00:00:15
Hi everyone, I hope you all are doing good and having a wonderful day. In this video I'm going to show you four of the most awesome ways of how you can use sqlmap that will help you to find SQL injection vulnerabilities. But before going into this video, if you haven't checked out my previous video, then go ahead and check it out. The link to the video is given in the description, and you can also see it at the right side of the screen. And now, with that being said, let us get started.

00:00:43
So a very interesting way of using sqlmap with your methodology is directly using the request body and pasting it into sqlmap. That will help you not only to use sqlmap with ease, but it will also help you to establish all the essential headers, cookies and all those necessary values that are required to test authenticated endpoints, directly from the request. So sqlmap is directly going to feed all that data and you don't need to do anything at all. Let me show you how we can do that. Okay, just an example, let me just go to my browser here.

00:01:19
Okay, so you can see we are right at our browser over here. I'm just going to see if my intercept is off. Yes. And now I'm going to show you something very interesting. For example, let us say that I'm testing this particular web application, okay: 1.31, DVWA. And let me just quickly log into this application here. Now you can see I'm logging in; I'm just doing the authentication part, and only then am I allowed to access all the internal content, right? So to test for vulnerabilities in authenticated endpoints we basically need to specify the cookies or all the necessary values. So an easy way is to directly copy the request body and send it directly to sqlmap. Let me show you. I'm just going to give you a very simple example, and I'm just going to set this to low just to show you the exact demonstration. Save this. SQL Injection. I'm just going to add a random value. Okay, you can see this is the URL that we've got. If I copy this URL and paste it in a new incognito tab where I am not logged in, you'll see I will be redirected to the login panel, right? So let's try to see how we can get around this particular scenario.

00:02:46
Okay, the very basic thing is, let's open our Burp first, and I'm simply going to send all my requests to the Burp proxy, and then we are simply going to capture the request. Okay, I'm just going to turn on the intercept, and let's specify user ID 1, hit submit, and you can see this is the request going on. I'm simply going to send this to the repeater, and then what I'm going to do is simply copy all of this request body. Okay, and then I'm going to create a new file and I'm going to simply paste everything right over here, and just do Ctrl+S. So let us go ahead and type sqlmap -r demo.txt --dbs. Okay, now when we hit enter, this particular method is going to test every parameter which is present inside the request body. Okay, it can be GET parameters, it can be POST parameters, and even the JSON body; it's going to do everything for you. So you just need to pass this -r flag, hit enter, and then you'll see that we have successfully got the database information, right? So this is one of the interesting ways of using sqlmap, using this -r flag. Okay, let's try to see how we can use some other cool features of sqlmap.

00:04:19
Now let me show you another cool feature of sqlmap. Do you guys know that we can use sqlmap to directly escalate SQL injection into remote code execution? Okay, now this can only be done if the file read and write features are enabled by the backend, but if it is enabled then make sure to go ahead and check this particular flag that I'm going to show you. Okay, for example, let us say that this is our target and we want to identify SQL injection here. So let me just quickly do the request-sending part. There it is. I'm just going to copy everything from the request body, and let's open our terminal, and now let's go ahead and create a file. Let us paste all the request body here, and now what we're going to do is simply type sqlmap -r, for the request file, testing.php, sorry, testing.txt, then --os-shell. Okay, this is what we need to do, and you can simply hit enter right after that. Okay, and as you can see it will ask you which web application language this web server supports. So by default you can see it will automatically detect the back-end language, but in case it is not able to detect it, in that scenario just go ahead and select any one of these. Okay, then hit enter, and then as you can see, in our case the file upload functionality was enabled and as a result we are able to call out the shell command, right? And now we have complete access on the web application server; we can simply type commands like whoami. Okay, just type it and you can see we are www-data. We can also type ls; again you can see we are getting all the files present on that particular server. This is how you can use sqlmap to escalate SQL injection into remote code execution.

00:06:28
Another interesting way of using sqlmap is to check out all the functionality that we have that we can use to bypass web application firewall misconfigurations. And to check how many features we have that can bypass the application firewall, we simply need to type one command, which is sqlmap --list-tampers. Hit enter and then you will see all the available files or functionalities that we can use to tackle multiple application firewall misconfigurations. For example, you can see that it will replace this "int union" with this particular value; then you can see it is going to replace this single quote with, you can say, its counterpart, something like that, right? Then we have this "between", which replaces the greater-than operator with "not between" and hash, okay. So these are some things that you can use. Actually, let's say that there's a web application firewall that is only allowing character-encoded characters; okay, in that scenario you can go ahead and use this one. Okay, similarly, once you have identified on the target what type of values are getting detected by the web application firewall, then you can go ahead and use one of these to prevent the application firewall from getting triggered. Okay, for example, let us go ahead and use this charencode. I'm just going to copy this, and again I'm going to use the same lab. Just go ahead and type sqlmap -r testing, and you can simply type --tamper= and just paste the particular file that you have copied. Okay, and then simply let's do --dbs, hit enter, wait for a few seconds, and as you can see we have successfully got the database. So this is one of the most interesting ways of using sqlmap: you can simply go ahead and see what the available options are, but first you need to understand what type of values are getting flagged by the web application firewall, the character to be specific; only then will you be able to use it. Okay, now let's go ahead and jump to the next part of how we can use sqlmap.

00:08:41
Okay, let me show you the last and the interesting way of finding SQL injections. Let me just go ahead and log into my DVWA and then I'm going to show you the concept of second URLs. Okay, let me just show you: localhost. Let's go to DVWA Security and I'm going to set this to high. Okay, and let us try to understand this functionality. Okay, this is very interesting, and you can see once I have written this id 1, this is what is reflecting. Okay, let's try to understand this: you can see the value which is getting submitted is on this particular form, okay, but whatever is reflecting is showing in the first URL. Okay, so we have the concept of multiple URLs: one URL is used for sending the data and the second URL is used to view the content, whatever we have got from that particular data. In that case we can use a very interesting flag, which is --second-url. Okay, let me show you how we can do this. First, this is the injection point, right, this is where we are adding our value. So I'm just going to turn on my intercept and then I'm going to simply, what you can say, add the data over here, and simply I'm going to click on the submit button. Okay, once we have that, we have the request body; I'm simply going to send this to the repeater, and after that I'm simply going to copy everything from here, and then let's create a file. Let's paste all the request body that we have copied, and the last thing that we need to do is type sqlmap -r f.txt --dbs. Okay, once I hit enter, right now you can see that it is saying that POST parameter id does not appear to be dynamic and might not be injectable. Okay, let's complete this, and you can see what it says: POST parameter id does not seem to be injectable, which means that it's saying that it is not vulnerable at all. Okay, but what we can do is, since we know that we are actually seeing the data on the first URL, okay, so I'm just going to copy the first URL over here. Okay, and this particular URL or this particular endpoint is used to send the data, right? So this will be our first URL and I'm going to add a second URL parameter, okay, and simply I'm going to paste the value right over here. Okay, do that and then simply hit enter, and this time hopefully we'll be able to see the vulnerability. And right now, as you can see, it is saying that the back-end DBMS is MySQL. So basically we were able to find this SQL injection. So right now we have indicated that you need to look for the data, or whatever result you are looking for, in the second URL, and the first URL which is present in this request body is used to inject the data, to inject the SQL injection. Okay, so hit enter and then we'll be able to see the DBs; wait a few seconds here, and you can see we have successfully got the data.

00:11:41
So these are some of the ways that we can use sqlmap to get SQL injection. The first way is we can use sqlmap to directly find the SQL injection with the request body itself; that way we don't have to specify cookies, headers and any other things, it's going to fetch all of that from the request body that we have given. Okay, then we have a lot of ways for how we can bypass firewalls, and then, right over here, how we can use the concept of the second URL, and then we have one interesting thing, which is how we can get remote code execution. So I hope you all have understood this video, I hope you all have learned something new from this video. If you have any doubts at any point, feel free to let me know, and now with that being said, keep learning, keep hacking, and thank you so much for watching.