SQL injections: what are they and how can you exploit them? Coming up right now.

Now, before we can dive into a SQL injection, we first need to know what SQL is. Well, SQL stands for Structured Query Language, and it's a standard language used for accessing and manipulating databases. Now what exactly can SQL do? Well, it can do a lot of things: it can execute queries, it can insert, delete or update records, you can create new databases, tables, views and stored procedures, and it can also change the permissions for these tables, views and stored procedures. So let's look at a basic example of a SQL query, and we'll use the example of a typical login form at a website. You'll enter your username and password and then you click the submit button. Now once you do that, it's going to hit some code behind that form that looks something like this.
What it does is it's first going to grab the username from the username box and store that, then it's going to store the password into the password variable, and then finally we're going to build a SQL query using the username the user typed in. Now this is bad, because there's no sanitization on the user-inputted data, and what that means is a user can directly inject SQL queries, or rather SQL code, to modify the SQL query. Now once this code is complete, our SQL query would look something like this: it says select everything from the users table where the username equals admin. Now if we were to execute this query against our SQL server we would get a result as such: we get one row returned with the user ID, username and password fields of the user, and as you can see the user ID is 1, the username is admin and the password is secret. That's basically how a SQL query functions. So let's go back to our web
form. Now let's insert a SQL injection. So inside the username field go ahead and enter a single quote, or, one, equals, single quote, one (' or '1'='1), and then go ahead and click Submit. Now through the rest of this video, just for your benefit, I'm going to show you at the bottom of the screen how the SQL server will interpret the query from the input. Let me say that again: at the bottom of the screen, what I'm going to do is show you the SQL query that the SQL server is actually going to execute. So here you can see how we cleverly injected some SQL code. Now once we run this query and hit submit, the application returns an error message: it says failed to login as admin, then it says it again for moderator, and then guest and ghost. Hmm, that's pretty odd, because we did not type in any of these usernames, and furthermore, why did it spit out four different error messages? So let's take a closer look at this query. If we were to execute this on our SQL server, the query would look like the following: select everything from users where username equals nothing or one equals one. So as we can see, there are no users with a blank username, so that part is false and it's not going to find anything. The second part says or one equals one. Well, one equals one returns true, so if that were to be executed, the SQL server is basically going to see that query like the following: select everything from users where true. Basically there's no where clause, it's not searching for anything, so the query is basically just saying select everything from users, and the SQL server does exactly as you asked and it returns all the users and passwords from that table.
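As an added example, not code from the video, here is the login lookup described above written in Python against an in-memory SQLite table with constructed rows (the video's backend and MySQL server are swapped for sqlite3 so it runs offline), next to the parameterized version that makes the ' or '1'='1 input harmless.

```python
import sqlite3

# Constructed sample data, not taken from the video: the users table it dumps,
# with the three columns the video names (user ID, username, password).
USERS = [
    (1, "admin", "secret"),
    (2, "moderator", "example-pw-2"),
    (3, "guest", "example-pw-3"),
    (4, "ghost", "example-pw-4"),
]


def make_db():
    """Build the in-memory table the two lookups below are run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The pattern the video describes: user input is pasted into the SQL text.

    With the input  ' or '1'='1  the text becomes
        SELECT * FROM users WHERE username = '' or '1'='1'
    and the always-true OR branch returns every row."""
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value travels separately from the SQL text, so the quotes
    inside it are data, never syntax. The same input now matches no user."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print(lookup_vulnerable(db, "admin"))       # the one admin row
    print(lookup_vulnerable(db, payload))       # all four rows, as in the video
    print(lookup_parameterized(db, payload))    # [] : no user has that literal name
```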
Now our error, as we can see, is dumping all of the usernames in the table. Now that's great, however it would be very useful if we could get the password for these accounts. Now how exactly are we going to do that? We don't have passwords and we want passwords. So what we can do, since we're able to inject SQL code, is first try to find the database name that this application is using. So what we need to do is modify our SQL injection, and this is our new SQL injection: basically we're going to use the UNION SELECT statement to add additional information into the SELECT statement made by the application, and what we're going to do is select the database names from the MySQL information_schema.tables table. Now one thing I want to point out is this value right here, table_schema. While it says table_schema, it might lead you to believe that this is information on tables, but this is actually the database names inside the SQL server. So just note that table_schema basically means database name.

Now once I executed this SQL injection, the application spat out the following message, and it says "The used SELECT statements have a different number of columns". Well, when I go back to the SQL query on the server I can see that the table has three fields: user ID, username and password. However, our query was only selecting one field, and that was the database name, or the table_schema field. So what we're going to do is modify the injection query to always return three values. All I had to do was just add 1, 1, table_schema to our query, which gives us the following, and then execute it on the application. However, once again I got the same error message. No dice.
OK, let's modify our query one more time. Now if you looked at the query you would have seen that we have two UNION statements. The first UNION statement is trying to select the database names from the MySQL server, and the second UNION statement is purely here to provide a proper end to our SQL query. If we did not include this UNION SELECT 1, 1, '1 then the query would break, so that is required. Now to ensure that this query always returns 3 values, we need to make sure that all of our UNION statements return 3 fields: 1, 2, 3, and our second UNION SELECT returns 1, 2, 3 fields. Perfect.

Now when I ran this injection against the application I received the following results. Our injection worked, however the only thing it returned was the value 1, which is not very useful for us, so let's go ahead and try something else. This time let's change the values that we're setting inside of our injection query. So what I did is I changed the values in the first UNION SELECT to 3 and 4, and in the second to 5, 6 and 7, and ran this query. Then we modified our query again: we just moved table_schema and the value 4, we switched them around, executed our query, and bingo, we were able to enumerate all the databases on the SQL server. The database that we're interested in is the SQLi database. So now that we know what database we're after, let's start to enumerate it to figure out what tables and what columns are inside those tables, so we can access the information we want, specifically the username and password.

So to enumerate the SQLi database we're going to inject the following SQL injection. Now take note that we modified the value here to be table_name, which is what it says it is, the name of the table, and then we also included a WHERE clause so we're only searching in the SQLi database; that way we don't see all the tables from all the databases. Now once I executed that, I received the following output and was able to find the tables profile, settings and users. Now this last output where it says 6 can be ignored, as it's actually just coming from our UNION SELECT right here. So awesome, now we know that there are three tables in there and one of them is named users. Well, I want the username and password, so I'm going to speculate that they're inside the users table. So now let's figure out what fields, or columns, are inside the users table, so we're going to need to modify our query again. This time we're going to change the value to column_name and change our WHERE clause to a table_name, so we're only searching for the table users. Once executed, I received the following results, with columns user ID, username and password, and as we know from previously those are in fact the column names for the users table. So awesome, now we have all the information we need in order to dump out the usernames and passwords, but we have one problem. The problem is we're only able to return one value inside this UNION SELECT query, but we need to pull the username and the password and stick them both inside this one field. We couldn't just put username here and then password, because then only username would show, and vice versa. So this is what we're going to do in order to dump the usernames and passwords in one go.
What we want to do is combine the username, separated with a delimiter, in this case a colon, with the password. To accomplish this we're going to use the following injection for the username, and how we accomplish this is using the MySQL function called CONCAT. All it does is concatenate strings together, and that's perfect, because what we're going to do is use that to concatenate the username with the colon and the password, and it's going to take all of that and spit it out as one field, which is exactly what we're looking for. So perfect, our query will look like the following, and once I executed it, bingo, I was able to dump all the usernames and passwords from this table via a SQL injection.
As you can see, the admin password is secret, the moderator password is 123, then the guest password, and ghost's password is secret. Awesome. So that's it guys, that is the basics of carrying out a SQL injection attack. Now there's actually many different types of SQL injections, and this is just one type. In future videos I'll go into the various types of SQL injections and give you some examples of how to exploit them.

Before you go: do you want to download a SQL injection lab so you can try out the skills that you learned in this video today? Well, check it out: if I get a hundred people to comment on this video, then I'll create a SQL injection capture-the-flag lab and upload it to this video for everybody to enjoy, so go ahead and comment now. But that's going to do it for today guys. If you enjoyed this video please click that subscribe button, if you liked this video give me a thumbs up, don't forget to click the bell to get notifications of my new videos, and as always I will see you on the other side.
