officer i swear what i did wasnt illegal, i gave myself permission to rob him!

@@elisttm ok ur free

XDDD

@@elisttm this reads like a privilege escalation exploit lol

I'm using it

what that means ?

oh now that makes sense :D Thanks

Being the pedantic developer I am, it's more like XML since HTML doesn't support a tag.

What are u doing here if u don't know that?? lol

@@sirturnables learning.

Well, at least you would be able to win your own money. Thats more than what can be said for some married / divorced folks.

You’re pretty damn right m8

mmmMM the court fee and if you have 1000 iq your lawyar takes about 30%

Then become mr robot

Write it off as a tax deduction.

Hehehe... funny. It's like the first Unix systems where you couldn't have a user named "Ed".

@@bsvenss2 Would it start the editor?

@@karldavis7392 it would lol

Underrated

Interesting and informative, but the other guy is almost as basic as "So, what's that in front of you? Is it a computer?"

lowkey joke

You just wasted 2 years

@@sachinfulsunge9977 hahaha

Prince Benny it’s usually not their fault. Having worked with Tech Mobs for the Gold Coast commonwealth games, it’s just how IT dudes are and there is actually a job for people to take what the IT guy says and explains it to the project manager in a way that makes sense.

Yeah he's a great teacher too

Or with a foreign accent so heavy you can't even tell they are speaking English.

Yeah we do 😎

Yes we are

He's the cool version of Peter Parker, from Spiderman 3

Underrated post

I thought I was the only mofo thinking he looked like Peter Parker from Spider-Man 😂

Or Frodo from the lordof the rings

FRODO!

Both.

releasing the information is illegal.

attacking someone without their permission is illegal by law making shitty apps is illegal by community

Making your application insecure towards attacks and putting your user's sensitive informations at risk of being stolen and released is illegal. @jan harald: What is "illegal by community" supposed to mean?

I wonder if you could change your legal name to that.

Got Same feelings haha

i feel attacked

Just came back after 5 years and I'm second year into IT

I noticed his excitement as well.

I loved when he nervously asked...so where are u typing that now....as if the whole world was going to blow up >^

you know he probably knows but he just asks for the content right?

He knows

at least he's willing to learn

That's what he did

Imagine he has schizofrenia and fires a lawsuit against himself.

Or simply changes his mind.

*Mr. Robot intesifies*

😂

That sounds more like xss than sql injection

You need some of that htmlspecialchars(), a stripslashes() and str_replace()

htmlspecialchars() for the output as xss protection. in case of php & mysql it would be mysql_real_escape_string() against sql injections in quoted values. but people shouldn't think they would be save when just using these functions. someone can do an sql injection without using any control chars at all if you didn't put quotes around the variable in the query: for example "SELECT * FROM posts WHERE postId = $postId"... the value of $postId could just be "1 UNION (SELECT 1, 2, 3)-- " without any quotes. in this case you would be save with casting the variable to an int, but best practice in general is using prepared statements.

meh, forgot about the ; in the example injection - but you get the point... use prepared statements / stored procedures :-)

No, it is a SQL injection attempt, not an XSS attack, the hacker was using the comments form as a gateway to the database, just like Michael in the video used the search box to send malicious queries. The difference is a comments form will store those requests as comments while a search box doesn't store search queries.

Just wait until you learn MySQL and Javascript. Then you'll be able to learn some very interesting things.

BlackenGames lol, I can program in over 20 languages, including those two. The point is not to learn them, but to learn against them. Possible weaknesses you have to remember when programming.

>Javascript When I'm feeling like a masochist perhaps.

Blaze I really hate Javascript, but you should try typescript. I have made my peace with javascript that way

SuperManitu1 Then you should be able to exploit things easily. I don't know how to program in a lot of languages. Only 2 and I know how to do some nice exploits.

Travis Petit probem is, you should rather imagine that names of people would contain else than alphabet (numbers and symbols)

Why is PHP better then Python please?

^^^^^^^^^^

US government sites use Drupal which uses PHP, so US government actually uses PHP

my birth name is actually ':-- DROP DATABASE

Only criminals need search boxes.

The best defence is to take down your own website, destroy your computer, isolate yourself from technology & civilisation and go live in the woods.

No client can't hack you if you have no clients #LifeHack @@saeedbaig4249

Nah, silly lol Just ban "UNION" from your search box...

From memory it's possible to use your browser search bar to run an SQL query

😂😂😂

John Doe FAV hahahahaa

😂😂😂

WTF HOW DID YOU GET NSA OUTSIDE YOUR HOUSE OBVIOUSLY YOU UNDERSTOOD THE INSTRUCTIONS ARE YOU IN PRISON NOW?

blackham7 wooosh

oh snap i've been pronouncing it incorrectly

Us in the UK dont tend to prononce it sequel...

@@jackrogers1115 Well isn't Tom Scott from the UK, though? You see, he's the one in question who tends to do so.

@@13am22 what

In the uk, we tend to say s q l, not sequel. Thats what i'm say. And yes hes from the uk

peas give me website address and permission to practice pen test

@@211212112 This was well over 10 years ago. That website no longer exists.

anti/HUMAN Designs :(

Baldeep Birak so what website you run.? Asking for a friend lol

Cheeky.

Hey now, let's none of us go Ball Deep on Baldeep.

mind if I take a look on your website?

@@Rosson311 but even as a joke you shouldnt try it cause when police will be at your door ,it wont hold honestly. like, i go with a knife at your house and you call police and i tell them 'oh ,its was just a joke,for fun,didn't mean to do anything'. not so sure someone will bite that even if it would be truth.so yea, don't even think to try just to see if it works.you would be the dumbest hacker in that jail yard.

Wordpress has never been secure in any way And it should never be used commercially

Iceborn Gauntlet probably you.

Chase Brower no, not just me. EVERYONE.

Frank zapper

you don't go to jail if you never try to learn this stuff. * makes the meme face *.

That's what Hillary told me.

XD

What was the salt?

The whole hash is $1$V32.4G/.$0PKnjhXYUmYLJZZ8vEt/b/ so i guess the salt is 'V32.4G/.'. I'm not familiar with the format of md5, but in bcrypt that would be the salt.

vinkuu So, essentially, if you get into the database, you can use the salt that is with the password to crack it by brute forcing it?

Yes correct. And that is the reason md5 is considered a bad choice of hashing algorithms to use for hashing passwords. It's very fast to brute force md5 hashes compared to eg. bcrypt with a cost setting of 15. It directly equates to cost (€) of the brute force cracking setup.

Or just type in administrator??????

rchandraonline I know of that site, but this is a full in depth explanation as to exactly how it works.

I will name my son as Little Bobby Tables

I suddenly remember a man named "null"

Where's the "Students" table?

Oh, I love that comic. "Oh little Bobby Tables, we call him."

Funny haha

LOL I miss-typed 2 instead of 3 hahaha

Bobby Tables would be proud of you!

Little Bobby Tables!! :)

2rd ? "secord" ? :))

CuZoSky twoerd

Juan2003gtr why are you calling him a noob?

Like gambling.

here to remind you of that unfinished cube lol

😭

Product name: G E O R G E

actually underrated 😂

Oof 😅

SurprisedPikachu.jpg

"anyway..."

If you're still learning PHP, SQL and all that stuff and didn't already - please have a read on PDO and prepared statements. It's the "new" easy way of dealing with everything. :)

make it return what they would want to see, but the wrong information. a fake error or a fake full table

Thats bad

:D

OMG...

Only if the account has been granted DROP permissions. For a site that just shows records it should only be created and given SELECT permission.

+Chris Ellis Do you really think someone who isn't going to escape user input, would think about that? Because I honestly don't.

but did you though?

I got executed for MITM attack.

I got a two days torture for changing the input type from password to text

I got sentenced lethal injection for typing on console

@@sieghart0515 I did a year and a half for getting on my teachers computer, taking a screenshot of his desktop, saving that screenshot as a jpeg then making that his desktop background... then removing his shortcuts and lowering his task bar.. so no matter how much he clicked, he got no where.

Depends on the school were you at.

Totally agree.

That wasn't alway a thing before sadly. As of today, it's the only way to go basically. :)

Ur joking, right? :)

@@romankrivocheev4434 Yes. But i saw some people in the wild who actually think that way :D

Or just use Tor

@@ItsAstie `would that work tho?

On a serious note does using free vpn work?

Coming soon - using a 4x Titan X GPU server ;)

Usually you need to find out what type of hash they use. Then you could try a dictionary attack. Have a program try each word until the hashed value = the one you got.

md5 :)

I think you're misunderstanding what salting does, you can reverse lookup a hash by having a list of hashed common words/used passwords, lists of billions upon billions of possible passwords...what salting does is change each hash with a "salt". So having two of the same passwords would produce two different hashes, thus making reverse lookup a less likely decryption method.

Is this the actual Michael from the video. If it is I'm happy you're reading the comments. These videos have been quite refreshing on computerphile.

Abbass: you'r right! That cross my mind too! :)

That would be pointless, first injection could be command to drop all tables and there would be nothing in the database and no fun for others. You can download XAMPP and create a simple database like this and do all queries like that inside web interface for PHPmyadmin on your own computer without even creating a separate website.

well if he would put it up somewhere, it could be taken down pretty easily in seconds: someone drops all tables, and voila, you can't even do anything anymore. This is like putting a bottle out on the street for everyone to break, if someone breaks it at first, then noone else can do it anymore because it's already broken.

Yeah I realized very soon after posting that comment that it would have to be "refreshed" very often or just done so that it doesn't break for everyone and basically would be a pain in the ass to do.

Actually you can write your own script to do it. It's really just basic coding.

Check out hackthissite.org, they have some easy and some hard websites for you to hack into!

i guess it would work but it would make the search engine much less accurate. either that or you'll be writing 300 tags for every item. It also can't work in every search box, what if you're searching for a student by name, or a movie?

Yeaa haha I don't have the paid version though😭

@@ankithabhayan324 you can use VScode. It's better than Sublime text in my opinion.

Rohith R Pai I like atom I don’t pay for sublime either

@@RohithRPai but isn't vs code a heavy ide? My pc is potato with 1gb ram.

@@ankithabhayan324 oh man... With 1gb RAM I would go with vim or emac. But VScode (not Visual Studio IDE) is a not an IDE. It's a general purpose text editor that can act like an IDE with right extensions. I switched from Sublime text to VScode about 2 years ago. Haven't looked back since.

Amazing band

take my like hahahaha

I'm serious tho.

sublime text

Atom is better

Seriously

🤔

Whats that, a text editor? And the letters that you type on this key device appears on it ? Fantastic !

Maybe the best thing to do is to ignore the comment. Though, more better way of dealing with it is , maybe, to thank that "basic" guy for the work he is doing.

@@mbarekzacri4973 he could do better thats what the comments wants to say

Are you talking about Tom Scott?

He asked it for the audience. He run this channel. Obviously he would know about Sublime text.

yeah, I hate it when I accidentally hack a database.

per

yeah it may seem like a joke but in reality breaking into your own house can land you in jail.

@@Sharpless2 wait wtf