1
00:00:01,990 --> 00:00:08,350
OK, so now let's try and determine how many columns are being selected into this page.

2
00:00:08,350 --> 00:00:14,020
So how much information is being selected and displayed on this page.

3
00:00:14,020 --> 00:00:17,230
So to do that we're going to use the order by command.

4
00:00:17,290 --> 00:00:21,660
So we did order by 1 and that returned something that was acceptable.

5
00:00:21,820 --> 00:00:24,350
And order by 100000 was an error.

6
00:00:24,490 --> 00:00:29,870
So let's try and do order by 10, and we still get an error.

7
00:00:29,940 --> 00:00:33,360
So I'm going to do an order by 5.

8
00:00:33,610 --> 00:00:34,960
And that works.

9
00:00:34,960 --> 00:00:39,850
So let's try to do an order by 6, and that gives an error.

10
00:00:39,850 --> 00:00:47,890
So by doing this we know that there are five columns being selected from a certain table, and it's

11
00:00:47,890 --> 00:00:53,690
the accounts table, and displayed on this page.

12
00:00:53,700 --> 00:01:00,520
So let's try and build our own select statement and get it to be executed on the target computer.

13
00:01:01,850 --> 00:01:05,710
So let's come here and try to do so.

14
00:01:05,750 --> 00:01:12,610
At the moment, the statement is select star from accounts where username is equal to zayd.

15
00:01:12,830 --> 00:01:14,540
And we're doing an order by 1.

16
00:01:14,810 --> 00:01:19,880
So let's see if we can fix that and get it to select something that we like.

17
00:01:21,670 --> 00:01:29,830
So the normal way to select stuff is using this format, but because we're trying to do multiple selects

18
00:01:29,830 --> 00:01:35,850
and we're trying to do it from the URL, we're going to have to use a union first and then we're going

19
00:01:35,850 --> 00:01:42,320
to say select. Then we need to imagine what's happening on this application.
20
00:01:42,320 --> 00:01:47,160
So in this web application we know that there are five records being selected.

21
00:01:47,210 --> 00:01:50,210
So there are five columns that are being selected.

22
00:01:50,210 --> 00:01:57,180
So we're doing 1, 2, 3, 4, 5, and we got that from the order by command.

23
00:01:57,650 --> 00:02:00,790
So let's run this and see what happens.

24
00:02:12,170 --> 00:02:13,860
And I spelled union wrong.

25
00:02:25,120 --> 00:02:29,360
OK, as you can see now the selection was right and we got the first selection.

26
00:02:29,360 --> 00:02:37,080
So the first selection that this line does has been done, and then it did the union.

27
00:02:37,340 --> 00:02:42,580
So it combined the selection with another selection, and that chose something else.

28
00:02:42,590 --> 00:02:46,070
And as you can see here, we're only seeing 2, 3 and 4.

29
00:02:46,220 --> 00:02:52,530
And what that means is whatever value you put in number 2 or 3 or 4, whatever you want to select,

30
00:02:52,640 --> 00:02:59,120
if you put it in there it's going to be displayed in this page in this particular location, and you

31
00:02:59,120 --> 00:03:01,150
can see that here you have results for 2.

32
00:03:01,250 --> 00:03:05,180
So whatever you put in 2 will also be shown in here.

33
00:03:07,860 --> 00:03:10,590
So let's try to see our database.

34
00:03:10,620 --> 00:03:20,520
So instead of number 2 I'm going to say database, and instead of number 3 I'm going to say username or

35
00:03:20,550 --> 00:03:28,780
user, and instead of number 4 I'm going to do version, and this will select the current database,

36
00:03:29,080 --> 00:03:35,120
the current user privileges that we have, and the version of the database.

37
00:03:35,140 --> 00:03:38,360
So let's see if this gets executed, and then we'll talk about it.

38
00:03:44,940 --> 00:03:45,880
OK, cool.
39
00:03:45,900 --> 00:03:51,060
So the username is showing up as owasp10, and that was number 2.

40
00:03:51,060 --> 00:03:55,000
So that is the database that we're looking for.

41
00:03:55,470 --> 00:04:02,490
So the database is owasp, then the current user that we're logged in as is root@localhost, so we're the

42
00:04:02,490 --> 00:04:05,200
root user, and then the signature.

43
00:04:05,280 --> 00:04:06,350
So this stuff

44
00:04:06,450 --> 00:04:11,410
actually doesn't mean anything; we're only concerned about this and what we injected, and we injected

45
00:04:11,410 --> 00:04:14,420
the version, and we can see this is the version of MySQL.

46
00:04:14,460 --> 00:04:17,100
So it's 5.0.51.

47
00:04:17,130 --> 00:04:22,330
So at the moment we know that the database that we're connected to is owasp10.

48
00:04:22,450 --> 00:04:25,630
Usually, in most real-life scenarios,

49
00:04:25,920 --> 00:04:28,670
each database is assigned to a certain user.

50
00:04:28,770 --> 00:04:36,550
So usually you're only able to select stuff, tables, columns, data, that is located in this current database.

51
00:04:37,580 --> 00:04:39,650
At the moment we are logged in as root.

52
00:04:39,680 --> 00:04:44,810
So this web application has been connected to the database as root.

53
00:04:44,900 --> 00:04:50,720
So therefore we can actually access other databases, but this doesn't really happen in real-life scenarios.

54
00:04:50,810 --> 00:04:55,770
Usually each user has their own path, their own database.

55
00:04:55,880 --> 00:05:02,180
So when they connect a web application to a database, they connect it to one database, and therefore you

56
00:05:02,180 --> 00:05:04,390
won't be able to access other databases.
57
00:05:04,400 --> 00:05:10,880
So we're going to consider, we're going to assume, that we only have access to owasp10, which

58
00:05:10,880 --> 00:05:19,430
is our current database for this current website, and the username is root@localhost.

59
00:05:19,650 --> 00:05:26,050
In the next videos we'll see how we can further exploit this and do more powerful select statements.