SQL Injections are scary!! (hacking tutorial for beginners)

Video Notes:

Is your password for sale on the Dark Web? Find out now with Dashlane: https://www.dashlane.com/networkchuck50 (Use code networkchuck50 to get 50% off) 

In this video, we’re learning one of the oldest, yet most dangerous hacking techniques out there: SQL injection. Despite SQL injections being over 20 years old, they still rank number 3 on the OWASP Top 10 list. Why? Even Fortune 500 companies are still vulnerable to these attacks! So, in this video, NetworkChuck will show you how to run a SQL injection attack. Running a basic SQL injection attack is pretty easy, but it often becomes more complex with trickier targets.

Stuff from the Video

—————————————————

TARGET SITE (Altoro Mutual): https://demo.testfire.net/index.jsp

MORE practice: https://play.picoctf.org/practice/challenge/304?page=1&search=sqli

How to protect against SQL Injection attacks: https://www.crowdstrike.com/cybersecurity-101/sql-injection/


0:00   ⏩  Intro

0:39   ⏩  Sponsor – Dashlane

1:43   ⏩  How Websites work with Databases

2:08   ⏩  What is a SQL Injection??

2:51   ⏩  Strings in SQL Queries

3:25   ⏩  Is a website vulnerable to SQL Injection?

4:14   ⏩  SQL Query Logic

4:45   ⏩  the OR SQL Injection Payload

7:13   ⏩  the COMMENT SQL Injection Payload

8:42   ⏩  how to protect against SQL Injections

SQL inj? No, no, no. Let’s use a SQL injection to hack into a website. Here is our target, Altoro Mutual, an online banking site that is totally real. We’re going to use a SQL injection to hack into this website and gain admin privileges. You’ll be able to hack this website in like 30 seconds.

Now, one of the scariest uses of SQL injection is that bad actors can use a simple login form like this to dump a database of usernames and passwords and then put them on the dark web with a for sale sign, and you’ll never know about it. Nothing you can do. Well, actually, you could probably try Dashlane, the sponsor of this video. Dashlane will actually monitor the dark web and see if your usernames and passwords are for sale. And if they are, they will alert you. And I have a lot. I need to fix that. And then using Dashlane, you can generate a completely random password, unique, different from your other passwords, right? You don’t use the same password for every website, do you? Anyways. And Dashlane will store it for you. And this right here is definitely my favorite feature of Dashlane. They’ll do passwords and they’ll also do multifactor authentication right there in a stinking app.

I love that. So all your stuff is in one place, keeping you safe and making it a bit more simple to log into sites. I use Dashlane personally for everything and also for my business. And check this out, I get an admin console giving me a dashboard of all my employees’ password health scores, and it’ll tell me whose passwords are compromised so I can basically force my employees to be secure, which you have to do. They’re not gonna listen. So start securing your passwords for free right now. Check it out. Link below: dashlane.com/networkchuck50. Use the code networkchuck50 and you’ll get 50% off. And did I mention you can secure your passwords everywhere? Phone, tablet, computer. Yeah, it’s awesome. So again, here’s the website. It’s a simple login form and we won’t need any fancy tools. All we’ll need is a keyboard and some coffee.

Chuck.coffee. Now our goal with this login form is to use it in a way that will give us access to the underlying database. When you try to log into this website, or really any website, when you hit enter, the website will connect to a database and run a search to see if your username and password exist on the database. If they do, you’re in, login successful. So here is where a SQL injection comes in, and it’s kind of crazy. We know that a lot of websites will do this very thing, query a database, and possibly have a query that looks similar to this. And this may look familiar if you watched my previous SQL video. We’ll use statements like this to find information in a database. But here we’re gonna use the beauty of SQL against them. Now, in our scenario, we don’t know the username and passwords.

So let’s take that out. Now let’s first just brute force it. Let’s guess, and maybe we’ll get lucky. Now as I’m typing this, notice what happens to our query. This will be important for our next step. The username could be admin; it’s a popular username for administrative accounts. And we’ll try the password password123. Let’s click log in. Oh, failed. It was worth a try, but did you keep an eye on our statement? Notice that whatever we typed in was entered here in the query between single quotes. Now here is why that’s important. In programming and in SQL, when you have a string of characters between quotes like this (can be single or double quotes), that’s referred to as a string. It’s a data type. So looking at our query down here, anything inside quotes is going to be a string. And everything outside of it is a SQL query.

And we know that whatever we enter here in the username field and the password field will end up becoming a string inside that query. But what if we could make it not do the <laugh>? And this is where the hacking comes in. What if we could send not just a string, but some more SQL query to change what happens, to hack what happens? So let’s try this. Let’s type in our username once more geared admin. But at the very end, we’re gonna add a quote, a single quote, and let’s try to log in. Okay, didn’t work. We haven’t hacked it just yet. But notice something. And this will tell you if a website is vulnerable to SQL injection. That’s a great way to test that, and pay close attention to the error. We have a syntax error because, if you look at our query, did you notice what happened?

We have another quotation mark right here, a floating quote. And this is fantastic news for us, because the reason it got a syntax error is, you know, a string is between two quotes. If you only have one quote, then it’s not complete. It’s, we got a syntax error, it’s like freaking out. But now we know that we can insert some extra stuff besides just our string. So now that we know this application is vulnerable to SQL injection, let’s try a few SQL injection payloads, which is actually pretty easy. It sounds scary, but it’s not too bad. Now, before I show you the payload, let’s reexamine why our first login failed. I mean, it’s obvious, right? The username and password were incorrect. But I want you to look at the logic of this query, this SQL statement. What it’s saying is both the username, admin, and the password, password123, have to exist together just like this.

If both of those are true, it will evaluate to true and we get a successful login. But in this case, they’re not there. It’s a different password. So it evaluates to false. So now here’s where the magic comes in. Here’s where our payload comes in. What if we can make this SQL statement always evaluate to true no matter what we put in? Let’s try it out. This first payload is what’s known as an OR payload, and it’s gonna look something like this. In our username field right here, I’ll do our opening quote. I’ll do a space and I’ll type in or, and I’ll do another string. I’ll do one as a string. One equals, and another string, one. Now obviously something cool is happening here, but what are we doing? Well, why are we doing this? Two reasons. First, notice that we added some more SQL code in there. By breaking outta the string with our extra quote, we were able to add some extra SQL query language stuff here.

Magic. And here’s the fun fact about how SQL will process the operators like AND and OR. And, and or. Um, that’s confusing. When evaluating a statement like this to see if it’s gonna be true or false, it will first do the AND. That’s the precedence: AND first, and then after that, OR. So now when we try to log in, here’s how it will process this logic. And this will all make sense right here. It will first say, Hey, does username equal admin and password equal password123? Does it? Well, no. So false. But it’s not done yet, because we added something extra. And this is the hack. Then it will say this: But does the username equal admin or one equal one? Let me ask you a question. Does, uh, does one equal one? Duh. Yeah, right? Will it? Will one always equal one?

Yes, <laugh>. And that’s why we added this nonsensical statement here. This statement will always evaluate to true because no matter what, one equals one <laugh>. So we added some extra arguments and extra operators saying, Hey, does one equal one? Then it’s true <laugh>. And that’s the hack here. When it comes to evaluate our OR statement, it’ll always be true. Let’s try it out. Let’s click log in. Well, dang it, it didn’t work, but why? It’s actually pretty easy. Watch this. Let’s take a closer look at it. Do you notice anything weird about our query? Now here’s a hint. Count the strings. So we have a string here cuz we have two quotes. We have a string here, two quotes, and a string here, two quotes. Well <laugh>, there’s an extra quote, and that’s why we got that syntax error. So let’s fix that. It’s actually not too bad.

<laugh> Just right here. It seems like we have an extra quote at the end. So let’s take that one off the end. So now with our syntax looking nice and clean, all complete strings, no errors, let’s try to log in. Log in. And we did it. We got in. We successfully injected SQL query code by tricking the login prompt. That’s pretty nuts, right? Now here’s a bonus question. Your homework: What if we didn’t know the username? What if the username wasn’t admin? Would this still work? Comment below. How would you do it? Now, using payloads like OR to subvert the logic of this query, I like it, but it’s complicated. There’s another way we can do it. And this way is kind of scary, powerful. Watch this, because instead of using OR to like mess with the logic, we’re gonna add a simple comment. When you’re writing code, whether it’s Python or SQL, things can get kind of complex.

So you often want to make a comment about what you’re doing with it. So when people look at your code, they’re not like, what? You can kind of tell them why you’re crazy. So you’ll use a special character like the pound sign or, in MySQL’s case, which is what we’re using right now, you’ll have two dashes and a space, and whatever comes after that, no matter what it is, will be ignored. It won’t be processed. So what do you say? We use this good thing for a bad thing <laugh>. We’re gonna turn a comment into a hack, and watch how simple this is. Here in our username field, we’ll break out of our string once more with an opening quote, and then we’ll simply do two dashes and a space. Notice what it did to our query. Let me blow it up real quick.

Right after username equals admin, we have a character for comment in SQL telling it to ignore the rest of the code. So where before it said the username, whatever it is, and the password, whatever it is, has to be in the database, now the statement is simply, Hey, is the username admin? Cool. Come on in, no password needed. And that’s what’s happening. It’s ignoring the rest of the statement. And when we try to log in, we’re in, login successful. So here’s your homework. I want you to break into Altoro Mutual. The link is below. Can you break into this website with what you learned in this video? Try it out and let me know in the comments if you actually do it. I would love to hear that you did this. It’s kind of fun, right? Now, I will say this. This is basic SQL injection.

It’s often more complicated and a lot crazier. And again, while it is an old hacking technique, it’s been around for a long time, it still ranks number three in the top list. It’s still crazy dangerous. And the reason is because companies are lazy, or the company has coders that are lazy, and they may not even know what to look for as far as SQL injection, because SQL injections can be avoided pretty easily. I’ll have some links below, but some things you can do are, hey, use prepared statements with parameter... can’t say that, parameterized queries; use an allow list for input validation; escape user input before putting it into a query. So what we tried here in this video, that would definitely stop it. And use stored procedures. I will not go into detail on all those, and frankly I don’t know how to do any of that.

So check the link below and you can learn more. If you’re developing, you’re like, Oh crap, do, am I <laugh>? Am I vulnerable? You should probably just double check that real quick just to make sure. If you think you’re safe, you’re not. Now, where do you go from here? Now again, what we did here was basic, but there are a lot more payloads, like on here. If you look at PayloadsAllTheThings, look at all the different payloads you could possibly try for a website. And also there are different types of SQL injection. Like now we just did in-band error-based SQL injection, which is the easiest and most common. But there’s union-based, there’s blind SQL injection, there’s, it’s all kinds of things. And I’m hoping that this video gave you a taste for how cool SQL injection is. And you can go off and learn a lot more, dive deeper, get lost in it. Union-based queries are crazy cuz you can add additional SQL queries on top of what’s already there and possibly dump all the information from a table, or just drop the table and watch the world burn.

Anyways, that’s all I got. Catch you guys later.
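The username inputs walked through in the transcript, run against a string-concatenated login query and against the parameterized form it recommends. This is an added example, not code from the video or from the Altoro Mutual site: the in-memory SQLite `users` table, the account in it, and the functions `make_db`, `login_concat` and `login_param` are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for a site's user table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the demo focused on the query itself.
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-s3cret')")
    return db

def _result(row):
    return "logged in as " + row[0] if row else "login failed"

def login_concat(db, username, password):
    """Vulnerable: user input is pasted between the quotes of the query."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        return _result(db.execute(query).fetchone())
    except sqlite3.OperationalError as exc:   # e.g. the unbalanced quote
        return "error: " + str(exc)

def login_param(db, username, password):
    """Fixed: placeholders keep input as data, never as SQL text."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return _result(db.execute(query, (username, password)).fetchone())

# The inputs typed into the username field in the video.
INPUTS = ["admin", "admin'", "admin' OR '1'='1", "admin' -- "]

if __name__ == "__main__":
    db = make_db()
    for name in INPUTS:
        print(repr(name))
        print("  concatenated :", login_concat(db, name, "password123"))
        print("  parameterized:", login_param(db, name, "password123"))
```

With the concatenated query the lone quote produces the syntax error and the OR and comment inputs both log in as admin with the wrong password; with placeholders every one of those inputs is just a username that does not exist.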
