SQL engine no no no[Music]let's use a SQL injection to hack into awebsite here is our Target alturo Mutualan online banking site that is totallyreal we're going to use a SQL injectionto hack into this website and gain adminprivileges you'll be able to hack thiswebsite in like 30 secondsnow one of the scariest uses of SQLinjection is that bad actors can use asimple login form like this to dump adatabase of usernames and passwords andthen put them on the dark web with a forsale sign and you'll never know about itnothing you can do well actually youcould probably try Dashlane the sponsorof this video Dashlane will actuallymonitor the dark web and see if yourusernames and passwords are for sale andif they are they will alert you and Ihave a lot I need to fix that and thenusing Dashlane you can generate acompletely random password uniquedifferent from your other passwordsright you don't use the same passwordfor every website do you anyways andDashlane will store it for you and thisright here is definitely my favoritefeature of Dashlane they'll do passwordsand they'll also do multi-factorauthentication right there in thestinking app I love that so all yourstuff is in one place keeping you safeand making it a bit more simple to loginto sites I use Dashlane personally foreverything and also for my business andcheck this out I get an admin consolegiving me a dashboard of all myemployees password Health scores andit'll tell me whose passwords arecompromised so I can basically force myemployees to be secure which you have todo that they're not going to listen sostart securing your passwords for freeright now check it out link belowdashlane.com forward slash networkchuck50 use the code Network chuck50 andyou'll get 50 off and did I mention youcan secure your passwords everywherephone tablet computer yeah it's awesomeso again here's the website it's asimple login form and we won't need anyfancy tools all we'll need is a keyboardand some coffeenow our goal of this login form is touse it in a way that will give us accessto the underlying database when you tryto log into this website or really anywebsite when you hit enter the websitewill connect to a database and Run asearch to see if your username andpassword exists on the database if theydo you're in log in successful so hereis where a SQL injection comes in andit's kind of crazy we know that a lot ofwebsites will do this very thing query adatabase and possibly have a query thatlooks similar to this and this may lookfamiliar if you watched my previous SQLvideo we'll use statements like this tofind information in a database but herewe're going to use the beauty of SQLagainst them now in our scenario wedon't know the username and password solet's take that out now let's first justbrute force it let's guess and maybewe'll get lucky now as I'm typing thisnotice what happens to our query thiswill be important for our next step theusername could be admin it's a popularusername for administrative accounts andwe'll try the password password one twothree let's click login oh failed it wasworth a try but did you keep an eye onour statement notice that whatever wetyped in was entered here in the querybetween single quotes now here is whythat's important and programming and inSQL when you have a string of charactersbetween quotes like this can be singleor double quotes that's referred to as astring it's a data type so looking atour query down here anything insidequotes is going to be a string andeverything outside of it is a SQL queryand we know that whatever we enter herein the username field and the passwordfield will end up becoming a stringinside that query but what if we couldmake it not do that and this is wherethe hacking comes in what if we couldsend not just a string but some more SQLquery to change what happens to hackwhat happens so let's try this let'stype in our username once more here atadmin but at the very end we're going toadd a quote a single quote and let's tryto log in okay didn't work we haven'thacked it just yet but notice somethingand this will tell you if a website isvulnerable to SQL injection this is agreat way to test that and pay closeattention to the error we have a syntaxerror because if you look at our querydid you notice what happened we haveanother quotation mark right here afloating quote and this is fantasticnews for us because the reason I got asyntax error is you know a string isbetween two quotes if you only have onequote then it's not complete it's we gota syntax error it's like freaking outbut now we know that we can insert someextra stuff besides just our string sonow that we know this application isvulnerable to SQL injection let's try afew SQL injection payloads which isactually pretty easy it sounds scary butit's not too bad now before I show youthe payload let's re-examine why ourfirst login failed I mean it's obviousright the username and password wereincorrect but I want you to look at thelogic of this query the SQL statementwhat it's saying is both the usernameadmin and the password password123 haveto exist together just like this if bothof those are true it will evaluate totrue and we get a successful login butin this case they're not there it's adifferent password so it evaluates tofalse so now here's where the magiccomes in here's where our payload comesin what if we can make the SQL statementalways evaluate to true no matter whatwe put in let's try it out this firstpayload is what's known as an or payloadand it's going to look something likethis in our username field right hereI'll do our opening quote I'll do aspace and I'll type in or and I'll doanother string I'll do one as a stringone equals and another string one nowobviously something cool is happeninghere but what are we doing why are wedoing this two reasons first notice thatwe added some more SQL code in there bybreaking out of the string with ourextra quote we were able to add someextra SQL query language stuff hereand here's a fun fact about how SQL willprocess The Operators like and and orand and orum that's confusing when evaluating astatement like this to see if it's goingto be true or false it will first do theant that's the Precedence and first andthen after that or so now when we try tolog in here's how it will process thislogic and this will all make sense righthere it will first say hey does usernameequal admin and password equal passwordone two three does it well no so falsebut it's not done yet because we addedsomething extra and this is the hackthen it will say this but does theusername equal admin or one equal onelet me ask you a questiondoes uh does one equal one duh yeahright well it will one always equal oneyes and that's why we added thisnonsensical statement here thisstatement will always evaluate to truebecause no matter what one equals one sowe added some extra arguments and extraoperators saying hey does one equal onethen it's trueand that's the hack here when it comesto evaluate our or statement it'llalways be true let's try it out let'sclick log in well dang it it didn't workbut why it's actually pretty easy watchthis let's take a closer look at do younotice anything weird about our queryhere's a hint count the strings let's gostring here because we have two quoteswe have a string here two quotes now astring here two quotes well there's anextra quote and that's why we got thatsyntax error so let's fix that it'sactually not too bad just right here itseems like we have an extra quote at theend so let'stake that one off the end so now withour syntax looking nice and clean allcomplete strings no errors let's try tolog in log in and we did it we got in wesuccessfully injected SQL query code bytricking the login prompt that's prettynuts right here's a bonus question yourhomework what if we didn't know theusername what if the username was anadmin would this still work commentbelow how would you do it now usingpayloads like ore to subvert the logicof this query I like it but it'scomplicated there's another way we cando it and this way is kind of scarypowerful watch this because instead ofusing or to like mess the logic we'regoing to add a simple comment whenyou're writing code whether it's pythonor SQL things can get kind of complex soyou often want to make a comment aboutwhat you're doing with it so when peoplelook at your code they're not like whatyou can kind of tell them why you'recrazy so you'll use a special characterlike the pound sign or in my sequel'scase which is what we're using right nowyou'll have two dashes and a space andwhatever comes after that no matter whatit is will be ignored it won't beprocessed so what do you say we use thisgood thing for a bad thingwe're gonna turn a comment into a hackand watch how simple this is here in ourusername field we'll break out of ourstring once more with an opening quoteand then we'll simply do two dashes anda space notice what it did to our querylet me blow it up real quick right afterusername equals admin we have acharacter for comment and SQL telling itto ignore the rest of the code so wherebefore it said the username whatever itis and the password whatever it is hasto be in the database now the statementis simply hey is the username admin coolcome on in no password needed and that'swhat's happening it's ignoring the restof the the statement and when we try tolog in we're in login successful sohere's your homework I want you to breakinto El Toro Mutual the link is belowcan you break into this website withwhat you learned in this video try itout and let me know in the comments ifyou actually do it I would love to hearthat you did this it's kind of fun rightnow I will say this this is basic SQLinjection it's often more complicatedand a lot crazier and again while it isan old hacking type technique has beenaround for a long time it's still ranksnumber three in the top list it's stillcrazy dangerous and the reason isbecause companies are lazy or thecompany has coders that are lazy andthey may not even know what to look foras far as SQL injection because SQLinjections can be avoided pretty easilyI'll have some links below but somethings you can do are hey use preparedstatements with parameter I can't saythat parameterized queries use an allowlist for input validation Escape userinput before putting it into a query sowhat we tried here in this video thatwould definitely stop it and use storedprocedures I will not go into detail onall those and frankly I don't know howto do any of that so check the linkbelow and you can learn more if you'redeveloping you're like oh rap do am I amI vulnerable you should probably justdouble check that real quick just tomake sure if you think you're safeyou're not now where do you go from herenow again what we did here was basic butthere are a lot more payloads like onhere if you look at payloads all thethings look at all the differentpayloads you could possibly try for awebsite and also there are differenttypes of SQL injection like now we justdid in band error-based SQL injectionwhich is the easiest to most common butthere's Union based there's blind SQLinjection there's all kinds of thingsand I'm hoping that this video gave youa taste for how cool SQL injection isand you can go off and learn a lot moredive deeper get lost in it which Unionbased queries are crazy because you canadd additional skill queries on top ofwhat's already there and possibly dumpall the information from a table or justdrop the table and watch the world burnanyways that's all I got catch you guyslater