YouTube Transcript:
SQL Injections are scary!! (hacking tutorial for beginners)
SQL inj? No, no, no. Let's use a SQL injection to hack into a website. Here is our target, Altoro Mutual, an online banking site that is totally real. We're going to use a SQL injection to hack into this website and gain admin privileges. You'll be able to hack this website in like 30 seconds. Now, one of the scariest uses of SQL injection is that bad actors can use a simple login form like this to dump a database of usernames and passwords and then put them on the dark web with a for-sale sign, and you'll never know about it. Nothing you can do.

Well, actually, you could probably try Dashlane, the sponsor of this video. Dashlane will actually monitor the dark web and see if your usernames and passwords are for sale. And if they are, they will alert you. And I have a lot. I need to fix that. And then using Dashlane, you can generate a completely random password, unique, different from your other passwords, right? You don't use the same password for every website, do you? Anyways. And Dashlane will store it for you. And this right here is definitely my favorite feature of Dashlane. They'll do passwords and they'll also do multifactor authentication right there in a stinking app. I love that. So all your stuff is in one place, keeping you safe and making it a bit more simple to log into sites. I use Dashlane personally for everything and also for my business. And check this out, I get an admin console giving me a dashboard of all my employees' password health scores, and it'll tell me whose passwords are compromised so I can basically force my employees to be secure, which you have to do. They're not gonna listen. So start securing your passwords for free right now. Check it out, link below: dashlane.com/networkchuck50. Use the code NETWORKCHUCK50 and you'll get 50% off. And did I mention you can secure your passwords everywhere? Phone, tablet, computer. Yeah, it's awesome.

So again, here's the website. It's a simple login form and we won't need any fancy tools.
All we'll need is a keyboard and some coffee. Chuck.coffee. Now our goal with this login form is to use it in a way that will give us access to the underlying database. When you try to log into this website, or really any website, when you hit enter, the website will connect to a database and run a search to see if your username and password exist in the database. If they do, you're in: login successful. So here is where a SQL injection comes in, and it's kind of crazy. We know that a lot of websites will do this very thing, query a database, and possibly have a query that looks similar to this. And this may look familiar if you watched my previous SQL video; we'll use statements like this to find information in a database. But here we're gonna use the beauty of SQL against them.

Now, in our scenario, we don't know the username and password. So let's take that out. Now let's first just brute force it. Let's guess, and maybe we'll get lucky. Now as I'm typing this, notice what happens to our query. This will be important for our next step. The username could be admin; it's a popular username for administrative accounts. And we'll try the password: password123. Let's click log in. Oh, failed. It was worth a try, but did you keep an eye on our statement? Notice that whatever we typed in was entered here in the query between single quotes. Now here is why that's important. In programming, and in SQL, when you have a string of characters between quotes (this can be single or double quotes), that's referred to as a string; it's a data type. So looking at our query down here, anything inside quotes is going to be a string. And everything outside of it is a SQL query. And we know that whatever we enter here in the username field and the password field will end up becoming a string inside that query. But what if we could make it not do the <laugh>? And this is where the hacking comes in.
What if we could send not just a string, but some more SQL query to change what happens, to hack what happens? So let's try this. Let's type in our username once more here, admin. But at the very end, we're gonna add a quote, a single quote, and let's try to log in. Okay, didn't work. We haven't hacked it just yet. But notice something. And this will tell you if a website is vulnerable to SQL injection; that's a great way to test that, and pay close attention to the error. We have a syntax error because if you look at our query, did you notice what happened? We have another quotation mark right here, a floating quote. And this is fantastic news for us because the reason it got a syntax error is, you know, a string is between two quotes. If you only have one quote, then it's not complete. So we got a syntax error; it's like freaking out. But now we know that we can insert some extra stuff besides just our string. So now that we know this application is vulnerable to SQL injection, let's try a few SQL injection payloads, which is actually pretty easy. It sounds scary, but it's not too bad.

Now, before I show you the payload, let's reexamine why our first login failed. I mean, it's obvious, right? The username and password were incorrect. But I want you to look at the logic of this query, this SQL statement. What it's saying is both the username admin and the password, password123, have to exist together just like this. If both of those are true, it will evaluate to true and we get a successful login. But in this case, they're not there. It's a different password. So it evaluates to false. So now here's where the magic comes in. Here's where our payload comes in. What if we can make this SQL statement always evaluate to true no matter what we put in? Let's try it out. This first payload is what's known as an OR payload, and it's gonna look something like this. In our username field right here, I'll do our opening quote.
I'll do a space and I'll type in OR, and I'll do another string. I'll do 1 as a string, 1 equals, and another string, 1. Now obviously something cool is happening here, but what are we doing? Well, why are we doing this? Two reasons. First, notice that we added some more SQL code in there; by breaking out of the string with our extra quote, we were able to add some extra SQL query language stuff here. Magic. And here's the fun fact about how SQL will process the operators, like AND and OR. AND, and OR. Um, that's confusing. When evaluating a statement like this to see if it's gonna be true or false, it will first do the AND, that's the precedence, AND first and then after that OR. So now when we try to log in, here's how it will process this logic. And this will all make sense right here. It will first say, hey, does username equal admin and password equal password123? Does it? Well, no. So false. But it's not done yet because we added something extra. And this is the hack, then it will say this: but does the username equal admin or one equal one? Let me ask you a question. Does, uh, does one equal one? Duh. Yeah, right? Will it? Will one always equal one? Yes, <laugh>. And that's why we added this nonsensical statement here. This statement will always evaluate to true because no matter what, one equals one <laugh>. So we added some extra arguments and extra operators saying, hey, does one equal one? Then it's true <laugh>. And that's the hack here. When it comes to evaluate our OR statement, it'll always be true. Let's try it out. Let's click log in. Well, dang it, it didn't work, but why? It's actually pretty easy. Watch this. Let's take a closer look at it. Do you notice anything weird about our query? Now here's a hint. Count the strings. So we have a string here because we have two quotes. We have a string here, two quotes, and a string here, two quotes. Well <laugh>, there's an extra quote and that's why we got that syntax error. So let's fix that.
It's actually not too bad. <laugh> Just right here, it seems like we have an extra quote at the end. So let's take that one off the end. So now with our syntax looking nice and clean, all complete strings, no errors, let's try to log in. Log in. And we did it. We got in. We successfully injected SQL query code by tricking the login prompt. That's pretty nuts, right? Now here's a bonus question, your homework: what if we didn't know the username? What if the username wasn't admin? Would this still work? Comment below.

Now, using payloads like OR to subvert the logic of this query, I like it, but it's complicated. There's another way we can do it. And this way is kind of scary, powerful. Watch this, because instead of using OR to, like, mess with the logic, we're gonna add a simple comment. When you're writing code, whether it's Python or SQL, things can get kind of complex. So you often want to make a comment about what you're doing with it. So when people look at your code, they're not like, what? You can kind of tell them why you're crazy. So you'll use a special character like the pound sign or, in MySQL's case, which is what we're using right now, you'll have two dashes and a space, and whatever comes after that, no matter what it is, will be ignored. It won't be processed. So what do you say we use this good thing for a bad thing, <laugh>? We're gonna turn a comment into a hack, and watch how simple this is. Here in our username field, we'll break out of our string once more with an opening quote, and then we'll simply do two dashes and a space. Notice what it did to our query. Let me blow it up real quick. Right after username equals admin, we have a character for comment in SQL telling it to ignore the rest of the code. So where before it said the username, whatever it is, and the password, whatever it is, has to be in the database, now the statement is simply, hey, is the username admin? Cool, come on in, no password needed.
And that's what's happening. It's ignoring the rest of the statement. And when we try to log in, we're in: login successful. So here's your homework. I want you to break into Altoro Mutual. The link is below. Can you break into this website with what you learned in this video? Try it out and let me know in the comments if you actually do it. I would love to hear that you did this. It's kind of fun.

Now, I will say this. This is basic SQL injection. It's often more complicated and a lot crazier. And again, while it is an old hacking technique, it's been around for a long time, it still ranks number three in the top list. It's still crazy dangerous. And the reason is because companies are lazy, or the company has coders that are lazy, and they may not even know what to look for as far as SQL injection, because SQL injections can be avoided pretty easily. I'll have some links below, but some things you can do are: hey, use prepared statements with parameter... can't say that, parameterized queries; use an allow list for input validation; escape user input before putting it into a query (so what we tried here in this video, that would definitely stop it); and use stored procedures. I will not go into detail on all those and frankly I don't know how to do any of that. So check the link below and you can learn more. If you're developing, you're like, oh crap, am I <laugh>? Am I vulnerable? You should probably just double check that real quick just to make sure. If you think you're safe, you're not.

Now, where do you go from here? Now again, what we did here was basic, but there are a lot more payloads, like on here. If you look at PayloadsAllTheThings, look at all the different payloads you could possibly try for a website. And also there are different types of SQL injection. Like now we just did in-band, error-based SQL injection, which is the easiest and most common. But there's union-based, there's blind SQL injection, there's, it's all kinds of things.
And I'm hoping that this video gave you a taste for how cool SQL injection is. And you can go off and learn a lot more, dive deeper, get lost in it, which union-based queries are crazy because you can add additional SQL queries on top of what's already there and possibly dump all the information from a table, or just drop the table and watch the world burn. Anyways, that's all I got. Get you guys later.
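Added example, not code from the video or from the Altoro Mutual demo site: the string-concatenated login query the video walks through, beside the parameterized form it recommends, run against a constructed SQLite table with the exact inputs the video types in (a lone quote, the OR payload, the comment payload). The table contents, function names and the hardcoded credentials are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample user table (not the real site's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    conn.execute("INSERT INTO users VALUES ('alice', 'wonderland')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by splicing raw input between single quotes,
    exactly the pattern the video shows. Anything the user types becomes
    part of the query text, not a value."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError:
        # A lone quote leaves a dangling string and the engine errors out.
        # Echoing this error to the browser is the tell the video uses to
        # spot an injectable form; log it server-side instead.
        return "syntax error"
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Prepared statement: the driver sends the two inputs as values, so a
    quote, OR, or '-- ' in them is compared against the column literally and
    never reaches the SQL parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Run one input through both versions; returns (vulnerable, fixed)."""
    conn = make_db()
    return login_vulnerable(conn, username, password), login_parameterized(conn, username, password)


if __name__ == "__main__":
    # Why the OR payload logs in: AND binds tighter than OR, so the clause
    # becomes  username='admin' OR ('1'='1' AND password='password123'),
    # and the admin row satisfies the left side on its own.
    for u in ["admin", "admin'", "admin' OR '1'='1", "admin' -- "]:
        print(repr(u), compare(u, "password123"))
```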