SQL Injections

Difficulty
Intermediate
Video Transcription
00:00
SQL injections.
00:03
Learning objectives are to understand how to identify SQL injection vulnerabilities and demonstrate how to manually exploit SQL injections.
00:12
So SQL, structured query language, in relational databases. Databases are everywhere in web applications. Have you ever been shopping for something on Amazon? You know, there's a price and there's an item; there's probably an underlying database for that.
00:27
If you ever signed up for a forum, you know, if you've signed up for PWK, you have access to
00:34
the Offensive Security forum, and you have a username and password and you interact with other users in that forum. There's probably an underlying database there that's storing that information. And because there are so many databases out there in web applications, the SQL injection attack has been around for a very, very long time.
00:54
A SQL injection is basically being able to inject our own SQL statements, raw SQL statements, into forms or the URL itself. And that allows us to query the database, interact with the database, delete things, add things
01:11
and do very bad things, like figure out usernames and passwords
01:15
or other sensitive information in these databases.
01:19
It's also important to know what the underlying database is. Is that MySQL? Is it MSSQL? Is it an Oracle DB? Why is that important? Because the way you structure your queries is going to depend upon
01:34
the underlying database.
01:38
So how do we find it? Our most powerful tool is a single quote.
01:42
The single quote is going to close out a string, and you'll notice that we may get verbose errors. It may say there's an error in our SQL statement. It may give us the version or the name
01:53
of the underlying technology, of MySQL. We saw that with Wappalyzer a few lessons ago, where it told us what the underlying database was, it was MySQL. That's great information because now we know, if there's a SQL injection,
02:09
we can write those queries using MySQL.
02:15
So you can also try this not only in forms and the URL but also in logins. And we're gonna have a whole other lesson on that as well.
02:27
I will say, when I was doing bug bounty I did this with a single quote on one of the web applications I was testing, and it gave me a whole lot of verbose information. It told me the name of the database. It told me the columns and the tables, and it was a very verbose stack trace. So
02:45
a single quote can be very powerful in finding SQL injections.
02:51
So you'll see here this image from DVWA where I added a single quote and it says you have an error in your SQL syntax
02:59
and check the MySQL server. So we already know it's MySQL based on that error message, which is very helpful.
03:06
That is an error-based SQL injection because we see an error. Blind-based, I bet you can guess, is where you don't see an error like that.
03:15
Our most powerful tool with SQL injections, finding them and enumerating databases,
03:22
is sqlmap.
03:23
It's a great tool. Great tool if you're going to be doing any of the eLearn exams, sqlmap is a great tool for that. Can't use it in OSCP,
03:35
sorry. But you know, sqlmap's great for labs and things like that.
03:39
But you cannot use it in OSCP, unfortunately.
03:46
So how do we manually enumerate
03:47
or manually use SQL statements to find out if there's a SQL injection and pull information?
03:55
So people say, you know, use the single quote, or 1=1.
04:00
Which is a true statement. So you'll see here in DVWA, for the user ID, ' or 1=1.
04:08
It's going to give you every single first name and surname
04:12
of everyone in that database.
04:15
That's a true statement. If you make it a false statement, we're talking about boolean values. Right? True and false. If it's a false statement you get
04:24
nothing.
04:26
So obviously, if you do 1=1 and you get everybody in the database, that's great.
04:30
But if you don't, try using a false value and seeing if things change.
04:38
There's a great guide on Exploit-DB. I will tell you, I did a Hack The Box
04:43
where it had a SQL injection and I manually enumerated it, and it was probably the greatest learning experience I had
04:50
in manually enumerating SQL injections and pulling information.
04:56
So let's dive into the demo now.
05:00
All right. We are back with the awesome photoblog. So like I said, a single quote
05:05
here, you have an error in your SQL syntax, and we know it's MySQL. So what do we do? We Google SQL injections for MySQL. Right? That's our best friend.
05:17
I'm gonna try to get that boolean value. I'm gonna do and 1=1
05:26
and I see I still get an error, so I'm gonna try to remove the single quote
05:30
and see what happens. Okay
05:32
that's a true statement. Let's try a false statement.
05:36
I get nothing like we saw in the slides.
05:40
Okay so we're getting somewhere.
05:42
What I'm gonna do now is I'm gonna order
05:45
order by, to see how many columns I have. I want to order by 1,
05:50
order by 2.
05:53
Order by 3.
05:56
Order by 4.
06:00
And I'm trying to see where I get an error. Order by 5. Okay. Unknown column 5. So we know we have four columns. Why is that important? Because when we do union select statements
06:10
we can inject,
06:12
we can inject information into
06:15
the union select statements to pull information from the database. What do I mean by that? So union select. I like to use null values, and we know we have four columns.
06:27
So if we have four columns,
06:30
we see that we don't get any errors. If I do a fifth column, we'll get an error. Right?
06:34
The union select statements have a different number of columns.
06:38
So what do I mean by inject? So if I want to pull the version, I put version here
06:45
and let's take a look down here.
06:48
So now we have the version 5.1.63 squeeze1.
06:55
So if we wanted to get more information, of course, like I said, Google is your best friend.
06:59
MySQL, that version.
07:01
Okay.
07:02
What if I wanted to get
07:05
the database?
07:10
I see I'm in photoblog.
07:13
Okay. Well, that's all fine and good.
07:15
But let's further enumerate what's going on here.
07:21
I want to see all the databases that I'm working with here.
07:25
So what I'm going to do
07:30
the union select null, concat schema_name,
07:32
null, null from information_schema.schemata to
07:36
What that tells me is we have information_schema, which we should have in all
07:41
MySQL databases, and photoblog.
07:46
So I want to find out what the table names are in
07:49
photoblog.
07:56
So I'll go
07:58
here.
08:00
Union select null, table_name, null, null from information_schema.tables where table_schema equals database.
08:07
And we'll see that we have categories, pictures and users. Well,
08:13
users very interesting. Right?
08:16
Because if we have users we may have a user name and password. Right.
08:22
Okay.
08:24
So now we're doing a union select null, column_name, null, null from information_schema.columns where table_name equals users.
08:35
And now we have these columns, ID, login and password.
08:41
So now we're really getting somewhere.
08:43
Of course we want to know what the login and password is. Right?
08:50
So now I have union select 1, concat, so concatenating ID, leaving a space, login, leaving a space, and password.
08:58
So that should give us the ID, login and password of the users.
09:03
And we see here we have the ID, login and password. Now, this obviously isn't a clear-text password. It
09:13
is hashed with some kind of value.
09:16
I'm not going to use any fancy tools right now because we have a whole different module on cracking passwords. So what I'm gonna do is
09:22
search for it in Google,
09:24
and I can see that this is an MD5 hash for this very fancy password here.
09:33
All right. So you saw the hard way we had to do it, how to manually enumerate it.
09:37
Now, let's look at
09:43
MySQL,
09:48
or, I'm sorry, sqlmap.
09:52
I'm gonna take off --dbs right now.
09:56
And you can see, simply with the push of a button,
10:00
that
10:01
it already has found that id, that it's vulnerable to boolean-based,
10:07
error-based, time-based, union query
10:11
SQL injections. And if I want to enumerate the databases, I do --dbs
10:16
and like we saw before, there's information_schema and photoblog.
10:20
I'm going to do photoblog
10:26
and we want to dump the tables:
10:30
categories, pictures, users. We've seen this before. Right? But this is much faster.
10:35
Table users,
10:37
now I can do --dump.
10:39
Mhm.
10:41
All right.
10:46
We're going to try to crack the password and we did
10:48
and
10:50
it's that fancy password there.
10:54
So MySQL, or, I'm sorry, sqlmap is a great tool to use, but we cannot use it in OSCP.
11:01
So knowing how to manually enumerate SQL injection vulnerabilities
11:07
is very important, so that we can learn how to pull valuable information from SQL injection vulnerabilities.
11:20
So in summary, we covered understanding how to identify SQL injection vulnerabilities, and I demonstrated how to manually exploit a SQL injection.
11:33
Yeah.