SQL Injection Attack Tutorial (2019)

  • Published: 28 Aug 2024

Comments • 493

  • @HackhappyOrg
    @HackhappyOrg  6 years ago +24

    If I get 300 comments on this video I will upload a SQL Injection CTF lab for you to download and practice with.
    Did you like the new format of this video?
    📌Get 5 Hacker Books for $1: goo.gl/DHEUYs

    • @M5REC
      @M5REC 6 years ago +1

      I liked it. Is this a continuation of your other project from last year? (Bushi Security course on Python for Network Surveillance if I remember correctly? What's the status of that?)

    • @theelektriccowboy7661
      @theelektriccowboy7661 6 years ago

      I want it

    • @angelinecaponpon9065
      @angelinecaponpon9065 6 years ago

      md5('xxx') OR 1 = 1 -- ]');
      105or1=1

    • @farrashaz
      @farrashaz 6 years ago

      I want the SQL Injection CTF lab pleaseeeee

    • @simonskurek8343
      @simonskurek8343 5 years ago

      171 comments

  • @bgsmurf4e731
    @bgsmurf4e731 5 years ago +210

    Thank you. Now I hacked NASA and went to federal jail for it.

    • @HackhappyOrg
      @HackhappyOrg  5 years ago +23

      Thanks for watching bgSmurf4e and be sure to subscribe if you haven't goo.gl/6A36Fc

    • @Dante_bethar
      @Dante_bethar 4 years ago +15

      Great... I'll be sure to join you in a couple of minutes

    • @COURTZYOUTUBE
      @COURTZYOUTUBE 3 years ago +4

      Yoel Cabj lol snitch

    • @Happy-hc4se
      @Happy-hc4se 3 years ago +2

      @@COURTZRUclips man, shut the hell up, we're stressed out here

    • @sh1ft3r79
      @sh1ft3r79 3 years ago +2

      @@Happy-hc4se lmfao don't take jokes so seriously

  • @DC-of7lp
    @DC-of7lp 4 years ago +72

    SQL Injection attacks: *exist*
    Prepared Statements: I'm about to end this man's whole career

    • @ashleybishton742
      @ashleybishton742 4 years ago +2

      It's not really a career. It doesn't take any hard work at all to bring up databases. My PC is crawling Google right now getting me the targets. It also does the vulnerability and then I run it through sqlmap. Boom, all your databases are dumped. It's all automated for me, I don't know about anyone else. I find databases all the time. And make money from going back to the companies and hope they reward me for my discoveries. I hope they do, but I've not really had success, so now I ask if they are going to pay me for my services first before I give them the database files back. SQLmap sorts all that out for me.

    • @michaelplayz5972
      @michaelplayz5972 3 years ago +1

      Devs: OOOOOOOOHHHHHHHH

  • @mosesanthony4916
    @mosesanthony4916 5 years ago +54

    When you are teaching, please do it with the targeted URL or site, so we can get a clear idea of the errors we are supposed to encounter and how to navigate our way out and get it right. This tutorial is for those who already have a basic idea.

    • @zitoschouten5068
      @zitoschouten5068 4 years ago +6

      Great comment, I'm new to this and have a case and still have no idea what I'm doing

    • @Dante_bethar
      @Dante_bethar 4 years ago

      Exactly what I wanted to ask..... Great job....!!

    • @auruds3592
      @auruds3592 3 years ago

      So, how can I learn the basics of SQL injection?

  • @bradbohn5959
    @bradbohn5959 4 years ago +8

    Thank you for posting this tutorial. I'm wanting to transition into IT and am attending my first cybersecurity meetup at the end of January and the topic is SQL injections. At least I won't be entirely lost! Lol.

  • @sanskarsingh9541
    @sanskarsingh9541 5 years ago +21

    So the video was uploaded 8 months ago but it is showing tutorial 2019.
    *GOOD JOB CREATOR* 😂😂

    • @swoluigi3828
      @swoluigi3828 5 years ago +1

      Dreadnaught 717 that's stating it works IN 2019

    • @sanskarsingh9541
      @sanskarsingh9541 5 years ago +1

      Swoluigi where! It just said 2019

  • @DaveAsp81
    @DaveAsp81 5 years ago +4

    This video helped me so much, you explained everything perfectly and every step was great. I knew a little about SQL injection before watching, but now I feel like I can make much more use of SQL injection attacks in any future CTFs I do.

  • @shanemiller7043
    @shanemiller7043 3 months ago

    Great walk-through, thanks!
    I'd like to see a little bit of discussion added about passwords that are encrypted in the database. Just providing some additional context and pointers about that could be useful.

  • @HackhappyOrg
    @HackhappyOrg  5 years ago +19

    SQL Injection Lab is Here: ruclips.net/video/zYss5J56VBQ/видео.html&lc

    • @ayalafinch-mishkovsky6723
      @ayalafinch-mishkovsky6723 5 years ago +1

      Thank you, that was very helpful!
      I am trying to write code that recognizes SQL injection and prevents it.
      Can you show how that works live? I mean how SQL injection works on real websites, and the code behind it.

    • @JediMaster362
      @JediMaster362 5 years ago

      Looking forward to it.

    • @jiayaoou8254
      @jiayaoou8254 5 years ago

      Could you post some bypass ways?

    • @mosesanthony4916
      @mosesanthony4916 5 years ago

      Demonstrate it with a real website so we can catch the real message and sink it. Let's practice with a real URL as you do it, and we watch and follow your steps.

  • @roberthorn6707
    @roberthorn6707 6 years ago +9

    Awesome format. I could easily follow the whole tutorial! Looking forward to the SQL Injection CTF Lab!!!!

  • @Dabo8935
    @Dabo8935 6 years ago +20

    Awesome videos, keep going pls!!
    Can't wait for the lab
    P.S.
    The format is super exciting, easy to follow, great job on that

    • @HackhappyOrg
      @HackhappyOrg  6 years ago +1

      Thanks, glad it was easy to follow Dabo8935. Thanks for watching!

  • @netballqueens9137
    @netballqueens9137 3 years ago

    Finally a decent "how and why it works" tutorial... looking forward to trying your lab

  • @aravindaddula8137
    @aravindaddula8137 4 years ago +1

    It's really great bro, even a guy from a background other than computer science can easily understand. Keep it up, pls.

  • @joshaquatic
    @joshaquatic 3 years ago

    This is the best explanation I have heard yet. But what's with the video just past the 9 minute mark? Your talking head just disappeared.

  • @user-dy4qc5su4w
    @user-dy4qc5su4w 1 year ago

    Very thorough explanation, thank you!

  • @olawunmiolakunle6856
    @olawunmiolakunle6856 2 years ago

    This tutorial is one of the best out there

  • @Ash_Pirate
    @Ash_Pirate 6 years ago +4

    Yes, I want a CTF lab for practice and I liked the new format of the video. Keep doing...

    • @HackhappyOrg
      @HackhappyOrg  6 years ago

      Glad you found it useful ASH Sharma. Thanks for watching!

  • @h4k-d424
    @h4k-d424 5 years ago

    Thanks dude. You explained SQL injection very well. I understand it better now.

  • @patravel-tv3676
    @patravel-tv3676 6 years ago +1

    Finally someone who can actually explain SQLi :) Thanks!

    • @HackhappyOrg
      @HackhappyOrg  6 years ago

      Glad you found it useful PaTravel - TV. Thanks for watching!

  • @gurramkondaaslam2033
    @gurramkondaaslam2033 5 years ago +1

    The explanation of XXE as well as SQL injection was awesome. I think if you can start a "SAST" course it will be very useful for beginners. And by the way, this was my first comment on YouTube, not for the course (because I got more things from your videos). Thank you.

  • @MukeshSharma-up9lc
    @MukeshSharma-up9lc 5 years ago +1

    First time I clearly understood SQL injection.. Thanks man 👍

  • @kemoknows6035
    @kemoknows6035 5 years ago +1

    Love the video. Thanks for taking the time to make it.

  • @extemporebypriyanka7616
    @extemporebypriyanka7616 4 years ago

    Very informative.. I am now following your videos to elevate my career

  • @chrisrasoa5492
    @chrisrasoa5492 6 years ago

    More than 100, can't wait to see your next video... by the way, greetings from Switzerland 👍🏽

  • @erickreitzer3342
    @erickreitzer3342 4 years ago

    Awesome, simple video. Glad to have stumbled upon your channel. Thanks.

  • @iamgalaxey
    @iamgalaxey 5 years ago

    Wow, you have made this so easy to understand! Great work!

  • @olayideayanbisi6520
    @olayideayanbisi6520 1 year ago

    Awesome, lovely video. You are really good at lecturing, you are a good teacher. And please, I would like to have the SQL Injection Lab download.

  • @TigerStrikeReviewsAndMore
    @TigerStrikeReviewsAndMore 3 years ago

    Nice, I was able to use this to secure some areas of our site

  • @MainEffort
    @MainEffort 5 years ago +6

    Hey, thanks a lot for this video, you are a TEACHER ! Please keep it coming, waiting for the CTF Lab :)

  • @gustavwahl
    @gustavwahl 5 years ago +48

    I guess SQL injection is already very well known now and all developers use prepared statements to avoid this exploit. It would be great if you could also inform people about how to prevent this, as that is very important as well.

    • @bodolawale5448
      @bodolawale5448 5 years ago

      Will hashing the password work? Like storing a hashed value of the password in your database

    • @habiuskorpus9329
      @habiuskorpus9329 5 years ago +5

      @@bodolawale5448 Yes, but you have little control over users using weak passwords, so hashing is no guarantee of security, and should never be considered as such. Matching a weak hash might not be too trivial. In reality, you'd probably never encounter plain-text passwords in a database the way it is shown in this video (although there have been far too many high-profile instances of just that from large companies that should know better).
      If visitors to your site are able to insert dynamic queries into your database using SQL, the damage is done. A bit like shutting the gate after the horse has bolted. Better to prevent this in the first place. Never insert user input into a query dynamically; you have absolutely no idea what that input will be. *My default approach when programming is to assume that all your end users have malicious intent. Just don't ever - EVER - trust user input.*
      Basically, lazy coding opens the door to SQL injection. You can prevent it by doing things you should've been doing in the first place: validation on input fields, sanitize the inserted data before working with it, and completely separate the database query from the user data, using prepared statements or stored procedures. That way you can explicitly instruct what data type will be used in place of the temporary placeholders.
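
As an added illustration of the two points in this exchange (it is not part of the thread and not the video's own code): a minimal Python/sqlite3 login check with the string-built query beside its parameterized version, showing that hashing the stored password does not stop injection through the username field, while binding parameters does. The table, the two users and the SHA-256 hash column are constructed for the demo.

```python
import hashlib
import sqlite3


def hash_pw(password):
    # Plain SHA-256 keeps the demo dependency-free; a real password store
    # would use a slow, salted hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed demo data: two users whose passwords are stored only as hashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    for name, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                     (name, hash_pw(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The password is hashed, so it can no longer carry SQL, but the username
    # is concatenated into the query text and so becomes part of its structure.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + hash_pw(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # The SQL text is fixed; sqlite3 binds the values as data, so quotes or
    # comment markers inside the input can never alter the query.
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, hash_pw(password))).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # In the string-built query the quote closes the literal, OR 1=1 makes the
    # WHERE clause always true, and -- comments out the hash comparison, so the
    # first row (alice) is returned without any valid credentials.
    injected_user = "' OR 1=1 --"
    return {
        "vuln_good_creds": login_vulnerable(conn, "bob", "hunter2"),
        "vuln_wrong_pw": login_vulnerable(conn, "bob", "wrong"),
        "vuln_injected": login_vulnerable(conn, injected_user, "anything"),
        "param_good_creds": login_parameterized(conn, "bob", "hunter2"),
        "param_injected": login_parameterized(conn, injected_user, "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```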

    • @leonardfabris1548
      @leonardfabris1548 5 years ago +1

      Get cleaned data when saving forms to the database

    • @toma1610
      @toma1610 4 years ago

      You mean the mysqli_real_escape_string() function? Should there be a way to attack this kind of escaping???

  • @enderst81
    @enderst81 6 years ago +1

    Great video! Labs are fun too, hopefully you get 100.

    • @HackhappyOrg
      @HackhappyOrg  6 years ago

      Thanks for watching enderst!! We did it!

  • @nveenjain
    @nveenjain 6 years ago +2

    Yeah I want SQL injection CTF lab... BTW Awesome video.. More stuff in this format please

    • @HackhappyOrg
      @HackhappyOrg  6 years ago

      Glad you found it useful Naveen Jain. Thanks for watching!

  • @bluekplus1885
    @bluekplus1885 4 years ago +1

    Honestly, this is the simplest tutorial I will ever see. It's very simple, but there is a problem at 9:14.

  • @jhdzlia
    @jhdzlia 5 years ago

    Very useful and clear, thanks! How many comments left to get the lab?

  • @leeguy1183
    @leeguy1183 3 years ago

    This was great, but I didn't understand how you were getting the code.. But it gave me the basic understanding.

  • @cytechnet
    @cytechnet 6 years ago +46

    I want the SQL injection CTF lab!!!

  • @sarahghanei1997
    @sarahghanei1997 5 years ago +3

    That was such a great tutorial, thanks.

  • @NowWhat01
    @NowWhat01 6 years ago

    You just earned a new subscriber...great content! Now I have to watch it again so I can create a cheat sheet.

  • @rukotanaavianrogers7924
    @rukotanaavianrogers7924 4 years ago

    Awesome tutorial. Awaiting the lab

  • @ghengiskhan8604
    @ghengiskhan8604 6 years ago

    Very informative. Especially like the executing query displayed at the bottom. CTF lab would be great.

  • @elamathi3420
    @elamathi3420 5 years ago

    Great video, easy to understand, please create a video on how to prevent SQL injection as well.

  • @jacossantos2795
    @jacossantos2795 3 years ago +1

    Hi, is there any free way I can get a SQL injection?

  • @pratyushsingh3278
    @pratyushsingh3278 4 years ago

    Very nice, I could understand everything and follow it, please keep going

  • @dagabaaz709
    @dagabaaz709 4 years ago +1

    0:00 neck jerk like a DJ.. that was good

  • @nomanmalik677
    @nomanmalik677 5 years ago +1

    That's a really cool tutorial sir!!!!
    Thank you so much

  • @radheshyamsingh6355
    @radheshyamsingh6355 4 years ago

    I loved the way you teach.....amazing, keep it up...

  • @blakeyun5089
    @blakeyun5089 5 years ago

    Great video, very nicely explained.
    Can you suggest any reading material or videos for SQL?

  • @anonanon2601
    @anonanon2601 6 years ago +1

    Subbed. Thanks for the guide! Constructive criticism: explaining what sanitizing is, why the SQLi DB is the target, how to ID a DB type for SQL syntax, and of course some disclaimer about usage. Look forward to watching your other stuff!

  • @rahaper
    @rahaper 5 years ago

    Thanks buddy, very clear explanation.

  • @christopherwestlake4159
    @christopherwestlake4159 4 years ago

    Thank you so much for breaking it down for me in a way I understood. If I had seen this video 15 years ago, my life would be so much better/different than it is now. I had the ambition to learn it but needed a breakdown like you did, so I'd feel it was something I would be successful at, because I'm sick of trying something for way too long and then just giving up; that's just too much time wasted and I have no time available to waste.

  • @ishitas1
    @ishitas1 4 years ago

    Thank you it was good to learn the basics

  • @Jojo-nf1yk
    @Jojo-nf1yk 5 years ago

    Great job, fantastic video, very didactic. Thanks a lot !!

  • @user-xp9yj5uu5r
    @user-xp9yj5uu5r 2 days ago

    I am just learning

  • @jaishankarpatil4554
    @jaishankarpatil4554 5 years ago +2

    Thank you for sharing the idea 🧠🤯. Please upload the practical SQL injection video. You are an amazing explainer

  • @danielgattiker568
    @danielgattiker568 5 years ago

    Very nice explanation! You got a new sub ;D

  • @RajendraPrasad__Its_my_profile
    @RajendraPrasad__Its_my_profile 4 years ago +1

    Love the way you explained with that calm voice. School kiddos also understand easily without any technical background. Waiting for the CTF lab materials. Thank you!! @HackHappy

  • @reddemon3981
    @reddemon3981 5 years ago

    I am new to this. Your video is very useful to me. Thanks for your vid.

  • @potatosmasher1072
    @potatosmasher1072 4 years ago +1

    4:25 YOOO IT’S A BOOLEAN THAT’S SICK

  • @neopolythe
    @neopolythe 5 years ago

    Great video and content clearly presented. Do you mind me asking what software you are using to edit and compose your videos?

  • @rolandprice5768
    @rolandprice5768 5 years ago

    Great vid! Looking forward to the lab!

  • @AtomicBl453
    @AtomicBl453 5 years ago

    You're the fucking Bob Ross of SQL injections!

  • @preetigoel
    @preetigoel 4 years ago

    Awesome and very helpful video 👍

  • @firozbhuyian7172
    @firozbhuyian7172 4 years ago

    Wonderful Tutorial, Always hope ahead.....!!

  • @gehadhilal42
    @gehadhilal42 5 years ago

    Thanks a lot, it was really a good job. I hope you continue.

  • @jlow304
    @jlow304 5 years ago +1

    Great video, keep up the good work :)

  • @SlayerFoxX
    @SlayerFoxX 4 years ago

    Great video!!

  • @ZerixxHD
    @ZerixxHD 6 years ago +1

    Awesome vid, easy to understand, good job

    • @HackhappyOrg
      @HackhappyOrg  6 years ago +2

      Glad you found it useful XacT. Thanks for watching!

  • @iceweasel3790
    @iceweasel3790 6 years ago +5

    I watched it twice and I still don't get what you are trying to do :( Thanks for trying to help people though.

  • @xs1l3n7x
    @xs1l3n7x 6 years ago

    I'll be waiting for that CTF, good stuff.

  • @zhanny8211
    @zhanny8211 3 years ago

    Me be like: ha, finally I can crack open someone's firewall

  • @mutemwaboltonkacanamutemwa3715
    @mutemwaboltonkacanamutemwa3715 4 years ago

    Sweet video, still waiting for the LAB!

    • @oblio10
      @oblio10 4 years ago

      lol same

  • @user-xw9tn8zx1g
    @user-xw9tn8zx1g 6 years ago

    Great video. Thank you for the help

    • @HackhappyOrg
      @HackhappyOrg  6 years ago

      Glad you found it useful Max Barkouras. Thanks for watching!

  • @deadlock107
    @deadlock107 6 years ago

    Very informative tutorial, thank you!

  • @luqmanahmad3153
    @luqmanahmad3153 5 years ago

    I learnt something new. Thank you

  • @devinwat
    @devinwat 5 years ago

    I don’t know anything about coding...I just started getting into this all and trying to learn as much computer science type stuff as I can, so...how do you know what coding to type out while doing this? Is it always going to be this type of line to go through them? Or just from experience?

  • @otkennix
    @otkennix 3 years ago +1

    Please sir, how can I use a web browser to try the injection?

  • @lorimariepeavey1164
    @lorimariepeavey1164 4 years ago

    Thank you 😎

  • @NonchalantSquid
    @NonchalantSquid 4 years ago

    I don't really understand the need for the random numbers (at first all 1's, but then 3, 4, 5, 6, & 7).. Seems like a lot of people here understand their purpose; it could be my lack of adequate experience with MySQL. What are those numbers used for?
    Also the random single quotation marks (like before 7; '7), not really sure what their purpose is. It was never explicitly explained..
    Thanks in advance

  • @optimalk4662
    @optimalk4662 6 years ago

    Great video, very informative!

    • @HackhappyOrg
      @HackhappyOrg  6 years ago

      Glad you found it useful K'Ci Beckford. Thanks for watching!

  • @HRZ007
    @HRZ007 4 years ago

    I like your videos, plz upload more

  • @ratulsikdar5598
    @ratulsikdar5598 4 years ago

    Thank you for your video! It was very helpful but I'm curious to know how I can find the 2nd user from the table without knowing the userid and password? If you could answer that, I would greatly appreciate you!

  • @Abhishekkumar-vf8qe
    @Abhishekkumar-vf8qe 5 years ago

    Nice one... I tore down my login

    • @HackhappyOrg
      @HackhappyOrg  5 years ago

      Thanks for watching Abhishek kumar!

  • @virajchethiyasamaranayake1803
    @virajchethiyasamaranayake1803 4 years ago

    I need to practice this....

  • @AlineBora
    @AlineBora 3 years ago +1

    Where are you inserting all the code to get such results? This was not clear

    • @DrakeOola
      @DrakeOola 3 years ago

      He literally shows you on the screen.
      You put it where user input is expected. For example, when you log on to your YouTube account, you put the code where you would normally put your username, or you can put it in as your password. You can even copy/paste it into a comment or the search bar. It can go wherever user input is expected. Now this obviously doesn't work on YouTube. In fact it will not work on 99% of the sites you visit. It happens when the creators forget to sanitize their inputs, but it is an extremely well known exploit and extremely easy to fix. Hard to explain to a non-coder what sanitized inputs are, but I'll try if you even read this comment and ask 😅

  • @Kevin-jl8ps
    @Kevin-jl8ps 5 years ago +1

    Wow, this is so interesting!

  • @mustache2295
    @mustache2295 4 years ago

    Late but I don't understand how switching table_schema between 3 and 4 has anything to do with whether or not your injection works. Can OP or anyone else explain this for me please? The audio cuts out during this portion of the video for whatever reason.

  • @alexissuarezalvarez5622
    @alexissuarezalvarez5622 4 years ago

    Thanks for the tutorial. I have a question: after searching for matches in the database, what happens if the user and password validation is done with Java, C#, JavaScript, etc.? Would SQL injection work?

  • @loser1238
    @loser1238 4 years ago

    So why did we use the numbers 3, 4, 5, 6 and 7?

  • @aiselcatify
    @aiselcatify 6 months ago

    But what do you do if the forms have required fields? I put the SQL code in one field and can't even execute it because the other field is blank :(

  • @jackakif
    @jackakif 3 years ago

    Thanks, got rusticated from my university

  • @lethabo5705
    @lethabo5705 5 years ago +2

    Hey, where is the lab??

  • @dmcandar353
    @dmcandar353 5 years ago

    Thanks for this 😊😊

  • @lubinlfb3563
    @lubinlfb3563 4 years ago

    Please help, I don't understand where the black board is supposed to be… HTML code when inspecting element???

  • @wasiyanilofardpsnacharam1253
    @wasiyanilofardpsnacharam1253 5 years ago

    Very nice explanation ....bingo, liked it

  • @forhadhossain7382
    @forhadhossain7382 5 years ago

    nice tutorial :) well explained

  • @MistralKriss
    @MistralKriss 3 years ago

    Very interesting

  • @mydailymiracles
    @mydailymiracles 5 years ago +2

    Good video... Just had to put the speed at 1.25 ;)

  • @christianity_education
    @christianity_education 4 years ago

    It was educational

  • @ramjasoria4462
    @ramjasoria4462 6 years ago +2

    Nice work, please upload SQL injection CTF labs, beginner to advanced