Transcript for:
Exploring SQL Injection: Pentesting Insights

[Music] Hey guys, HackerSploit here, back again with another video. Welcome to the all-new Penetration Testing, or Pentesting, Diaries series. Pentesting Diaries is a new weekly series where I will be exploring various pentesting techniques and tools and some of the latest attacks that we're seeing in the cyber industry today. Now the primary objective of this series is to demystify the pentesting techniques and tools that again you may or may not be familiar with, and we're going to be doing this in order to provide you with a deeper, more holistic understanding of how specific attack techniques work, what tools to use or when to use specific tools, and more importantly how to correctly use tools to optimize your efficiency and consequently your proficiency as a penetration tester. Now in addition to that, I'll also be using this video series as a way to share my own personal knowledge and experience from my escapades as a penetration tester, so I'll be using it to give you a realistic view of what pentesting is like through some very, very cool practical labs, and I'll be touching on that shortly in this video. So really exciting. So again, primary objective: give you a realistic view of what it takes to be a proficient penetration tester. Now for this series and all other videos on the channel moving forward, these videos will be underpinned by an augmented form of cyber security training, and this is what I had alluded to in my channel update video, and the objective here is to give you a new, or an improved, form of cyber security training where you can pretty much do what I'm doing in these videos in a matter of minutes in your browser, without having to set up your own environment, and that will sort of bridge the gap that I was having challenges with when I wanted to dive into more complex topics or
techniques. So I'll be touching on this in a few seconds as I introduce you to the tool or platform we'll be using, so really excited for that. With that being said, welcome to the first episode of Pentesting Diaries, and in this series, or in this particular episode, we're going to be taking a look at SQL injection, and the objectives or the outcomes will become clear as we progress, but hopefully you enjoy this series. Let me know, again once you've watched the complete episode or the video, let me know what you think, and I would like for you to share some recommendations for future episodes or topics that you'd like me to dive into. But as I said, just as a final word, this is going to be a weekly series and it's going to be made or built up by you guys and your recommendations on stuff you want to see. With that being said, let's get started with today's episode of Pentesting Diaries and I'll see you in a few seconds. All right, so welcome back everyone, and before we get started with SQL injection and what the scope of this video, or this episode, is going to be like, I want to introduce you to the platform we're going to be using, or I should say you're going to be using, to again follow along with not just this video but other videos on the channel, and that platform is Cyber Ranges. Now again I'll introduce you to Cyber Ranges and I'll explain why I use Cyber Ranges for a lot of not only my own training, but why I think it'll be a very useful tool for you in making that next step to becoming a professional or a seasoned professional. So what is Cyber Ranges? Well, if you're not familiar with what a cyber range is, a cyber range is sort of a more advanced version of some of the online platforms, the online virtual lab platforms that you see, like Hack The Box or TryHackMe,
and when I say they're a bit more realistic and complex, that's inbuilt. So the objective of a cyber range is to provide you, whether you're a pentester or a SOC analyst, with an experiential experience, or with experiential knowledge, skills and abilities that you require in order to operate proficiently within a particular role or career path in cyber security. So the difference, as I said, the reason why I'm using Cyber Ranges is firstly the ability to create and share with you guys my own labs, which allows me to provide you with pretty much the exact experience as what you're going to be seeing in these videos, but more importantly into deeper, more advanced topics like, for example, AD penetration testing, purple teaming, so on and so forth. But with that being said, the link to Cyber Ranges is in the description section; the URL is just app.cyberranges.com, and again don't worry, you're not going to need to pay anything, it's going to be absolutely free, the lab we're going to be using, but you can create an account if you don't have one already. So just click on register and you'll need to provide a unique username and a functional or valid email address, because you will receive a confirmation email that will then take you to the next step of activating your account, which just involves setting your password, so you don't set your password here. You can leave the promo code section empty and of course you can go through the terms and conditions. So I know you're probably wondering what does it look like and how does it work. Well, I'm just going to log in with my account, and there we are, so this is the Cyber Ranges platform. Now you're going to see a lot of labs displayed here, and the section that again I'm going to be using in this video, or the lab I'm going to be using, is available under the free section, and you can see this here,
and there's a, so for example this set of labs here is the MITRE ATT&CK Defender adversary emulation labs. We're actually going to be using these for the adversary emulation sub-series, part of the larger red teaming series on the channel, but these were labs that I built, and again we'll be going through it. But yeah, these are pretty much the three labs you can go through. For the purpose of this video we're going to be using From SQL Injection to Shell, so this is an adaptation of the PentesterLab, I believe, lab on the same topic, which again I'm going to be using to demonstrate or to demystify SQL injection, and I'm going to be explaining a lot of things. So there's various other ones that you can go through in the free section; for example, there's multiple VulnHub VMs or boxes that have been imported here, again credit going to the authors of them, and these are available for free. But the really cool thing, and this is what I was referring to, is, for example, if I can go in here and click on that one, I'm just going to start it. The great thing about Cyber Ranges is obviously the control of the environment you'll be provided with. Now this is not a complex environment because we only have two systems, and that's what I was alluding to, so you can pretty much use or go through these labs directly from your browser with your own dedicated Kali Linux system without VPN. Now you do have the option to again connect via VPN if you're using your own Kali Linux system, but pretty much for all of the attack or offensive scenarios, and a scenario is just a lab in Cyber Ranges parlance, you'll be provided with a Kali Linux system and the target web server IP will be provided here. So the lab shouldn't take more than a couple of seconds to a minute to start up, so I'm just
going to wait for the lab, or for my lab, to start up and we can then move on, so I'll see you in a couple of seconds. All right, so once the lab is good to go you can just click on start right over here and it'll take you to the lab page. So given the simplicity of this particular lab in terms of the objectives, you can click on your Services tab where you have your dedicated breach box or attack box, as it were; Cyber Ranges calls it the breach box, which is essentially a Kali Linux system that again is dedicated to your session, and you can pretty much just click on the drop-down under Services here. And one thing is the IP annotated here is the IP address of the system within the private VPN network. So if I just click on the service here, this will give you RDP access to the Kali Linux system from within your browser, as you can see here, and there we go. So just give it a few seconds, I don't want to authenticate, but there we are, you have a fully fledged Kali Linux system that's dedicated to you, so there's no sharing, and it starts up with the lab so you don't have to start it up separately. And secondly, the network is segmented, and one of the things you'll see is consistency with the IP addresses. But the bottom line is you then have your target web server, which is what we're going to be targeting, and you can also view the web server that's running on the target web server within your browser, so not within the Kali Linux system. So there we are, you can actually see that web server. So if you want to use your own Kali Linux system and use the proxied URL here, you can; if you want to use the Kali Linux system that's been provided to you, you can do that as well, again it's fully configured and good to go. So again we can pretty much start from this point. So that is of course navigation on the Cyber Ranges platform. If you want to connect via VPN you can just click on the
top right here on the VPN icon, and you can either download the Cyber Ranges VPN client, which is a GUI application for any operating system, Mac, Windows or Ubuntu, I mean different variants or different Linux distributions, or you can download your OpenVPN certificate, so 2.4, 2.5, and connect as you would if you're using any other platform, and you then use your own Kali Linux system. So up to you; in my case I'll just be using this here. And yeah, so now that we know how to navigate around the Cyber Ranges platform, we're now going to be taking a look at our objective, which is SQL injection, and as you can see based on the title of the lab, using SQL injection or leveraging a SQL injection vulnerability to gain a shell on the underlying server. So there we are. So I'm just going to switch over and we can get started with this episode of Pentesting Diaries. All right, so we can finally get started with SQL injection. So I do apologize for the long intro, but as you're expecting, the first thing that I'm going to explain to you is what is SQL injection. Well, SQL injection can be seen as a subcategory of attacks or vulnerabilities that fall under code injection. So what is SQL injection all about? Well, SQL injection is an injection, more specifically a code injection technique, that is used to exploit vulnerabilities in web applications by injecting malicious, they don't need to be malicious, but malicious SQL statements. So that's the first point: SQL. What is SQL? SQL is the Structured Query Language. Now given that we're dealing with a structured query language, and I'm sure you're already aware of this, one of the prerequisites for this attack working, or for you to even consider testing for SQL injection vulnerabilities, is that the web application or the website that again you may be performing a pentest on
needs to, or requires, pretty much as a requirement, to essentially be using a relational database in some form. Now relational databases, some examples of these are MySQL, PostgreSQL, Oracle, etc., etc., I can go on and on. I do know that there are NoSQL databases; that's another exciting idea for another episode of Pentesting Diaries. But what you're trying to do is you're trying to look at a web application and analyze web application inputs, or areas within the web application where you can input data. So you can think of the common examples: a login form, right, a registration form, URL parameters; if you take a look at the HTTP request, whether it's GET or POST, you have various options in there that you can try and inject the SQL queries into. But generally speaking that's the starting point. So firstly you need to have a website that again is using a relational database management system, or RDBMS; some common examples I've already given you. Secondly, you need to identify or start identifying areas within the application where you can input these SQL statements, and what you're trying to do, moving on or proceeding on from that, is you're trying to find web applications that are not filtering these SQL statements wherever you're inputting them, whether it's a login form, the URL parameters, etc., etc. And in terms of weaponization of this technique, it's fairly, I think most of you are already familiar with it: SQL injection essentially allows attackers to view, modify or delete database data or records and even gain administrative access to the database or the underlying server that's hosting it. So we'll talk a little bit about the types of SQL injection vulnerabilities, but I just wanted to get that out before we get started. So that'll also give you an idea as to the methodology that you can start forming. So in this
particular lab we have the target web server; it's running on 192.168.125.150. So I'll open up the Kali Linux system here and let's do what we usually do: let's perform an Nmap scan. So I'm going to say nmap, and we can perform a SYN scan here, a service version detection scan, and let's perform a fast scan, which will only scan 100 of the most commonly used ports, and then 192.168.125, if I can type that in, .150. All right, so there we go. Yep, look at me, silly me, we need root privileges. By the way, the password for the Kali Linux system is listed here, so it's just kali and password, so I'll just type in password, fairly simple, there we are. All right, so the objective here: starting off with your basic port scanning, trying to see what services are running or what ports are open on the target web server, what services are running on those open ports, and then commencing with our enumeration or information gathering, if you will. So there we are, we can see that this is definitely a Linux server and we have an SSH port open running OpenSSH 5.5p1, and we have a web server only on port 80, so no SSL, and that's Apache httpd 2.2.16. Now one thing I would like to correct in your methodology, and especially if you're a beginner, if you've been watching CTF videos or you've been using CTFs to practice, because of how CTFs are designed your first inclination might be to try and search for vulnerabilities related to the service that's running, whatever it may be; in this case it could be Apache. Now what you'll typically see is someone running searchsploit or trying to search on Google for vulnerabilities related to that version of Apache, so I would not recommend doing that, or that's something that again I see a lot of people wasting time with. Now again I'm not challenging your methodology, but the first thing I like doing is let's just see what's running on
the web server. So I'll say 192.168.125.150, let's just see what's going on. All right, and I would always recommend, especially when performing a web app pentest, to approach it, as you begin, approach the web application as a normal user would. Don't again try and make it too complicated, and just try and see how this works. Now what I'm going to do here is, I just put myself in full screen here, let me just adjust that, give me a moment. All right, that's much better. But as you can see this is a fairly basic website; it looks like an awesome photoblog. All right, this looks very interesting; this looks like an image itself, ironic. So the last picture is Cthulhu, with not a very good image or representation of Cthulhu; for those of you who know about Cthulhu, let me know in the comments. So we also have a menu of sorts, very rudimentary, so Home, we click on that, and what I'm analyzing is the URL here to see if any parameters are being passed, especially when dealing with a content management system or anything of the sort. So we then have a Test page, and okay, so on the test page we have what appears to be two images that have been posted on this photoblog, so Ruby hacker and Cthulhu, okay interesting. We have Ruxcon, and I know you're seeing what I'm seeing, so we have a picture of a hacker, 2010, nothing in there. Pay attention very closely to what exactly is transpiring here. You then have All pictures, which lists all, nothing interesting in this case but still something worth exploring, and I want you to pay attention very closely to these errors; they may not really be related to what we're doing, but just good to see what's going on. And then of course we have a login page, so you again may be very tempted to start running SQL injection payloads, and that's what I'm trying to correct here. So before we even do anything, we can take various
approaches from this point. You may want to perform a directory brute force to see if there's any hidden directories, etc. And again I'm just going to be going through what I typically would do when I've seen interesting stuff like this here, and there's a reason for that. So the starting point I'm going to use is the URL itself, because this is very, very, very important. So I'm just going to put it into Mousepad here, and let me increase the font size so you can actually see this, and I'll explain why I'm doing this. So we have a URL; let me explain a couple of things. So this section, we obviously know the protocol, that's fine, but this could either be a domain name or an IP address, really doesn't matter. But this section here, and this one right over here, this represents or specifies, as you know, the domain or IP and the resource that's being accessed on the server, the resource being the file, right? So the file we're accessing is PHP, and in order for PHP to be executed you need to configure PHP on the underlying server and obviously the web server that supports PHP. But then what comes after it, and you'll typically see this with PHP-based web apps, you have a question mark and then it could be id or pretty much any other word in this case, and that's equal to 1. So this is the penultimate example of SQL injection used to again teach SQL injection, but we still need to dive a little bit deeper in here. So whenever you're dealing with URLs, and I know I'm explaining the structure of URLs here, we have the resource, and this resource is a PHP resource, and in this particular case what is id and why is id equal to 1? What does that mean, just again in the context of the functionality of the web application? So this collection here, or these two values, I'll not call them values right now, are what you refer to as the query string parameter, where id is the parameter or the parameter
name and 1 in this case is the value. So what is essentially going on is that this script or this resource, which is a PHP resource, looks like it requires a certain parameter and a value to be specified in order for it to do something. Now what is it doing in the web application? It looks like it's displaying images here. Now again we're not going to dive into the functionality of how this web app was programmed or developed, but that's what that means, and the reason this is important is because, again going back to my earlier explanation when I was referring to what you need to check for before you start testing for SQL injection vulnerabilities, what you need to check for is whether, and this can be a bit difficult but it's fairly easy, you need to identify whether the web application is using a relational database, regardless of the type, whether it's MySQL or PostgreSQL. And one of the ways this tells us that there is a relational database being used by this web app is because the id parameter, and again you'll see that this is very common with PHP, but the id parameter is commonly used to reference a specific record, and I'm sure you're aware of what records are in the context of databases, so it can be used to reference a specific record or item or row in a database. And again not always the case, but for the sake of this example, because the value of the id parameter is numerical, there's a very high possibility, and again in this case we don't know what it's referring to, but there's a very high possibility that the value of the id parameter represents, within the relational database, the unique identifier. Now, unique identifier of what, we don't know, probably images, but id equals 1 displayed two images, so that might not be entirely clear, so we can proceed with a bit of testing. But in this case it looks like the id parameter is used to specify a specific
page or display a specific image, and these pages or images are uniquely identified by the numerical value here. Now you may also see other instances where the value of id, or whatever parameter, can be in text format, and that's very important, because again you can also fetch data from a database with PHP using whatever attribute of a particular entry or record in a database. The point I'm making is this is arguably the simplest to understand. So all right, I've rambled for long enough, I'm pretty sure you know what to do, but the first thing you might be tempted to do is to see what this does. So if I, for example, change the id to 3, we can see it doesn't display anything, so it's most likely pointing to blog posts that again in this case just display images. If I go to 4, you get the idea, doesn't look like we have any entries; if I say 100, same thing, you get the idea. Now when testing for SQL injection, and again I know that this particular example is rudimentary, when testing, many people again may be tempted to go directly to the admin and/or login form and test it out there and start running payloads from GitHub. But the first thing you want to do is run a few tests to see whether there is a database, whether queries are being sent, and more importantly whether the queries that you are sending, that you're injecting into the value of the parameter, are being filtered or sanitized by the back end of the web application before being sent to the database to be executed. So the way web applications work in the context of databases is, when I hit or when I run this GET request, so I just hit enter, we're essentially asking the back-end PHP to reach out or to communicate with the database and fetch the data associated with this identifier, in this case I'm pretty
sure it's an identifier of a particular record. Now it's important to note that in properly developed web applications this identifier here, or this type of request that again allows for specification of an identifier or data that's going to be again sent to the database, the relational database in the back end, this needs to be sanitized or filtered in order to prevent guys like me or guys like you from injecting very weird things in here. Because remember, if it's not filtered, what PHP does in the back end is it says okay, this is the request, we need to connect to the database; there's always a config file that contains information on how to interact with the database, how to connect to it, so if it's a remote database you're going to have the IP address there, if it's localhost that's fine, the credentials, and it's pretty much going to execute an SQL query that selects a particular record, or information from a particular record, from a particular table in a particular database. And depending on how the web application is built and what the page does, it's going to do something to that data, so it can either display back the data or, if you're logging in, the query is essentially checking whether the user exists and the password matches. In this case it's clear that what is happening is the web application in the back end sends the SQL query to fetch, and what's sent back is an image, right, and that's what's displayed. So given that this is how this web application is working, and that the output of the query from the relational database in the back end is displayed on the page to a certain extent, we can start using the infamous single quote, where we would specify the value, and I'll explain what that does. And what we're trying to do here is to see whether errors from the
relational database in the back end, the errors, are actually being printed out, or again PHP is essentially printing them out for us, which again should not be done. So I'll hit enter, and there we are. So just by doing that I'm able to firstly confirm that we do have a relational database being used, or there is a relational database being used, by this web application, and secondly what we've just done here is error-based SQL injection. Now I'll explain these types as we proceed, and again you may be wondering why I'm ranting and rambling here, but it'll all make sense. So this is an SQL error, right? So you can see it says "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near" the quote here "at line 1". So what this is telling you, and again the web application has been built poorly because it doesn't know how to handle errors, there's no error handling, and the error is just printed out back to the user or reflected back. So this is again, as I said, known as error-based SQL injection, and in this case it's confirming that the value of the parameter id is where we can perform the injection from; it's just one input we can perform the injection from, and it doesn't look like there's any filtering being done by the PHP web application in terms of sanitizing special characters like single quotes, right? And that's typically what web application firewalls do: they filter these well-known attack payloads or special characters, regardless as to whether there's URL encoding or not. But so that then begs the question, and again this is the final thing I'll be explaining theoretically before we proceed, that begs the question, what exactly is the single quote doing? Now I'll explain this towards the end of the video, and I'll explain why that is the case or why I'm going to do that, and that's because we need to take a
look at an SQL query. But in essence, what that does, specifying a single quote in a URL parameter as we've just done here, as you've been able to see, often results in an error due to the way SQL queries are constructed and interpreted by the database. So again I'll explain what this looks like from the perspective of the SQL query and why the relational database is actually processing this here. And in essence what you're doing, or what this does, is it pretty much terminates or delimits the string literal. So what you're doing is sort of like in a Linux command: you're adding or appending another command to a command. So for example, if I were to say whoami, the single quote in the context of SQL, or the Structured Query Language, is a delimiter. So as you know, if I run that, that displays that, but I can also use operators like the && operator and then provide another command after that. And what the single quote does is it's essentially terminating the string literal for the preceding SQL query and then running whatever you specify after. So this is where you now specify your SQL query, that again if you're an attacker can either be used to fetch the tables within the database, extract information, so on and so forth. So hopefully that makes sense; as I said, we'll revisit this in a few seconds. All right, so now that we know that the target web application is indeed running a relational database, in this case it's MySQL most likely, and we have verified that the web application is vulnerable to SQL injection through the URL parameter, that being one example, what can we do? Well, now I'm going to walk you through the typical technique that you'll see. So you can go ahead and search for SQL injection payloads on GitHub or look for cheat sheets and look for various PoC payloads that
allow you to verify that this is the case. But this is where we have the use of the tool sqlmap, or SQL map, depending on how you want to pronounce it, and what I'm going to do here is I am just going to disable the transparency here, because I don't want to see what's behind this. So there we are, that's much better, so I'll now zoom in. And as you already know, you may have used sqlmap before, but you hit enter, it's pretty much the go-to tool for performing or automating SQL injection, and more importantly weaponizing the vulnerability, the SQL injection vulnerability you've identified, to then do things that an attacker would want to do, like extract data, list data, just view data, delete data from a database or particular tables, etc. Now you may be confused in the beginning on what exactly to do, but the way sqlmap works, or the way it tells you you should use it, is to provide the URL of the web application you want to test, but also include the resource, the parameter and the value that you'd like sqlmap to perform the injection on. Okay, so for example if I just run the default sqlmap -u for URL, and I'll just copy the URL here, and we'll just say this is id equals 1, not 100, we can leave it as 100 but, there we are, so I'll just copy this. This is what we want to test; we've already confirmed that id is vulnerable to injection, there's no sanitization, so typically this is your starting point: you just specify that, no other additional options, and that's fine. Let's see what sqlmap gives us. So sqlmap is going to throw out a lot of info, and it's important that you understand what sqlmap is telling you, and again I'll cover the manual techniques after, but there's something very important here. So you can see at the breakpoint here it says testing for SQL injection on GET parameter 'id', so GET, this is a GET
request it's obvious um the parameter is called ID so that is correct and then it says it looks like the backend dbms database management system is my SQL do you want to skip test payloads um specific for dbms's and this is very important because in um in other relational database Management Systems while they all use the structured query language to again get data delete data add a new record uh a lot of these rdbms's like my SQL Pogle Oracle uh have um or are uh have their own specific payloads uh just based on you know how they work and this is not related to the queries themselves but more so uh just the actual rdbms itself so for example uh enumerating the version info on my SQL or the enumerating the version of my SQL uh is very different in terms of the commands you type than what you do on an oracle uh you know on on an Oracle database so we'll just hit yes and th this is you know the primary advantage that you get with SQL map but you can see uh for the remaining test you want to include all tests for MySQL extending uh provided level one and risk one values uh so what this is asking or what SQL map is asking is do you want to run all tests now what all tests means is uh testing for various types of SQL injection vulnerabilities now I said I'll explain these because it's not uh it's very important that you understand or you you know you pretty much go through this uh empirically before you get into into the theoretical aspect but I just explained one um of those tests to you which is or SQL injection types which is um error based SQL injection now uh there's you know the other ones that you typically expect like Union based SQL injection uh which is essentially involves uh using or leveraging the union operator to combine results from two or more SQL statements um you also have you know a second category of uh SQL injection vulnerabilities which is blind SQL injection under blind SQL injection you're going to have your fan based blind SQL injection and 
time-based blind SQL injection, which are arguably two of the most common types of SQL injection vulnerability seen in real-world web applications today. So blind SQL injection is slightly different in terms of how it works and how exploiting the vulnerability works. In blind SQL injection, and again I'm just doing this to clarify it, what you're going to do is send a payload or a malicious SQL query that is either, and this is where you have the nuances of using Booleans, or Boolean-based queries, or time-based queries, but what you're doing is you're not monitoring the output. So as we did with error-based, we put in a single quote and we were able to see the output of that query. With blind, most web applications will not throw back an error, especially if it's coming from a database. So how do you know if the web application is indeed vulnerable, or that input is indeed vulnerable, and secondly, how do you know whether the query that you've injected is actually being processed by the back-end database management system or relational database? So in blind SQL injection you're injecting your SQL query wherever the input is, and instead of monitoring the output that is reflected back on the web page, you're observing the response of the web application in terms of, for example, time. So if you run a standard query like, for example, if we just run this one here, you can see the first thing would be identifying how long the web application takes to process legitimate requests, and then using a blind SQL injection payload that essentially sends a query that forces the database to wait or sleep for a specified period. If the response takes longer to load, in alignment with the sleep duration you specify, then you know that yes, this input is not being sanitized and, more importantly, the database actually processed that SQL query that contained the sleep command that told the database to sleep, which pretty much made the web application hang, and you're able to verify that. Aha.

All right, so we know that the web application is vulnerable to SQL injection. So when it asks as to whether you want to run all tests, it's also going to tell you the level and the risk values, and I'll explain that as we proceed, but I'll hit yes. What you'll start seeing here is, when we hit yes, it's going to start off with the generic inline queries. Inline or in-band SQL injection is the first category. So I mentioned two: we have in-band SQL injection and blind SQL injection. Under in-band SQL injection we have two techniques, we have error-based SQL injection and UNION-based SQL injection. Under blind, as I've already explained, we have Boolean-based SQL injection and time-based SQL injection. So when it refers to inline it's referring to in-band; that's why you have error-based, error-based, error-based here, and also inclusions of UNION. Let's see if it actually did this here. So there we are, you can see a few UNION tests there, and you can see it says the GET parameter id is MySQL >= 5.0 AND error-based, WHERE, HAVING, ORDER BY or GROUP BY, what's this, clause, is injectable. Then it's going to test some additional inline ones, so you can see the stacked ones are what you'd consider... so actually, hold on, MySQL inline queries here, we have stacked queries there, and then right over here we have the time-based one, so the sleep. You can see the parameter is vulnerable to SQL injection by using time-based blind payloads, and then you can see it's going to do the UNION tests here, so on and so forth. For pretty much all of these tests it looks like the parameter id is indeed vulnerable. So it tells us, yeah, the GET parameter id is vulnerable, do you want to keep testing the others, if any? We're going to hit yes. All right, and there we are. So at the bottom here, this is very important, it's separated using the separator there, but it says the back-end DBMS is MySQL. This is very important information. Don't worry about this error, but you can see unable to connect to the URL, blah blah blah. It gives us the web server operating system, Debian 6, the web server, the back-end DBMS, and it fetched the data logged, or whatever you saw on your screen, under the following directory. And yeah, I know this version of sqlmap is outdated, but if we just scroll to the section above that one, you're going to have this section here. So sqlmap identified the following injection points with a total of 48 HTTP requests. So it ran multiple tests or ran multiple payloads, so just think of sqlmap as a tool to automate the testing or use of those SQL injection payloads you typically see on GitHub or on cheat sheets or whatever. You can see these are all relevant to the parameter id using GET requests, because we're not posting, it's not a login form. But you can see Boolean-based blind, and then it provides you with the payload that was used, so id... and as standard with Boolean-based SQL injection, what you're doing is you're sending a SQL query to the database and simply appending or using a Boolean operation, which in most cases will be an equality; you're using a Boolean operation to, what's the best way of describing or explaining this, to return a different result depending on whether the query returns true or false. So in this case what we're saying is id equals 1 AND 8263 is equal to 8263, which again is going to be equal to true. We can actually take this payload here and see what that looks like in the context of this web application. So I'll just paste it in here: id equals 1... let me get rid of this duplicate id there. So we hit enter, and you
might be saying, well, what exactly is happening here? I didn't see anything. Well, what we're seeing is exactly what we should be seeing, in that we know this particular parameter is injectable, we know that the database is processing these queries, and we just provided a Boolean query that is always going to be equal to true. So if true, id equals 1 is going to be displayed, or that page is going to be displayed. Now if I say AND 8263 is equal to 8264, which is not the case, 8263 is not equal to 8264, what will happen? There we are. So because that is false, it doesn't display that. So you're essentially combining the initial query, which is getting the page associated with or that has the identifier of id 1, and then combining or using a Boolean operation to essentially see whether the application returns a different result. This is primarily very good for confirming SQL injection, especially when you're dealing with blind SQL injection. And then of course we tested error-based, and in this case it utilized quite a long payload here, and I think in this case it displays the version, I might be wrong, let's actually test it. So id 1, let me replace this here, and I know I'm taking time to explain this, but this will make sense. So there we are, you can see this displays duplicate entry for the group key, yeah. So error-based just displays an error, which confirms that. And then time-based blind: id equals 1 AND, then you can see SELECT 6999 FROM (SELECT SLEEP(5))... so if this parameter or the web application was vulnerable to SQL injection and, more specifically, let's say it was not displaying any errors and we wanted to use time-based SQL injection to see whether indeed it was vulnerable, then we would essentially monitor the standard response time when we make a GET request. So the PHP page with id equals 1, if I reload it, sorry, let me go back here, if I reload it, you can see it's almost instantaneous. And of course you can monitor this. If I go back, sorry, I don't really use Firefox anymore, where is it, More Tools... Ctrl+Shift+I, my bad, that's quite embarrassing, but there we are. So we take a look at Performance here and I'm just going to reload this, let's... sorry, let's stop that there. Okay, let's reload this here. So there we are, we can see that there, that logged. Let's try it again. Okay, a bit of change there, but yeah, for the most part. And let me stop recording that. You can actually see how long it takes right over here, and you're trying to see whether there's any deviation in the amount of time. In this case we expect this particular query to make the web application, or rather the database, sleep for 5 seconds before returning the result of the query. So copy, and we can now test it out. So actually let me see, we'll actually maintain this here... no, we don't want to toggle that. So let's actually bring this up here. Yeah, so id, let me replace that, so I will just paste this in here, and that looks okay. Okay, pay attention, look how long it's taking. So that's what time-based blind SQL injection is: you're just monitoring whether there's any deviation in the response time by specifying an SQL query that tells the SQL database, or the back-end database, to actually sleep or to delay the response, thereby confirming that the web application is vulnerable to SQL injection via this input, there's no sanitization, and whatever you're sending is actually being processed by the database. So we can actually compare that in the performance monitor here. I'm now going to start recording here and just pay attention, so I'll reload and you'll see that should equate to 5 seconds, actually longer, but there we are. From the initial request to... let's stop recording this here. So this was, there we are, so we can actually see this to the... yeah, so from this point, I would say, let's just be fair here, and you can see that there. So now, actually hold on, yeah, that was correct to the point when it was returned. And of course if we just see the call tree here you can actually see that a bit more clearly, one moment. So idle, idle, there we are. Actually let me get rid of that there. How do I unbind this? Oh, there we go, all right, much better, yeah. And I can then zoom out so you get the idea. And of course, let's take a look at the debugger here, actually no, let's go into the waterfall view here, there we go. And actually, just to confirm this, we can actually see the time taken: 5,000 milliseconds. If we now compare it to the standard query without the time-based payload, you'll see that speed here, that was nearly instantaneous, 3 milliseconds. Let's go back and I'll reload this here, there we are, we should see 5,000 milliseconds, therefore confirming that. So there we are. Anyway, this is the stuff that a lot of people skip over and I wanted to ensure that that is clear. So we also have a UNION query, which I'll not run. And from this point, if this is your first time or you're fairly new to sqlmap, this is where people start getting confused, because sqlmap gives you the payloads it used to verify that the web application, or that parameter, was indeed vulnerable to SQL injection, and it tells you the types here. But we can actually tell sqlmap to do some stuff for us. So for example, if I wanted to list out the databases with sqlmap, how would I do that? Well, in order to do that we use the infamous --dbs, so that's double hyphen dbs right over here. Let me just increase the font size and I will clear the screen. Now it will again perform the injection and then utilize specific payloads to extract information. In this case the information we're telling sqlmap to extract is the databases within
the MySQL database. So within MySQL we have the standard information_schema database, which is self-explanatory, and one called photoblog, which I assume is being used by the web application, namely Photoblog, no coincidence there. All right, that's fairly simple to understand. So what if we want to now extract info or view info that's stored in this database, because the databases have tables, right? Well, what can we do now? In this case we need to tell sqlmap to do something a little bit different. So we're now going to use the -D option (hyphen, uppercase D). This is going to allow us to specify the database that we want to interact with or extract information from. So if I say the name was photoblog, if I'm not mistaken, and I just hit enter, and don't worry, I'm doing this for a reason, you can see it doesn't display anything. That's because, if you look at what you just told sqlmap, you just told it okay, select this database, but you didn't tell it to do anything else. So you need to be very explicit. One thing you could do is --dump-all, for example, but there's also other options that you can use. Let's go with the standard --dump-all, and we can actually use the --batch option here, and don't worry, I'll explain all of this. Let's hit enter now, and --dump-all, as you probably would have guessed, pretty much does what it says: it dumps everything. So you can see, from where I kicked off, it will display the various tables in the database, and in this case it started off with, what's the name of the table, it's called pictures. You can see the web application, or the value of the parameter id, was the unique identifier of the record within the table here. So you can see id... id would print hacker, you can see cat is 2, so it's referencing another one, so it would also display another image that had the id of 2, and in this case the id of 2 corresponds to Ruby. So let's go ahead and open up id equals 1: you can see that there, Ruby, and the picture Cthulhu, which is a little bit weird. So there we are, id, cat... yeah, so by id it's actually reversed, my bad. So id, which is the identifier for the resource cat... so cat takes in an identifier using the parameter id, and it is actually referencing this here, this column here. This is what it is referencing; that's why when the value of the parameter id when using the resource cat.php is 1, it'll display Cthulhu and it'll also display ruby.png. Is that the case? Yes, it is. All right, so we're understanding stuff. If the value of the parameter id is equal to 2 when loading the resource cat.php, then it will display hacker.png. So that's one mistake I made when I was explaining this: I thought it was a unique identifier for the actual record or row within a table. So if I say 2, hacker is displayed. All right, so there we are. Anyway, proceeding on, all this information is being saved into the following directories here, and then it's going to fetch columns for the table users, so on and so forth. Yeah, it looks like there's another table called users with only one entry, and in this case the id is obviously going to be the unique identifier of the record, but we can see there's only one user, so the identifier will be 1, the username is admin, and the password has been hashed here, but it's provided in clear text here. So not great password security or hashing practices here, but again this is typically what you see with some of those outdated or old websites that constantly are victims of data breaches: they're either using very weak hashing algorithms or they're not using salts, or password salts. So we can actually try and log in now, and by the way, the login form could quite possibly be injectable. So if I specify a single quote for both, no error, but we can try and log in. So I'll say admin and I'll paste in the password there, and we log in successfully. We can actually see the pictures that were posted, so we can add a new picture, delete, so on and so forth. So, since our objective was to gain access to the underlying web server, I'm pretty sure you're guessing what I'm guessing: we can upload files. Are there any file upload filters? Well, the only way to find out is to find out. So just proceeding on here, and I'll get into some of the other options that you can use with sqlmap, but I just want to go through and get access to the underlying server. Let me see whether we have /usr/share... do we have... no, we should have this under webshells, /usr/share... we don't have it on this Kali Linux system, that's fine, I can always use my own Kali Linux system. This is probably where you want to do that as well. So let me just get out of full screen here, all right, and now on my own Kali Linux system, let me just... what I wanted to do was, let me open up a terminal, because I think I have the standard infamous PHP web shells. So cd /usr/share/webshells, there we are, we have php. Actually, hold on, let's just go in here, let's see whether I have it. So yeah, php-reverse-shell. So I can easily just copy the contents of this. Let me actually do that, so I'm just going to copy it: cp php-reverse-shell, and I'll copy it to my desktop, and let me check that out. So there we are, we'll just call it shell.php. Actually, I don't know why I'm doing that: mv php... shell.
php. All right, so let me just copy it, and you can again copy stuff to and from the attack box on Cyber Ranges, but save this on my desktop, shells, open. Yeah, so what we're going to be testing for now is fairly obvious: we're going to see whether we can upload files with any extension, in this case an executable extension. So I'm just going to bring this in here. Actually no, for some reason that did not... let me see if I can paste that in there. There we are, so you can use Ctrl+Shift+Alt, because the lab environment gives you RDP access via Apache Guacamole, so on your keyboard, when in the Kali Linux system provided to you, you can use the Ctrl, Shift and Alt keys to paste stuff in. So Ctrl+Shift+Alt, you can see that there, just provides you with a convenient way of doing that. And there we are, so I pasted it. We want to save this on the desktop, I'll just say shell.php, and make sure I set that to all files here so it will not change the extension. Let's see if it actually works. But first I want to change the IP here: we want to change this to the IP address of the Kali Linux system. So just going to zoom in. In this case the IP of the Kali Linux system in the Cyber Ranges lab is 192.168.125... let's see, point... I believe... actually, I can just check it out here, what am I doing... 00, so there we are, .200. And we'll just listen with netcat on 1234. So I'll go ahead and save this here, and now we can go back to the web application. We'll just call it test, and again we're just testing things. So there we are, shell.php. Let me set up my netcat listener: nc -nvlp 1234, the port. What's this, category? Very interesting, so we can add it to a category. Let's add this... no PHP. Ah, all right, so not as lucky as I thought I was going to be. So we can probably try a few tricks. Let's try the most basic, right, which is just to see what type of filtering there is: is it just the extension or file name filtering? Let me go to the desktop here, let's move, let's change the name to shell dot, let's say p, and the common trick, as you know, .php, like so, something like that. Let's try that out here. So okay, new picture, we'll call this bypass, and let's go ahead and try this out. By the way, did I start up my netcat listener? Let me make sure I do that, just don't want to miss anything. Let's add it. Ah, that worked. So if I now click on bypass picture, bypass... ah, okay, interesting, so I navigated to it. Oh no, actually that was executed, so interesting. And there we are, so we have access to the underlying server. Let me get a bash session. You can now perform your standard enumeration; I don't know whether we want to elevate our privileges, but do we have netstat installed? Let's get another session, I forgot, no job control. Go ahead and reload this, there we go. All right, so yeah, we pretty much got access to the underlying server, and now we can obviously try and navigate to the default directory used by Apache, /var/www/html. That's weird, cd /var... where's that stored? Oh yeah, this is Debian, and there we are, no html. And there we are, so we have index.php, admin. Let's go into admin, let's see what we have in here: index, login, new.php. I want to see whether we can find the credentials or the configuration file. So we have admin, all.php, cat, classes, css, images, index. We don't have it; it's probably in login most likely, yeah, probably. So we'll just go into admin and we'll just say login.php. Where is the connection to the database? classes/db.php, my bad. So there we are, cd classes, there we go, and cat db.php. The reason I'm doing this is important. So mysql, localhost, pentestlab and pentesterlab, so user pentestlab, password pentesterlab. The reason I'm doing this is because we're now going to log in to this MySQL database to show you what essentially happens when you put in, for example, that single quote, from a query perspective. So just give me a moment.

All right, I just realized that there's no real way of elevating privileges on the underlying server, although I tried to log into the MySQL database. Again, I could if I spawned a shell or used SSH to connect, and that's probably something I can cover in a follow-up video. So I want to end this episode of Pentesting Diaries by covering some techniques that I use in identifying SQL injection vulnerabilities, not to do with sqlmap, which again I'll probably make follow-up videos on, because I know this is not that extensive. But, as I mentioned, one of the techniques I use in automating, or during my workflow when finding SQL injection vulnerabilities or testing web application inputs, is obviously to take, for example, one of those lists of SQL injection payloads provided to you by SecLists, etc. And actually, I don't know whether we have this under /usr/share on the Kali Linux system, so let's say wordlists, /usr/share, do we have anything in here? What do we have in here? No wordlists. All right, so I'll actually show you what this would look like. What I'll do is, let me just exit full screen. All right, there we are, so I will download my VPN certificate, and I believe... what version, I think I'm
running the latest version. So I'll now use my own Kali Linux system to show you this, it's probably better. So I'll open up a terminal here on my Kali Linux system, so this is again on mine now. I'll go into Downloads and in here we have that, so I'll say sudo openvpn... this is the great thing about Cyber Ranges, you can use whatever environment you're comfortable with to do whatever you want. So there we are. Okay, so that means now from my own Kali Linux system I can say 192.168.125. ... what was the address of the target web server? 150. Just to test it out, there we are, works perfectly fine within my Kali system. So what I was referring to was automating the testing with a tool like Burp Suite. So for example, I'll just open up Burp Suite, and again using the Community Edition, don't judge me, this is not the VM I use for my work, but what I use for HackerSploit, hence the really cool wallpapers, by the way. Anyway, let's close this up here, quite a few windows opened. Anyway, so we'll go into the Proxy, I'll open up my browser, and I'll open up the Burp browser here just to keep things nice and simple. I'm going to show you how I would test either a parameter within the URL, or a URL parameter, or anything included in an HTTP request, regardless as to whether it's a GET or a POST, whatever input you're testing. So I'll say 192.168.125. ... I've forgotten the IP again, 150. So let me go back in here, 150, and I know you may be a bit confused with me switching back and forth, but let me switch to test, and there we are. So I'm now going to intercept and I'll reload this, sorry, I'll reload this there, and you can see... let me increase the font size here. User interface, display, yeah, I think let's change this to 18, actually no, that's the interface size, my bad. I think what we want is this right over here, where is the user interface or... display, appearance, scaling, huh, where is this? I believe, hold on a second, am I getting confused for nothing here? There should be a way to modify the HTTP request tab, table appearance, scaling. Wait a minute, it's Appearance, User interface, yeah, so I'm pretty sure this option was somewhere here, hold on a moment. Proxy settings, no, it's not there. I can't believe I've forgotten where this is, because I never usually modify it, because this was somewhere here. So Proxy, proxy settings, it should be in here, proxy... let me see, why is my Burp Suite slow today? Inspector, yeah, there should be somewhere here. There we are, it was just my fault, did not see it, but there we go. So what I can actually do is send this to the Repeater, which we already know we can use for manual testing. So for example, let me send that, we get the response, and then of course I can render it, and we can then test the single quote here to throw an error for error-based SQL injection, nothing too crazy. But if I go back into the Proxy here, let me go into the Proxy, and I send this into the Intruder, which we can use for fuzzing. I can specify this right over here as the payload, so I can add this as a position, so there we go, right over there. If we choose... and we'll have that inserted there. Let me just clear this out, so we can just say 1, and as you know we can just highlight the value there; obviously this is much simpler. So I can add that as a position, we'll use Sniper, and for the payloads, this is where you can now load the... if I go to /usr/share and I go into seclists, so I'm pretty sure you're familiar with SecLists, but we have in here Fuzzing, and under Fuzzing you have your SQL injection fuzzing lists, which essentially contain payloads that you can use to inject into any application input to test for various types of SQL injection vulnerabilities. So I can start the attack and then obviously you're going to be monitoring the response. So if we take a look at this one here, you can view the response, let me render, there we are. So in this case error-based SQL injection threw an error here, another error. In this case we don't get an error, but it looks like this was time-based, so if we take a look at the request here, you can actually monitor the performance, which I'll not do. Let's go to the next one here, so another. So pretty much this is how I test for SQL injection automatically using different payloads, or the payloads that I've not been talking too well about, but the ones on GitHub or the ones in SecLists. You can easily use a tool like Burp Suite to test specific application inputs, whether it be in the URL, etc. You can just set the parameter, or the value of the parameter, as the position for the payload, and then Burp will do it for you. And yeah, so we're pretty much getting or confirming that the web application is vulnerable, and that's what you want to do as a web app pentester or bug bounty hunter: you're just testing to confirm, a PoC pretty much, you're not doing anything malicious here. In any case, let me pause that there and let me terminate that, I want to discard that. And there you go, so that's one tip.

Obviously, I know this video has gone on for long enough, so thank you very much for watching. Do check out Cyber Ranges if you want to again go through this particular lab. I'll post a link to the Cyber Ranges platform as well as a link to this particular lab, which is SQL Injection to Shell, which as I mentioned can be found under the Community section, which are just free labs. So you'll find that in the description section of the video. There's other labs you can go through; as I said I'll be publishing others, again in the free section, and others on the Cyber Ranges platform. But yeah, there's a lot that you can check out. This was just a video to kick off this series and to get things going. Hopefully you enjoyed this series and the new format; as I said, I'll be making improvements to the video format and the transitions or the sections, and obviously illustrations to essentially aid your understanding of what's going on. But yeah, hopefully you enjoyed this video and found value in it. If you did, please leave a like down below. I'd like to hear what you think about the new video format, any suggestions for other episodes. I said I'll probably have a follow-up episode tomorrow, or 24 hours after publishing this video, on SQL, although I don't think that'll be too popular. There's a lot of exciting stuff that's coming up. Anyway, hope you found value in this video, and if you enjoyed the video leave a like, love to hear what you have to say. And yeah, great to be back, and I'll be seeing you in the next video. [Music]
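The Boolean-based and error-based checks the video walks through on cat.php?id=, the parameterized fix for that kind of numeric parameter, and the access-log signatures a defender would look for after an sqlmap run, as an added Python example that is not part of the video or the Cyber Ranges lab. The pictures table layout, the log lines and the use of SQLite as a stand-in for MySQL are all constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed rows loosely modelled on the 'pictures' table the video dumps
# (id, title, cat, filename). Not the lab's real data.
PICTURES = [
    (1, "Cthulhu", 1, "cthulhu.png"),
    (2, "Ruby", 1, "ruby.png"),
    (3, "Hacker", 2, "hacker.png"),
]


def make_db():
    """In-memory SQLite stand-in for the lab's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pictures (id INTEGER, title TEXT, cat INTEGER, filename TEXT)"
    )
    conn.executemany("INSERT INTO pictures VALUES (?, ?, ?, ?)", PICTURES)
    return conn


def list_pictures_vulnerable(conn, cat):
    """The bug the video exploits: the id parameter is pasted straight into the
    SQL text. The context is numeric, so no quote is needed and a value such as
    '1 AND 8263=8263' simply extends the WHERE clause."""
    sql = "SELECT filename FROM pictures WHERE cat = " + cat
    return [row[0] for row in conn.execute(sql)]


def list_pictures_safe(conn, cat):
    """Hardened version: validate the type, then bind the value as a parameter
    so it can never change the query's structure."""
    if not cat.isdigit():
        return []
    rows = conn.execute("SELECT filename FROM pictures WHERE cat = ?", (int(cat),))
    return [row[0] for row in rows]


def boolean_differential(lookup, conn, base="1"):
    """Boolean-based blind test as described in the video: one always-true and
    one always-false condition appended to the same base value. A difference
    between the two responses shows the database evaluated the condition."""
    true_resp = lookup(conn, base + " AND 8263=8263")
    false_resp = lookup(conn, base + " AND 8263=8264")
    return true_resp != false_resp


def error_on_quote(lookup, conn):
    """Error-based test: does a lone single quote break the query?"""
    try:
        lookup(conn, "1'")
    except sqlite3.Error:
        return True
    return False


# Defender side: the payload families sqlmap reported, as log-review signatures.
SQLI_PATTERNS = [
    ("boolean", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("time", re.compile(r"\bSLEEP\s*\(", re.I)),
    ("union", re.compile(r"\bUNION\b[\s\S]*\bSELECT\b", re.I)),
    ("error", re.compile(r"'")),
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_sqli(log_line):
    """Return the payload families found in one Apache-style access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group(1):
        return []
    query = unquote(m.group(1).split("?", 1)[1])
    return [name for name, pat in SQLI_PATTERNS if pat.search(query)]


# Constructed access-log lines: a normal request, then the three payload
# shapes (Boolean, time-based, lone quote) seen in the sqlmap output.
LOG_LINES = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cat.php?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /cat.php?id=1%20AND%208263%3D8263 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /cat.php?id=1%20AND%20(SELECT%206999%20FROM%20(SELECT(SLEEP(5)))x) HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:08 +0000] "GET /cat.php?id=1%27 HTTP/1.1" 500 300',
]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable differs:", boolean_differential(list_pictures_vulnerable, db))
    print("safe differs:", boolean_differential(list_pictures_safe, db))
    print("vulnerable errors on quote:", error_on_quote(list_pictures_vulnerable, db))
    for line in LOG_LINES:
        print(flag_sqli(line) or "clean", "<-", line.split('"')[1])
```

With the parameterized version both probes return the same empty result and the quote raises nothing, so neither the Boolean nor the error-based check has anything to observe.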