on the most
22:10 recent request
22:11 so you see over here that's something
22:12 that you didn't see in the browser
22:14 itself that it's calling js scripts it's
22:18 calling images and so on
22:21 okay so i want to intercept what happens
22:22 when i select
22:30 here we go and i'm going to send it to repeater
22:32 repeater
22:44 it's a get request and this is the uri
22:46 that it's using
22:47 so what we're going to do is we're going
22:49 to turn the proxy off
22:52 we don't need it anymore go back to repeater
22:53 repeater
22:57 and we'll use this to build our code
23:01 okay so let's remove that does nothing
23:04 and then put uri is equal to
23:09 filter categories equal to
23:20 and then we'll make a get request
23:25 request request.get and that would be
23:31 the url plus the uri plus the payload
23:32 so what this will do is it'll take the
23:40 blahblahblah.wapsecurity.net or dot com
23:42 whatever it was and then it'll
23:44 concatenate the uri to it
23:46 and then it'll also can candidate the
23:47 poi load after the
23:51 equal sign i'm going to set verify to be
23:52 equal to
23:56 false and proxies
24:06 okay and then i want a way to figure out
24:10 if the application if if we successfully
24:12 exploited the vulnerability and one way
24:12 to do that
24:15 is if we check if the response code
24:19 has um has an item so an
24:21 unreleased item that is not normally viewable
24:22 viewable
24:25 by the public and so we're going to go
24:26 back over here
24:30 and look at all so these are all the
24:31 items that
24:34 are available to the public
24:36 now let's look at the items that are not
24:47 to do that this is our sql injection
25:14 so i believe if i'm not wrong uh
25:17 the cat grin product was not there
25:19 before so let's go back
25:26 yeah it wasn't there before so we could
25:27 filter out
25:30 on that payload itself let's do that again
25:43 okay so let's say if
25:51 the string cat grin is in the response code
25:52 code
25:56 r.text then return true that means we've
25:58 successfully exploited the sql injection
25:59 vulnerability because we can see an item
26:00 that we're not supposed to see
26:04 um as a regular user
26:07 otherwise return false which means that
26:10 the sql injection vulnerability filled
26:12 so let's compile this see if there's any errors
26:18 there are errors and over here save that
26:21 run it again
26:22 okay awesome it looks like there's no
26:25 errors it's clear
26:28 okay so let's run
26:32 our program lab 3
26:34 and then we give it the url which is
26:52 and then the sql injection vulnerability
26:55 which is right over here and this is why
26:56 it's good to keep notes
27:18 okay and let's run it see if it was successful
27:19 successful
27:22 now first of all it is successful which
27:23 is great but
27:26 notice that we do get an error over here
27:36 and to do that it's url lib3
27:39 dot disable warnings
27:42 url lib3
27:47 dot exceptions dot insecure
27:51 request warning okay
27:52 so now it shouldn't display this error
27:57 okay perfect let's clear this and run it
27:59 again all right
28:01 so what this does is we're calling the
28:03 program we're giving it the url to the
28:05 application and we're giving it a sql payload
28:06 payload
28:09 and so it builds um it built the request
28:09 for us
28:12 it runs it and then if it sees the product
28:12 product
28:16 category um it will uh
28:18 return true which will print out sql
28:19 injection is successful
28:21 if it doesn't see that product that
28:23 means we we didn't display any on release
28:23 release
28:25 products and therefore it'll return
28:26 false and uh
28:29 run and print the command sql injection
28:31 unsuccessful so this is a true case
28:34 in this case it is successful now if we
28:35 run it again but with
28:37 i don't know just a single quote which
28:39 should just display an internal server
28:41 error it should say sql injection
28:44 unsuccessful okay perfect so
28:47 we've successfully completed the
28:48 exercise to recap
28:50 in this video we first manually
28:52 exploited a sql flaw in the category
28:53 filter field
28:55 of the application this allowed us to
28:56 view products that have not yet been
28:58 released to the public
29:00 uh we then scripted that exploit so that
29:02 it automatically does that for us
29:04 i'll add the link to the exploiting
29:05 github in the description
29:09 of the video if you liked the video hit
29:11 the subscribe and share button so that
29:12 it reaches a wider audience
29:14 also comment below what you learned in
29:16 the video and what you would like to see
29:17 more of in the future see you in the
