Interested in supporting me and gaining early access to the Web Security Academy videos when they're recorded? Consider buying my course: academy.ranakhalil.com/p/web-security-academy-video-series! ✨ ✨
@RanaKhalil101 3 years ago
After recording the video, I realized the SQL payload can be much simpler. We don't need a CASE expression in order for it to work. The following is the alternative payload: ' || (select TO_CHAR(1/0) FROM users WHERE username='administrator' and SUBSTR(password,1,1)='a')|| '
@deletedaccount2580 3 years ago
Great explanation ma'am, keep it up.
@hackadvisermxyt 3 years ago
Effectively, that way works too. On the other hand, in the GitHub notes the last query appears as substr(password,,1)='a') instead of substr(password,1,1)='a'), but in the video it is ok. Thanks, congratulations, amazing content.
@padaloni 3 years ago
Hi Rana. Any chance you could explain how the concatenation works here? I get it when concatenating username and password for output, like in your previous vids, but I can't quite figure out how it works as part of a select statement. I imagine the query looks something like this, which doesn't make sense to me: select TrackingID from tracker where TrackingID = 'ddd' || (select '' from users where rownum=1) || '
@RanaKhalil101 3 years ago
@@padaloni Yup, you're correct, the query would look similar to what you mentioned. To better understand it, I would recommend either installing an Oracle database or using this link to run the following queries: livesql.oracle.com/. Query 1: select 'a' from dual where 'a'='a' -> This outputs the letter 'a' because the where clause is true. Query 2: select 'a' from dual where 'a'='a' || (select 'b' from dual) -> This outputs nothing b/c the where clause is no longer true. Query 3: select 'a' from dual where 'a'='a' || (select '' from dual) -> This outputs the letter 'a' b/c we're only concatenating a True with an empty string, and so the where clause still evaluates to True. In a similar way, if the questions we are asking the application in the exercise evaluate to True, then it outputs nothing, which doesn't break the where clause / SQL query.
@padaloni 3 years ago
@@RanaKhalil101 Thanks so much for the explanation. I think I get it now, and I'll have a play on livesql ❤
@youtalkify 1 year ago
I love it when Rana says "Here we go". Thanks, Rana, for your videos. They help us a lot.
@martinflavell3045 6 months ago
Amazing tutorial, thanks a million Rana!
@tylercouch4763 2 years ago
Thank you, Rana, you explain things so well, more so than every video about SQLi! Please keep it up!
@nanabrightatsiatorme1348 4 months ago
Thank you Miss Rana, your videos have been helping me a lot.
@fatinsirat5372 3 years ago
Assalamu Alaikum! Just to let you know that you're awesome :). Keep up the good work mate!
@thepetiteotaku 1 year ago
I don't fully understand why we have to concatenate before AND after the select SQL query that we are running. Why can we not comment out anything else that comes after our query?
@Esola11 3 years ago
YOU ARE THE BEST!!! thank you so much for your time and efforts doing all this.
@codebeta_cr 3 years ago
Thanks for making such useful content. I did learn a couple of new things that made the script I was working on a lot better. The part about using the decimal value for a character fixed the issue I had where the # character would generate the error and the script would return that as the character.
@snipeSec351 3 years ago
Thank you very much for sharing with us, great explanation. If I may, why did you use the || symbol in this injection and not "AND", compared to Lab #11?
@manojkatkar1132 1 year ago
I like the way you showed everything in detail, how to conduct the penetration and the Python logic. I would like to learn more about cyber security. Can you help?
@missclaptrap 1 year ago
@RanaKhalil101 hello! Thank you so much for these videos! I'm learning so much and it's super exciting. I wondered if you'd mind doing an explanation on how to set up the lab environment to be accessed via the VS Code terminal? I'd like to start being able to do that but I'm not sure how. Thank you so much!
@lifeofsq5653 1 year ago
Hi, as I remember, for blind SQLi the error is not returned in the application response, but in this one the error is given on adding the ' character. We could have used UNION, but why have we used conditional responses?
@jackyazul3110 3 years ago
Guys, if this error occurs: "ValueError: check_hostname requires server_hostname", download urllib3: pip install urllib3==1.25.11. It worked for me :)
@dinderint 3 years ago
My man doing God's work here. Thanks!
@cheikhelghawthe8868 2 years ago
THANK YOU!
@Kdaddyis 3 years ago
Ma'am, why is the script not working on my system?
@cybersec-radar 3 years ago
I am trying to find a way to extract the username as we extracted the password, because a lot of times the admin, administrator, root etc. usernames don't exist... I need help, or please make a video on that if possible. Thanks a lot.
@gergelydetar1946 3 years ago
Why do we need the second || expression?
@Zephyr-tg9hu 3 years ago
It's there to concatenate the ' and close the other apostrophe when the query is executed.
@Pentester_cybsec 7 months ago
How do you determine table and column names in a real situation? This lab provides the table and column names along with the username data. But in a real situation we need to find table and column names manually. Please teach me how to write the query to find table and column names for this blind error-based SQL injection.
@harshadreddy725 6 months ago
Check the labs before this. There you have to find the table name and column name yourself.
@AliKhan-om5st 3 years ago
Why are you using double pipes instead of AND operator?
@kbhushan12 2 years ago
Because she is concatenating not ANDing. Reason being, when you concatenate 'something' with NULL/Blank, you get 'something' back.
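The three dual queries in @RanaKhalil101's reply above and the NULL concatenation point in @kbhushan12's answer can be reproduced end to end. The following is an added example, not code from the video or its notes: it uses Python's built-in sqlite3 rather than Oracle, with a constructed tracker/users schema whose table and column names are assumptions, and shows how the ' || (subquery) || ' fragment is glued into a string-built query and why a bound parameter neutralizes it.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's database. The table and column
# names are assumptions made for this example, not the lab's real schema.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE tracker (TrackingId TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO tracker VALUES ('ddd');
        INSERT INTO users VALUES ('administrator', 'constructed-secret');
    """)
    return con

def lookup_vulnerable(con, tracking_id):
    # The cookie value is pasted into the statement, so a value containing
    # single quotes closes the literal and appends SQL to the WHERE clause.
    sql = "SELECT TrackingId FROM tracker WHERE TrackingId = '" + tracking_id + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, tracking_id):
    # A bound parameter is always one string value, quotes and all, so the
    # same input is compared as data and never parsed as SQL.
    sql = "SELECT TrackingId FROM tracker WHERE TrackingId = ?"
    return [row[0] for row in con.execute(sql, (tracking_id,))]

def demo():
    con = make_db()
    # 'ddd' || '' || '' == 'ddd': a subquery yielding '' keeps the WHERE true.
    empty = "ddd' || (SELECT '' FROM users WHERE username='administrator') || '"
    # 'ddd' || 'b' || '' == 'dddb': any non-empty result breaks the match.
    nonempty = "ddd' || (SELECT 'b' FROM users WHERE username='administrator') || '"
    # No matching row: the scalar subquery is NULL. SQLite propagates NULL
    # through ||, so nothing matches here; Oracle treats NULL as '' in
    # concatenation, which is why the lab query still matches in that case.
    missing = "ddd' || (SELECT '' FROM users WHERE username='nobody') || '"
    return {
        "vuln_plain": lookup_vulnerable(con, "ddd"),
        "vuln_empty": lookup_vulnerable(con, empty),
        "vuln_nonempty": lookup_vulnerable(con, nonempty),
        "vuln_missing": lookup_vulnerable(con, missing),
        "safe_plain": lookup_safe(con, "ddd"),
        "safe_empty": lookup_safe(con, empty),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} -> {rows}")
```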
@hibohi 2 years ago
I tried the last step and noticed that I would be able to get the correct response if using substr() but it wouldn't work if using substring(). Anyone know why? I know in previous videos Rana used substring().
@therelatableladka 1 year ago
Because what we are dealing with is an Oracle database, and the substring keyword in it is substr(*,*,*). You can check the database by using union in the parameter. Query: ' union select banner from v$version--
@hibohi 3 years ago
Can anyone please explain why the following doesn't produce an error? Since the user 'administratorzxcxzcz' doesn't exist, I would think this should produce an error? '|| (select CASE WHEN (1=1) THEN TO_CHAR (1/0) ELSE '' END FROM users where username='administratorzxcxzcz') ||'
@hibohi 3 years ago
Ah, I think I figured it out.. "The application does not respond any differently based on whether the query returns any rows."
@ankitparajuli5663 3 years ago
Hey buddy!!! In an Oracle database, at first the FROM statement will run and it checks if the users table exists or not, and after that it checks if the username is admiisdfsdfgsdf. If this user doesn't exist, then the CASE statement will not run, so it doesn't produce any errors.
@sudipdutta9349 3 years ago
trakingid' and 1=2-- This doesn't show an error message... why???
@kbhushan12 2 years ago
Because injecting different Boolean conditions makes no difference to the application's responses.