Hello, everyone. I am Sanjay Gupta. I welcome you to Sanjay Gupta Tech School. I hope you are doing good. And today is day 13 of the cybersecurity bootcamp. And after understanding lots of bootcamp now, Sumit is explaining how we can secure Salesforce CRM, right? So I welcome Sumit on the platform. So, Sumit, let's start the session and explain some more concepts, like how folks can understand how to secure Salesforce CRM with the help of cybersecurity tools. Over to you.

Welcome again to the cybersecurity bootcamp day 13. Today I'm going to discuss how you can find a vulnerability called SQL injection. So guys, my name is Sumit Jain and I'm an ethical hacker and cybersecurity expert. I'm working as a Cinec red team and pent up a red team member where I'm finding some security vulnerabilities on various platforms. I'm also working as a senior security specialist at JITRO Networks, a company located in India. I have 10 plus years of experience in this field and previously I was working as a guest instructor at Central Detective Training School. Right now I'm helping students, freshers and professionals to build their career in cybersecurity and related fields. So you can follow my YouTube channel. The channel name is Cyber Security Zone, where I'm regularly creating content related to cybersecurity: how you can use, install and run some of the scripts or tools, and various vulnerabilities. You can follow Sanjay Gupta Tech School as well, and you can share a review or feedback about this bootcamp, how you like it. You can connect with me on these platforms as well. I'm available on LinkedIn and Twitter, where I regularly post some cybersecurity-related tips. You can contact me on Telegram as well. The links are available in the video description.

So today we are going to learn about SQL injection. So what is SQL injection? So SQL injection, called SQLi in short form, is a code injection.
Code injection attack where an attacker manipulates the data being sent to the server to execute malicious SQL statements to control a web application's database server, thereby accessing, modifying or deleting unauthorized data. This attack is mainly used to take over the database server. So what is SQL injection? It is where we inject some SQL statements in various application links and then we analyze whether the application responds to our unauthorized SQL statements. And if we can connect to the database, we can retrieve or modify and delete some of the data.

We have SQL injection types. So the SQL injection types are in-band SQLi, error-based SQLi, union SQL injection, blind SQL injection, Boolean-based (content-based) blind SQLi, time-based blind SQLi, out-of-band SQLi. So these are all the SQL injection types; using these techniques, you can inject SQL statements in your application.

So how to test if your website or application is vulnerable to SQL injection: by using a simple test, adding a single quote. Add this single quote at the end of the URL like this. If you have an example URL like vulnerablewebsite.com and we have a page and a parameter called ID and then we have a value called 5, then add a single quote after the end of the URL, and if it responds with some error, then we show that the SQL injection vulnerability is present. Then we can manually exploit it and find some database or some table names, column names and some data, if the database has some data in it.

So let's see with a manual practical how you can do this. So this is an application. This is a dummy application where you can test or practice your SQL-related queries. So in this website, we have multiple web pages, like you can browse categories. So this is a page categories.php, and we have a page called artist.php, and these are all the artists, like Artist1. You can find some artist name, and if we change this value to 2, we find another artist.
This is artist number 2, and if we put 3, then we have another artist. So this application has various pages. So if you clearly see, previously we collected all the URLs related to our Salesforce. So you can find all these parameters in your Salesforce CRM or the application that is using Salesforce CRM. If we can find these parameters that have some value in them, or some alphabets or some digits parameter or some token, you can test your application for SQL injection. And how can you test your application with SQL? You can put a single quote after the end of the URL and see how the application behaves. So if I enter a single quote, you can see there is an error, and this error creates a warning, and the warning is: mysql_fetch_array() expects parameter 1 to be resource, boolean given, in this link on line number 62. So let's browse another page like this.

Can you please zoom in? Actually, the text is very small. Now it is good.

So if we browse another page, like browse artist, your cart. So we have multiple web pages, but none of them have parameters in them, like disclaimer, your cart and guestbook. All these don't have any parameters in the URL. We have only this, and one of the URLs is listproducts. And if we see, there is the product listed on this link. So if we change the value to two, we have another product. If we change the value to three, we don't have any product. So these are all the links we have to test for SQL. And if I put a single quote at the end of the URL, you can see you have an error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use. So if we got any error related to your SQL syntax, that means this application or this URL is vulnerable to SQL. You can inject other SQL statements to retrieve some of the data from the database that the website has. And if you use our Wappalyzer add-on, you can see this website is built on PHP.
And this is using the editor Dreamweaver, and the web server is Nginx and the operating system is Ubuntu. But we have a database in SQL. So we have an SQL error. So we can test it further with a manual tool. So first, you need to confirm whether your application is vulnerable to SQL injection or not. And to do that, you need to put a single quote at the end of the URL. You can put a double quote as well, and you can put a semicolon at the end of the URL, and see if your application behaves and generates an error. If you have an error in your SQL syntax, that means your website is vulnerable to SQL injection and you can proceed further to retrieve some of the database or to retrieve some of the user names, some of the passwords that are stored in this application's database.

So how do you test further and how will you retrieve all the things? So we have a tool, we have a script called sqlmap. This is preinstalled in Kali Linux, if you're using Parrot operating system or Kali Linux operating system, which is based on Linux. So we have sqlmap preinstalled in it. Open it with this command: type sqlmap in your terminal. And this tool will run. And then we have multiple commands to test whether an application is vulnerable, and we have multiple commands to retrieve some of the database. So the first command we use is this: sqlmap, space, hyphen u, used for the URL. You can give your full URL like this. This is my URL: http://testphp.vulnweb.com/listproducts.php?cat=1. This is our URL, which you can see. And then I will use this command, hyphen hyphen dbs. This is for retrieving databases. If this application has any database name in it, this script will perform some methods and will show you if this application has a database. So let's use it and see if you get any database in it. So this is my terminal, and you can see, type sqlmap and you see our sqlmap is present in Kali Linux.
You can use hyphen u and then the URL, and type hyphen hyphen dbs; dbs is for database names. Hit enter. And you can see it is showing that we have two available databases. One of the database names is acuart and the second one is information_schema. You can use this command for testing whether your application is vulnerable or not. You can simply put sqlmap hyphen u and then your vulnerable link and hit enter without any parameter, and you see the back-end DBMS is MySQL. So this command will show you what your back-end DBMS is, the database management system. And you can see this is saying that sqlmap resumed the following injection point. So this is the injection point where we can inject our query: the cat parameter. So in our link, we have a cat parameter. And what type of SQL injection do we have? We have Boolean-based blind injection. The title is AND boolean-based blind, WHERE or HAVING clause. So these are all the clauses we have in an SQL statement, and the payload this sqlmap script used is this. And we have another SQL injection present in this: type error-based, title MySQL 5.6 AND error-based, and the payload this application uses is this. We have another in this. So this link is vulnerable to all of the SQL injection types. So we determine that the back-end DBMS is MySQL and the web server operating system is Linux Ubuntu, the application technology is Nginx 1.19 and the PHP version is 5.6.40, the back-end DBMS is MySQL version number 4.6.

So now we have a database name and retrieve a database name. We use this command. This command will retrieve the database. So let's run again. So we have a database called acuart, A-C-U-A-R-T, acuart. Now, if we have a database name, we can use this database to find tables as well. So we use a flag called hyphen D, which is for database. If we have a database name, we use hyphen D and then give the database name. So this is our database name, and then hyphen hyphen tables.
This command will show every table name present in this application, and then run. You can see we have a total of eight tables in this database. The acuart database has a total of eight tables. And if we want to retrieve some more data inside these tables, we use these table names one by one. So we have the artist table. We have carts. We have catalog. We have featured, guestbook, pictures, products and users. This might be suspicious, because the user information or some admin information will be stored in this table name. So let's use this table name for our further proceedings. Now you can use hyphen T and then give your table name and then find columns. So in this command, we have a database. The database name is this, and we have a table too. If we have a table name, we use the command hyphen T and users. This is the table name, and then the command to find columns is hyphen hyphen columns. Hit enter. And you can see we have some of the columns present in the users table. So these are all the columns present in the table named users.

Now we have the table name. We have the database name. We have the column name. Let's dump the data in each of these columns. So use this command and give the column name. We use capital C and then give some of the columns we found earlier. So let's give email and then hyphen hyphen dump; dump is used for dumping the database. And hit enter. And you can see we have an email listed in the column named email, and the table name is users. So we have an email. So with the help of SQL injection, we can dump the database. We can change the database or we can modify the database. So let's use another table name. So let's see once again what we have: address, at, email, name, pass, phone and uname. So let's use these one by one. This is the command. Let's change the value here, like pass. And you can see some of the password. The password is test. And if you use another column name like uname, we have a column named uname. So we have a uname as well.
This is the uname. We have address as well. So this is the address we have present in this column name. So with the help of sqlmap, you can easily retrieve or dump and test whether your application is vulnerable or not.

And see if we have this type of application, like we don't have any parameter in it. If we don't have any parameter, if we have a single page like this in our link or URL, you can easily test this also with the help of sqlmap. So we don't have any parameter and value present in this path. So we have to specify where sqlmap will inject all the queries or all the statements. So we put a custom injection marker, and this is a star. So this star is known as the custom injection marker. Let's use this and see if we can find some of the vulnerabilities here. So use sqlmap, hyphen u, and give your domain name, testphp vulnweb. So let's see if our sqlmap will find some database names or not. So here you have "custom injection marker found in option u, do you want to proceed"; say yes and enter y. So sqlmap is running and it is testing all the possible statements on your given target. And you can see multiple accesses SQL injection attacks are performed. And if this tool or script gets any database name, it will be presented at the end of the result. You can see all types of SQL injection, SQL database servers it will test. Now it is saying it is recommended to perform only basic union tests. But we want to perform some more tests. So click on n, no. Because this says "do you want to reduce the number of requests", but we don't want to reduce the number of requests. So I put n, and then it is testing more SQL statements and injecting more SQL queries into our vulnerable field, our testing field. And you see that the URI parameter does not seem to be injectable. This is not vulnerable or not injectable with any of the SQL.
And you see the HTTP error code detected during the run: not found. So this URL is not vulnerable to SQL, but this URL is vulnerable to SQL. And if you check this also, like artist.php?artist=1. Let's check this out as well. Use our sqlmap and give the full URL, artist.php?artist=1. This is our URL, and see if we can find something with that URL; also put hyphen hyphen dbs. Hit enter. So it is saying that it might be injectable and the possible DBMS is MySQL. So let's say yes. Say yes. Various SQL queries are performed via sqlmap. So now the result is: the parameter artist is generic UNION query injectable, and the parameter artist is vulnerable. Do you want to keep testing the others? But this is vulnerable. So no. And then you can see the back-end DBMS is this, and the available databases. The same databases we have using listproducts. The artist.php URL also has these databases.

So let's now explore this table name. Let's give the database name; for giving the database name, I'm using hyphen capital D and then give the database name. This is our database name. And then we want to find tables. So put hyphen hyphen tables and hit enter. So you can see we have multiple tables present in this information schema. We have 79 tables. So we have applicable roles, character sets, columns, events, engines, files. So let's choose one of these tables and extract some more data. So let's choose. Let's choose profiling. Now I want to find some columns in the profiling table. So I will use capital T and then give the table name. This is the table name, and then give hyphen hyphen columns. This command is used to find column names. So let's hit enter and see if we can find some of the column names. Yes, we have some of the column names. The column names are CPU system, CPU user.
Let's dump the data with the help of these columns and the help of the table name. So copy this and use this column name; for giving the column name, we use capital C and then give the column name we have. We have CPU user, and then hyphen hyphen dump, using this command. You have your CPU user. So it is saying that this value is empty, because we don't have any entries in CPU user. So sqlmap is quite important. You can check every single URL with the help of sqlmap.

So now let's find some of the links of the Salesforce domain. So we already collected some of the URLs. Let's see what we have in our file. So we have Salesforce URLs. We have this file. This file has all the possible paths that we have in the Salesforce web application. So let's open it, and you can see we have multiple paths. Let's choose one of them and test if we can find something. So like this, we have this parameter. You will find multiple parameters in this file. So let's choose one of the paths and see if we can find an SQL injection. So let's choose. Let's choose a single path without a parameter. So copy this, and in another terminal I'm using sqlmap and then hyphen u; give your file name or path name, because we don't have any parameter at the end of the URL. So put the custom injection marker to specify where your sqlmap will inject all the possible statements or queries, and then hyphen hyphen dbs. Let's check if this path or link is vulnerable to SQL injection or not. Proceed, and you see this URI parameter does not seem to be injectable. So you need to check every single link in this file. We already collected all the possible links that Salesforce has in their domain. Now let's give a link with a parameter in it. So let's find a link that has a parameter. This link has a parameter. So let's copy this link and test it with the help of sqlmap. So this is our command, and I'm going to change the path name.
So when we have a parameter name in our URL, sqlmap will automatically inject the possible statements here. But if we don't have any possible parameters in our URL, we have to specify with the custom injection marker and put a star where you want to inject your queries. You can inject your queries on the file directories as well. You can inject the queries on the file extension as well. And hit enter, and see, this is saying the GET parameter is vulnerable. Let's testing others. No, it is not right now fetching because Salesforce is using all of these databases. The back-end DBMS is not set max db Sybase IBM. The back-end DBMS is Informix. So Salesforce is using the Informix DBMS, database management system. And now sqlmap will try to find some of the database names, if we can find something. So it is fetching database names, fetching the number of databases, running in single-thread mode. So the database retrieved of this value and now retrieving. It is testing the possible scenarios, basically fuzzing and creating combinations that are present in Salesforce. So let's see if we can retrieve some database name. And if we find some database name, then we can proceed further by finding the table name and by finding the column name and then dump the data. This will take time, because Salesforce has multiple database sets. And you can see the combination is this. So sqlmap will be creating all the combinations with the help of fuzzing. We have to wait till the scan is finished.

So we have another tool for checking SQL-related vulnerabilities. The tool name is Ghauri. You can install it with the help of GitHub. I already told you, and you can watch our previous videos on how to install all these scripts. So this script is written in Python. You can easily clone it with the help of this command and then run it. So Ghauri is an advanced tool that will find SQL injection and is used for detecting and exploiting SQL injection.
So we have two scripts to exploit SQL-related vulnerabilities. One is sqlmap and the second one is Ghauri. The command is the same: the URL command or the dump command, the table command and the column command. We don't have to read the other commands when using Ghauri. This scan is still processing. So you need to check every parameter or every link we have, and you can automate the task with a single command as well. And how can you automate this? You can simply give this whole file to our sqlmap. But this will take time, because we have a lot of URLs, around 10,000 URLs we have. So first you need to filter and remove the same links; like this link, and all these links are the same. All these links have the same path. So you need to remove them and then give this whole file to sqlmap. And how will you give this file to your sqlmap? So open this file with the help of cat salesforceurls.txt and then give sqlmap. Use a pipe, and all these URLs will be forwarded to sqlmap and sqlmap will run automatically. So it will test all the URLs you have in your file, and then you can check your result. Because we have multiple URLs in the file, it will take time. So you need to run this command from your back end and then check back later. This is also running.

So SQL vulnerability is quite openly discovered on every application. You can find this vulnerability very often. First you need to collect URLs. You need to find some of the valid links that have a parameter in them. Put a single quote at the end of the URL. You can use a double quote or semicolon as well. And if your application generates an error, or your page is not visible and you got some kind of error, then there might be a chance to have a SQL injection in your application. Then you can simply exploit it manually or exploit it with the help of some script. So we have two scripts. One is sqlmap and the other one is Ghauri. With the help of sqlmap and Ghauri, you can simply retrieve and dump the database.
If we have any database, if we have any table name or column name present in it, we can exploit it manually as well. So let's see if we can exploit manually, because this is taking more time to proceed. So we have this link. Let's put a single quote at the end of the URL, and you can see we have an error in our SQL syntax. If we want to find out what we have, first we have to find what number of columns we have, the total number of columns. So you need to put an SQL statement, ORDER BY 1, and then press enter, and you can see your page is loaded. That means your number one column is present. Give here two, and continue until you get an error; like if I give here four, I get an error. That means a total of three columns are present in this application. And then use this command to find what the vulnerable column is. The manual command is not working. So we have two scans running here. In one, I'm giving all the URLs to sqlmap and all the links are tested, and in one I'm manually exploiting a single URL where some of the database is retrieving.

So SQL injection is a simple attack where you can find the database with the help of sqlmap. You can just find some of the URLs with the help of Katana or gau or waybackurls, then collect all these URLs, find some of the URLs that have parameter values in them, and put a single quote or double quote or semicolon at the end of the URL and see if we can generate an SQL syntax error. And if you get any error in your application, then forward it to sqlmap, and then sqlmap will do the rest and find all the databases or the table names or column names and the data present in this vulnerable application. So guys, if you have any question, ask me in the chat. So I will tell you.

Yeah, I think there is no question as of now. So do we have more things to cover or are you done?

I'm done for today.

Okay. So guys, if you have any question, you can ask in the chat, so that Sumit can answer.
And I think he very well explained SQL injections, and go through the recording once so that you can understand it better, and do the practice, those who are following all the sessions. Okay. So there is no question. So with this note, we can end the session. Thank you so much for sharing your knowledge for today. And we'll be having one more session this week, tomorrow, and then we'll be having sessions next week. And now Sumit is linking cybersecurity with Salesforce. So I think for those who are in the Salesforce ecosystem, this will be a good opportunity to learn. Okay. Thank you so much. Thank you so much for sharing the knowledge. Thank you, everyone.