Web App Penetration Testing - #8 - SQL Injection With sqlmap Video Lecture | Get to know Ethical Hacking (English) - Software Development

[Music]
hey guys hack is Floyd here back again
with another video and welcome back to
the web application penetration testing
series in this video we're going to be
looking at SQL enumeration with SQL map
all right so we're going to be focusing
on the format that I explained to you
guys link to you guys in the previous
videos in the series where we'll be we
will be following following the wasp top
10 format all right and if you don't
know what I mean
right now as you can see on my screen I
have the material day open which is what
we're going to be using and if you go to
the or top 10 you can see that the first
section is injection and we're going to
be looking at extraction of data or
enumeration of databases and how to dump
databases good stuff like that we'll
then move on to cross-site scripting and
then we're looking at a session
management CSRF so on and so forth
alright so we'll be following the earth
top 10 format so let me just explain to
you the environment that we're going to
be using so we are using Metasploit able
to as our vulnerable operating system
that does have motility pre-installed if
you want to install motility locally you
can go ahead and do that as for the
penetration testing distribution I'm
using candy Linux okay so let me now
explain or let me just tell you the
tools that we'll be using will be using
SQL map and we'll be using burp suite so
you might be a little bit confused and
you might be wondering if we aren't
performing any injection or
brute-forcing
why do we need a burp suite or an
intercepting proxy the reason is is will
be using web suite to capture a request
a request that will be then used in SQL
map to enumerate the database in the
first place okay so let me just explain
now what a why SQL SQL injection or the
SQL a why SQL is really is really
vulnerable when it comes down to
websites now well for you can keep it
really simple and let me explain why
this happens in the first place so
in the most cases one would find that
SQL injection is very very common
because the site is not monitoring user
input and they are able to enter in
values that can then either enumerate
delete or add of value to the database
which as you know can be very very
dangerous now we are going to be using
SQL map as our primary tool like let me
explain what SQL map does because a lot
of people have a few misconceptions
about it and they really don't
understand what it does SQL map
essentially automates the in from the
reconnaissance and the exploitation of
database all right so its purpose is to
print out or enumerate the databases
that currently exist and to help you in
the exploitation of these databases now
again I am going to pass a warning on to
you that do not use this for any illegal
purposes in terms of SQL injection or
just enumerating data that might be on a
database because it is highly illegal
and a lot of sites of vulnerable to SQL
exploits even if you're just talking
about and the enumeration of data so we
are going to be using Mattila day and to
get started I'm just going to make sure
I have my OS top ten open here and I'm
going to go into a one injection and SQL
I extracted at the extraction of data
and we'll click on the page that is
vulnerable so use the info all right so
you can see that this is a lock in page
or in this case a view account details
page that allows us to enter a name and
a password combination which we can then
use in SQL map so make sure you have web
suite fired up you can use the Community
Edition will work just fine all right so
let's start up web suite and it appears
my JRE is is the latest version and it's
not fully tested no problem just launch
it I don't have an issue with that you
can also use zap if you wanted to but
we're going to be sticking with web
suite because that's what most of you
are comfortable with so you can use the
Community Edition just fine since you
all we are doing is we intercepting the
request that is being sent in this login
form right here so let web suite start
and we want to make sure that intercept
is on and it is on fantastic so now we
need to go into our preferences here and
into our connection and we make sure
that we are using a proxy the proxy
configuration the web suite proxy which
is localhost at port 8080 excellent now
we need to capture the request that is
being sent you know from the my web
browser to the server we need to
intercept that and we can then use that
with a scroll map to enumerate the
database first of all all right
excellent so we can just test we can
enter a random value in here so let's
say we enter a name and something like 1
2 3 4 and we can just hit view account
details so we should have intercepted
the request with but if not just give it
a few seconds and it should intercept
the request if it does take a while you
can reload the page but I think any time
now
we should get the was for some reason
I'm not getting all the information here
I'm not too sure why this is happening
what I'm gonna do is I'm just gonna
reload the requests if I can let me just
try and do that again so I'm just gonna
let these packets through and I'm just
gonna reset it again it's gonna tell me
a name and let me enter the password
again and for some reason okay so we
need to allow intercept on again now and
we're gonna try that again so you can
use whatever value you want at the end
of the day it's going to be used for the
enumeration process so let's see what
they do were able to capture the request
here for some reason it isn't displaying
everything alright so yes this is the
request so it is get there we are we
were able to intercept it excellent
there was some anomalies with the first
one so what we need to do now is we need
to save this request so to save it this
is a quick tip for you guys you can just
right-click or on the on the raw format
here of the request and just hit save
item alright so I'm gonna be saving my
request on the desktop so I'm just gonna
call it request
dot txt make sure it's dot txt that
usually works best with SQL map so I'm
gonna hit save all right excellent we
have saved it and now we have no use for
bub sweet so you can just minimize that
and we can disable the proxy and we
should have disabled intercept so no
proxy here and let me just disable
intercept excellent so now we can
definitely tell that that user name and
password does not exist but now we have
to use SQL map so let me just fire up my
terminal here and let me expand it
because a lot of you guys have asked me
to do that so there we are and and now
we need to use SQL map so let me explain
something about this what's the word for
this this syntax behind SQL map the
syntax is really very simple and I hope
to explain it to you as we use more and
more commands because really I can't do
justice you know to the syntax or I
can't explain it to you just by talking
about it so you can see that the usage
options here are all in the form of a
few letters and words but I'll be
explaining what each of them does as we
move along alright so let's start off
with first of all enumerated data bases
using the request that we were able to
intercept and the request that we were
able to save so to do this we use the
SQL map command alright and we specify
the request using the r command and now
we specify the location so mine is saved
root desktop and request dot txt alright
you could have saved it wherever you
wanted to the process still remains the
same make sure you specify the exact
directory we then use the D the DPS
command which enumerates any databases
with or in regards to the request that
is being sent so I'm gonna hit enter and
it's going to start a numerating and it
looks like there were multiple injection
points so there are multiple injection
points so it's going to ask us to select
the one that we want to use since we're
not doing any injection we're just going
to use the get parameter and the type
which is the first option here which is
option zero I'm going to enter and there
we are we were able to get information
in regard
to the database version which as you can
see the back-end database is MySQL it's
gonna tell you the web server operating
system Linux Ubuntu web application
technology is using a PHP five point two
point four and Apache two point two
point eight and the backend the database
is MySQL version five it was able to
fetch database names so we were able to
get let me see seven databases we have
the dime vulnerable web application
information schema
Metasploit mysql or aspect of ten that's
the one we are focusing on right now and
we have Tiki Wicki this all in regard
these other databases are all related to
other web applications that were
installed on the Metasploit able to
virtual machine so we want to focus our
in power we want to focus our attention
on the OS database so how do we do this
so now we need to select a database we
need to check for tables in this
database so again we're trying to get
more information here so we can say the
command will be SQL map alright and we
are still using the request because this
is our way in or this is our way of
getting information in regards to the
database so root sorry yes root desktop
and request
alright so request dot txt and now we
need to select our database so to do
that we use the capital D command and
now we select the name of the database
which in this case is OS 10 excellent OS
10 and now we want to enumerate the
tables so that is done using the tables
command and we hit enter all right
hopefully we are able to enumerate the
date the tables if you get this it's
pretty much asking you how you want to
use the request to enumerate the
information we won't use the default way
because that has the get it's a get
request with the parameter of password
first all right so that is the default
ones who will use that and we're going
to enter and there you are so we're able
to get the tables for the database os10
we were able to get six tables we're
able to get accounts blog stable capture
data credit cards mmm interesting hit
lock and pen test tools so come from
open testers you know from a pen
Esther's mindset or a black attackers
mindset this would be the most enticing
thing right here hmm interesting but
first let's start off with accounts
because I know there is some juicy
information in there and this will show
you the real threats that can be caused
even with the enumeration of a database
and without performing any injection
really ok so now we want to dump the
database more specifically the table in
the database so to do this we use SQL
map again and we are still using the
request that we saved which is route
very very important to capture the
request route desktop and the request
dot txt we no need to select the
database so was OS 10 and we now need to
select the table which we are specifying
the table is the accounts is that the
name yes accounts woops sorry about that
guys accounts and I was about to do one
of my classic mistakes here a type of
accounts and we want to dump so we use
the dump command I'm pretty sure that's
the command anyway let's see if this
works I have to brush up on my SQL map
skill so I'm going to enter and if it
gives you the same request don't worry
just use the default request here I'm
gonna enter and voila hmm hmm hmm very
interesting information we were both
gather here so we have the user names we
have the admin whether the user name the
user is an admin and the password the
the the the the thing owner explained
here is you might be asking and saying
well hahaha this was designed to be one
you know vulnerable that's why you can
see the passwords well let me just point
out that I have performed SQL
enumeration before and some companies or
some websites store passwords in
clear-text in clear-text
and you if you think I'm lying you can
check out how many of the other websites
like Ubisoft that were hacked their
passwords were stored and credit card
numbers was stored in clear text this is
how dangerous this can be and again
that's why I'm trying to say please
use this information you know for in for
the right reasons and learn about these
things and hopefully we'll be looking at
how to mitigate them although you you're
you are going to be quite limited the
whole power comes in the terms of for
the from Thakur's perspective all the
power is in the login forms because that
is where they can really play around
with requests and you know they can
enter information into the system which
if not monitored correctly can be
processed by the server off by the
backend in this case the databases so
you can see the real danger here so we
can just try one again now instead of
using the accounts which is good
information anyway we can try credit
cards alright so let's try credit cards
now and again we'll be using the same
syntax so you don't need to worry about
anything except this time we're just
going to be changing the the name of the
table from accounts to credit cards
what's the exact name of the of the
table credit cards alright excellent so
credit cards let me just enter that
right now credit and cards and I'm gonna
enter let's see what we were able to
dump here donate oh and yeah so there
you are credit card numbers and the
expiration date of them even the CCV
number which as you know is probably
like your security for the credit card
when trying to perform transactions
online so in clear-text and you can
imagine the damage that can be done here
because your ventually you have every
piece of information and usually what
happens is that the hackers who hack
websites and get this type of
information what they do with these
numbers is they sell them on the Deep
Web or on any other types of
marketplaces that being said I'm not
putting any ideas in your head this was
the first section of using the SQL
injection vulnerability and using SQL
maps so I hope you guys found value in
this video if you did please leave a
like down below if you have any
questions or suggestions let me know in
the comments section or on my social
networks or my website and yeah that's
gonna be it for this video guys thank
you so much for watching and I'll be
seeing you in the next video peace
[Music]