[00:12] Welcome back to another episode on How to Hack. So today we'll be discussing sqlmap, which is an automated SQL injection tool, a platform that could actually help speed up the process for us to actually gain access to the website and be able to pull the database information. So, of course, over here we go to the page, and the first thing we want to go into is to enter man sqlmap to see what are the options available in sqlmap. So again, this is a way for us to speed up the whole process of performing SQL injection in an automated way. So if you have not already checked out the previous SQL injection lecture and tutorial, please go check that first, because you have to have a basic understanding of how SQL injection works. And from thereon you can actually begin how you want to automate it. You can take off all the scripts that you could be using, Python, because you already understand how the manual injection works. So this is the part where we're going into an advanced tool, and without understanding the foundation of it, it will be challenging for us to go into the advanced tools.

[01:11] So, again, a quick recap of how SQL tables work. So SQL tables are like your Excel sheet, rows and columns. So, of course, on the left side we can see a unique key. So, again, this is a unique value, so-called customer ID, and we have customer name. We have the contact name, address, city, postcode and country. So again, this is how it is structured, structured almost like an Excel sheet. But on the back end, of course, many databases have millions, or in fact some of them have billions, of records. So those are the places that we can actually try to retrieve some of this information. And of course, each of the rows could be unique to the table. And, of course, they could be joined together with other tables as well to be able to perform some of the other analytics.

[01:56] So here we go, some of the basic SQL statements. So SELECT is the retrieval of data, pulling data out from the database, from the tables. DROP is to delete a table entirely. INSERT is to key in values into the table. And UPDATE is, of course, to change the existing value inside of a row. So, again, these are the basic SQL statements that could actually help us be able to control and manage many of these databases.

[02:21] So when we are performing a SQL statement, for example, here we got SELECT * FROM Customers. So this would actually pull out all the records from the table of customers. And of course, we can select specifically on the columns, which could actually pull out only specific information while retrieving all of the rows. So, again, different kinds of statements can produce different kinds of results.

[02:45] So, of course, moving back into the basic concept of how web servers are working. So of course, at the very front you have your client HTML, where you have these text forms that could actually allow you to be able to key in data, and the data is sent to the web application server. And from the web application server, this would allow us the ability to actually insert data and it will process information. So over here on the web application, we can select from user where username equals a given value. This is a check, trying to check what kind of information is there. And again, from here, you can see what we are trying to do.

[03:20] So, of course, SQL injection is the whole idea of bypassing many of these mechanisms that are working, and being able for us to actually pull in different kinds of information, being able to get data or all of the databases from the otherwise intended operation. So, again, all these are sort of ways that we can use SQL injection for. So we can modify data, we can insert data, we can drop tables, we can do a lot of all these things.

[03:44] So another example here of SQL injection. On the right side, we can actually see the single quote, which could actually end a statement, and from ending the statement we have the OR true. And then, of course, we have comments and we have AND password. So again, we are trying different kinds of payloads to bypass the original intention of the text forms.

[04:04] So this brings us into sqlmap. So again, sqlmap, very simply, on the left side, it is, of course, built on Python, and here we go, dash u. So -u is to specify your URL link. After that, we're going after. So from the server directly from here, we consider your link, and from the URL we just have to insert the URL and we'll be able to begin injecting information into the site. So it will be testing, for example, page=, because there's a question mark, and that is what you actually capture, those contents from the text form that has a question mark. So this allows us to actually pull data into the system very quickly, so helping us be able to get that information.

[04:42] So once again, over here, we have UNION tests. So again, they are doing all these different kinds of tests on our behalf so that we can speed up the whole process of penetration testing.

[04:53] And again, it is checking on all the vulnerable fields for you. So, of course, in this case, we only specify one specific vulnerable field, so we can specify more vulnerable fields for the system to actually check on.

[05:07] So in this case, for example, we're going to a login page. So this login page helps us check the account details. So from the account details, all we get to do is actually key in, for example, page=user-info, and we have username and password. So again, we would check all these forms, checking whether they are sanitized, whether we are able to bypass the function of it and be able to inject certain commands.

[05:33] So, of course, here we can see we are targeting information, so we are specifying more question marks. The question mark is what actually tests the fields and sees if the fields could actually be injectable.

[05:45] And of course, in this case, we're seeing that we actually have a lot more information regarding the injectable fields. So in this case, you can see from here it says that, OK, page does not seem to be injectable. And of course, we are seeing all this information and it helps us check what kind of back-end database management system it is using. So in this case, we're seeing that it could possibly be MySQL, and it is asking you whether you want to skip specific payloads so that you can speed up the process of verifying what kind of database systems are there.

[06:14] So, of course, over here, we can see that it says that username appears to be boolean-based blind injectable. So again, we're seeing that it is injectable, and this is the part: once it is injectable, we can further our attempt to get more information, pulling data, or doing database dumping and so on.

[06:33] So likewise over here, from the results: GET username is vulnerable, do you want to keep testing the others? And of course, here it has the payload information that we can test out on. So in this case, we can see the different kinds of tests that were being put into the system, the different payloads. So here we have a test, with a single quote or not, and then followed by that we got our time-based blind. Again, all this information is helping us know what are the payloads that were inserted, that could actually be pushed into the system and ultimately pull information out later on.

[07:05] So over here, once we are able to bypass the fields, we can actually pull information like the database types. So over here we can see the number of available databases. So we got dvwa, information_schema, metasploit, mysql and so on. So we are seeing all of the databases available that we can actually query for more information in each of those databases.

[07:26] So from here, again, we are trying to enumerate the tables inside the databases. So again, remember: databases, tables, and information inside each of the tables. So in this case, we are querying a particular database and then going into the table. So you can see on the bottom left we can actually see all the tables available inside a particular database.

[07:50] So once we get the information, we want to be able to actually retrieve the information and content inside each of the tables. So this is the part where we are specifying -T to specify the table we are querying, as well as --dump to dump all that information. So in this case, we can actually see the username and password. So in this case, the password is not being hashed. There's no security mechanism to actually protect it. So immediately we can pull out all that information from the table.

[08:19] So here we got sqlmap, so we can also have the interactive SQL shell. So again, the interactive SQL shell allows us to do different kinds of commands directly into the database. So, again, all this is helping us be able to pull all different results.

[08:34] So here, for example, we got a SQL statement. So we did a SELECT * FROM information_schema.tables. So once you have this interactive shell, we can begin thinking about all of the commands that you can use, all of the items that you can use to actually speed up the process, accelerate the whole pace of trying to find more information.

[08:53] So if you now think about it, what are the techniques you can use along with sqlmap? So again, all of this idea is about how you can advance some of these functions and features while using sqlmap to perform and accelerate the pace of your penetration testing.

[09:08] So now let us go into the tutorial portion of this lecture. So on the screen I have Metasploitable 2 running, so I can actually enter ifconfig. So this will tell us the IP address of the web server we are accessing. So in this case it's going to be 192.168.0.212. So going to the right side, we can actually open up any web browser and we can go into the same IP address that has been provided to us from Metasploitable 2, so we can enter 192.168.0.212 and hit enter on that. And of course we can actually zoom in and go to Mutillidae. So once we go into Mutillidae, this is the part where we can actually look at some of the potential vulnerable fields that we can try to access into, so we can go into OWASP Top 10, we can go into Injection, and we can go into User Info, Extract Data. So click on that and we can see the information directly from here, so we can copy the URL link. And of course, we can open up terminals. So it's easier for you to see, so we can zoom in a little more and we can enter man sqlmap. So this would actually give us the manual page of sqlmap.

[10:11] So again, a very important command, because it will actually help you understand what are the parameters that you can enter and access into, which can help you accelerate the pace of understanding more about how this platform functions. So we got -v for verbosity, we got --version, we got direct connection, we got -u for the URL and so on. So again, all these are key usages of sqlmap. So in this case I enter -u and actually enter the quote, and we can paste the clipboard of the URL, and of course a double quote, and hit enter on that. And this would immediately help us be able to do a direct attack against the page field. So of course in this case we can enter, for the session ID: yes. So it would declare the cookies for us. So again, it may be checking now whether it is vulnerable to cross-site scripting, whether it is vulnerable to file inclusion attacks. And of course, here it is testing the kind of database type. And of course, here it is recommended to perform only basic UNION tests if there is not at least one other technique found. Do you want to reduce the number of requests? So, again, it depends on the kind and the time that you have to perform tasks. So in this case, we enter yes, but in your own test lab, you could actually enter an N so that you can actually see what kind of commands and payloads it is sending over into the system. So we enter Y on that.

[11:29] So of course over here we see that the parameter may not be injectable. So in this case we may have to try other different kinds of fields. So of course in this case, for example, name and password, I can enter test, test and click View Account Details. So from here this would actually open up a number of fields that we can actually try to inject into. So from the earlier command that we used, now we are going to change it. We're going to change and update the URL that has been provided to us now, so we can actually go ahead and click, view and actually paste this information in and edit it. Basically, we have to put the double quotes in, hit enter on that, and now it will continue checking whether the fields are actually injectable. So in this case, immediately we get a result very quickly. We got the back-end database is MySQL, and from here we can actually see all the information regarding the system. So in this case, it says that parameter username, and of course, it says that this is the payload that was used, and this is the payload that managed to actually help us bypass the particular field. So again, we also have error-based and we also have time-based blind. So again, all these are the payloads that we can use to try to find out more information about the database and see whether we are able to bypass the security mechanics of it.

[12:44] So over here, what we are going to do next is to, of course, be able to dump out information. So, of course, there are a number of parameters that we can use, a number of options that we can use. And in this case, what we can do is actually go back into the lecture slides. So in the very early part of the lecture, we can see many, many different kinds of techniques that we can use as part of the attack. So some of the key things that we want to find out is, in terms of the databases, what databases are there, so we can use --dbs. So this would actually tell us all the databases inside the system. So go ahead and hit enter on that, and it will pull out all the records regarding the databases inside the system. So in this case, we got a number of seven databases, so we got information_schema, metasploit and so on. So again, all of these are databases residing inside the server, inside the computer. So, of course, we can go ahead and change this to -D (capital D). So this would specify the database that we are going to query into. So in our case, we go for owasp10, and of course we can enter again, referring back to the lecture slides, we can enter --tables. So this would tell us all the tables available inside this database, so we can go ahead and hit enter on that. So --tables, hit enter on that, and it will show us all the tables inside owasp10. So here we got six tables. So we got accounts, blogs, credit cards, pen test tools and all these different information. So again, we can also now specify -T (capital T) and specify accounts. And again, we can enter --dump. So this will actually pull all the records inside the accounts table, helping us find all this information inside this table, so this would dump everything. And of course, we got 16 entries inside the table. So we got the username, we got the password, we got the signature, and we got all this different information very quickly, helping us find all of the login details for us to access into the system. So now that we got all the details, all I got to do is, for example, enter one of the dumped usernames and passwords, and we can view the account details. So, again, we are able to log in. We're able to see all the information.

[14:49] And for example, if I click log in here, because we already got a username and a password, we can also log in as all those different users directly by dumping out the databases. So once again, I hope you learned something valuable in today's tutorial. And remember to like, share and subscribe to the channel so that you can be kept abreast of the latest cybersecurity tutorials. And of course, if you've got any questions, feel free to leave a comment below and I'll try my best to answer any of your questions. Thank you so much once again for watching.
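Editor's note, added after the transcript: the lecture shows the login-bypass payloads (single quote, OR true, comment termination) on its slides and then dumps an accounts table whose passwords are stored unhashed. The example below is not code from the video, from Mutillidae or from sqlmap; it is an added demonstration of why those payloads work and what the fix looks like. It assumes an in-memory SQLite table as a stand-in for the MySQL accounts table, constructed sample accounts, and a hypothetical login function written two ways: the string-concatenated form that the slide payloads bypass, and a parameterized form with salted password hashes that they do not.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo accounts (not data from the video's lab). The plaintext
# 'password' column exists only to mirror the unhashed table the video dumps.
SAMPLE_USERS = [("alice", "correct-horse-battery"), ("bob", "hunter2")]
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 digest as hex: the form a password should be stored in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL 'accounts' table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " username TEXT PRIMARY KEY, password TEXT, salt BLOB, password_hash TEXT)"
    )
    for user, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO accounts VALUES (?, ?, ?, ?)",
            (user, pw, salt, hash_password(pw, salt)),
        )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The pattern sqlmap finds: user input concatenated into the query text.
    Returns every username the query matched, so a bypass shows up as extra rows."""
    query = (
        "SELECT username FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query).fetchall()]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: bound parameter for the lookup, salted hash for the check.
    The input is data, never SQL, so quotes and comment markers have no effect."""
    row = conn.execute(
        "SELECT salt, password_hash FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def main() -> None:
    conn = setup_db()
    # Payloads of the shape shown on the slides: OR-true and comment termination.
    or_true = "' OR '1'='1"
    comment = "alice' --"
    print("vulnerable, real creds :", login_vulnerable(conn, "alice", "correct-horse-battery"))
    print("vulnerable, OR-true    :", login_vulnerable(conn, "x", or_true))
    print("vulnerable, comment    :", login_vulnerable(conn, comment, "anything"))
    print("safe, real creds       :", login_safe(conn, "alice", "correct-horse-battery"))
    print("safe, OR-true          :", login_safe(conn, "x", or_true))
    print("safe, comment          :", login_safe(conn, comment, "anything"))


if __name__ == "__main__":
    main()
```

Run it as a script: the vulnerable function returns both accounts for the OR-true payload (the WHERE clause collapses to "... OR '1'='1'") and returns alice for the comment payload (everything after -- is ignored, including the password check), while the parameterized function returns False for both and only True for the real credentials. The second point the dump in the video makes, plaintext passwords, is addressed by the salt and password_hash columns: even if the table is dumped, the PBKDF2 digests are what an attacker gets, not the passwords.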