SQL Injection - Lab #12 Blind SQL injection with conditional errors

  Views: 14,817

Rana Khalil

Day ago

Comments: 43
@RanaKhalil101 3 years ago
Interested in supporting me and gaining early access to the Web Security Academy videos when they're recorded? Consider buying my course: academy.ranakhalil.com/p/web-security-academy-video-series! ✨ ✨
@RanaKhalil101 3 years ago
After recording the video, I realized the SQL payload can be much more simple. We don't need a CASE expression in order for it to work. The following is the alternative payload: ' || (select TO_CHAR(1/0) FROM users WHERE username='administrator' and SUBSTR(password,1,1)='a')|| '
@deletedaccount2580 3 years ago
Great explanation ma'am, keep it up
@hackadvisermxyt 3 years ago
Effectively, that way works too. On the other hand, in the GitHub notes, the last query appears as substr(password,,1)='a') instead of substr(password,1,1)='a'), but in the video it is OK. Thanks, congratulations, amazing content.
@padaloni 3 years ago
Hi Rana. Any chance you could explain how the concatenation works here? I get it when concatenating username and password for output, like in your previous vids, but I can't quite figure out how it works as part of a select statement. I imagine the query looks something like this, which doesn't make sense to me: select TrackingID from tracker where TrackingID = 'ddd' || (select '' from users where rownum=1) || '
@RanaKhalil101 3 years ago
@padaloni Yup, you're correct, the query would look similar to what you mentioned. To better understand it, I would recommend either installing an Oracle database or using this link to run the following queries: livesql.oracle.com/.
Query 1: select 'a' from dual where 'a'='a' -> This outputs the letter 'a' because the where clause is true.
Query 2: select 'a' from dual where 'a'='a' || (select 'b' from dual) -> This outputs nothing b/c the where clause is no longer true.
Query 3: select 'a' from dual where 'a'='a' || (select '' from dual) -> This outputs the letter 'a' b/c we're only concatenating a True with an empty string and so the where clause still evaluates to True.
In a similar way, if the questions we are asking the application in the exercise evaluate to True, then it outputs nothing which doesn't break the where clause / SQL query.
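The three queries from the reply above, together with the tracker query from the question, as an added example that is not part of the original comments. It assumes SQLite in place of Oracle (no `from dual`, and `limit 1` instead of `rownum=1`), uses constructed `tracker` and `users` tables, and contrasts the concatenated query with a bound parameter.

```python
import sqlite3

def build_db():
    # Constructed sample data; table names follow the query in the question.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tracker (TrackingID TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO tracker VALUES ('ddd');
        INSERT INTO users VALUES ('administrator', 'constructed-sample');
    """)
    return db

def reply_queries(db):
    # Query 1-3 from the reply. || binds tighter than =, so the right-hand
    # side is concatenated first and then compared with 'a'.
    queries = [
        "SELECT 'a' WHERE 'a'='a'",                  # 'a' = 'a'
        "SELECT 'a' WHERE 'a'='a' || (SELECT 'b')",  # 'a' = 'ab'
        "SELECT 'a' WHERE 'a'='a' || (SELECT '')",   # 'a' = 'a'
    ]
    return [db.execute(q).fetchall() for q in queries]

def lookup_concatenated(db, cookie):
    # Vulnerable pattern: the cookie value becomes part of the SQL text, so
    # its quote ends the literal and the subquery runs as SQL.
    sql = "SELECT TrackingID FROM tracker WHERE TrackingID = '" + cookie + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, cookie):
    # Mitigation: the cookie is passed as data and compared as one literal.
    sql = "SELECT TrackingID FROM tracker WHERE TrackingID = ?"
    return db.execute(sql, (cookie,)).fetchall()

# The value from the question, adapted to SQLite (limit 1 for rownum=1).
COOKIE = "ddd' || (select '' from users limit 1) || '"

if __name__ == "__main__":
    db = build_db()
    print(reply_queries(db))
    print("concatenated:", lookup_concatenated(db, COOKIE))
    print("bound:       ", lookup_bound(db, COOKIE))
```

With concatenation the comparison becomes `'ddd' || '' || ''`, which is why the trailing `|| '` is needed to pair with the quote the application appends; with a bound parameter the same value matches no row.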
@padaloni 3 years ago
@RanaKhalil101 Thanks so much for the explanation. I think I get it now, and I'll have a play on livesql ❤
@youtalkify 1 year ago
I love it when Rana says "Here we go". Thanks Rana for your videos. Helps us a lot.
@martinflavell3045 6 months ago
Amazing tutorial, thanks a million Rana!
@tylercouch4763 2 years ago
Thank you, Rana, you explain things so well, more so than every video about SQLi! Please keep it up!
@nanabrightatsiatorme1348 4 months ago
Thank you Miss Rana, your videos have been helping me a lot
@fatinsirat5372 3 years ago
Assalamu Alaikum! Just to let you know that you're awesome :) . Keep up the good work mate!
@thepetiteotaku 1 year ago
I don't fully understand why we have to concatenate before AND after the select SQL query that we are running? Why can we not comment out anything else that comes after our query?
@Esola11 3 years ago
YOU ARE THE BEST!!! thank you so much for your time and efforts doing all this.
@codebeta_cr 3 years ago
Thanks for making such useful content. Did learn a couple of new things that made the script I was working on a lot better. The part of using the decimal value for a character fixed the issue I had where the # character would generate the error and the script would return that as the character.
@snipeSec351 3 years ago
Thank you very much for sharing with us, great explanation. If I may, why did you use the || symbol in this injection and not "AND", compared to Lab #11?
@manojkatkar1132 1 year ago
I like the detailed way you showed everything, how to conduct penetration and the Python logic. I would like to learn more about cyber security. Can you help?
@missclaptrap 1 year ago
@RanaKhalil101 hello! Thank you so much for these videos! I'm learning so much and it's super exciting. I wondered if you'd mind doing an explanation on how to set up the lab environment to be accessed via the VScode terminal? I'd like to start being able to do that but I'm not sure how. Thank you so much!
@lifeofsq5653 1 year ago
Hi, as I remember, for blind SQLi the error is not returned in the application response, but in this one the error is given on adding the ' character. We could have used UNION, but why have we used conditional responses?
@jackyazul3110 3 years ago
Guys, if this error occurs: "ValueError: check_hostname requires server_hostname", download urllib3: pip install urllib3==1.25.11. It worked for me :)
@dinderint 3 years ago
my man doing god's work here. thanks!
@cheikhelghawthe8868 2 years ago
THANK YOU!
@Kdaddyis 3 years ago
Ma'am, why is the script not working on my system?
@cybersec-radar 3 years ago
I am trying to find a way to extract the username as we extracted the password, because a lot of times admin, administrator, root etc. usernames don't exist... Need help, or please make a video on that if possible. Thanks a lot.
@gergelydetar1946 3 years ago
Why do we need the second || expression?
@Zephyr-tg9hu 3 years ago
It's there to concatenate the ' and close the other apostrophe when the query is executed
@Pentester_cybsec 7 months ago
How to determine table and column names in a real situation? This lab provides the table and column names with the username data. But in a real situation we need to find table and column names manually. Please teach me how to write the query to find table and column names for this blind error-based SQL injection.
@harshadreddy725 6 months ago
Check the labs before this. There you have to find the table name and column name yourself.
@AliKhan-om5st 3 years ago
Why are you using double pipes instead of AND operator?
@kbhushan12 2 years ago
Because she is concatenating not ANDing. Reason being, when you concatenate 'something' with NULL/Blank, you get 'something' back.
@hibohi 2 years ago
I tried the last step and noticed that I would be able to get the correct response if using substr() but it wouldn't work if using substring(). Anyone know why? I know in previous videos Rana used substring().
@therelatableladka 1 year ago
Because what we are dealing with is an Oracle database, and the substring keyword in it is substr(*,*,*). You can check the database by using union in the parameter. Query: ' union select banner from v$version--
@hibohi 3 years ago
Can anyone please explain why the following doesn't produce an error? Since the user 'administratorzxcxzcz' doesn't exist, I would think this should produce an error? '|| (select CASE WHEN (1=1) THEN TO_CHAR (1/0) ELSE '' END FROM users where username='administratorzxcxzcz') ||'
@hibohi 3 years ago
Ah, I think I figured it out... "The application does not respond any differently based on whether the query returns any rows."
@ankitparajuli5663 3 years ago
Hey buddy! In an Oracle database, the FROM statement runs first and checks whether the users table exists, and after that it checks whether the username is admiisdfsdfgsdf. If this user doesn't exist, then the CASE statement will not run, so it doesn't produce any errors.
@sudipdutta9349 3 years ago
trakingid' and 1=2-- This doesn't show an error message... why?
@kbhushan12 2 years ago
Because injecting different Boolean conditions makes no difference to the application's responses.