Hello everyone, my name is John Hammond. Welcome back to more picoCTF. This challenge is called My First SQL, the first challenge in the web category of level 2 here, 50 points. It says: "I really need access to this website, but I forgot my password and there's no reset. Can you help?" So we can check out the website, open it up in the tab here. Just like a regular form login, username and password, so credentials we would otherwise have to know. But the hint here is: have you heard about SQL injection?

So this is the first picoCTF introduction to SQL injection, which is one of my favorite things. I think one of the coolest things for hacking on the internet and stuff like that. SQL injection is tricking a back-end web program into thinking that you are inputting data into a database that runs in the back. However, it's not real data that you're putting in; you're tricking it, and it's going to take some of that data and consider it to be code. So normally you'll see queries that are trying to insert or select data from a database. That's sort of the syntax in this style: select something, some kind of column or table information, from a specific table where whatever column or field is something else. So if you get your own input that's kind of just being concatenated or added into the original query, there is significant potential for, like, bad things to happen. That's a vulnerability if you are just concatenating those SQL constants in their SQL literals. So this is kind of exactly what we can assume this website is doing, and if I wanted to just, like, log in with please sub and a password password... That's weird. Not okay. I don't know why that's not the regular login.
That makes no sense to me, but whatever. We can inject something into this to determine whether or not a user exists by getting a condition to log in that we know is always going to be true, because this WHERE clause in that SQL statement is running a test. It is running a conditional: where name is equal to something that we supply. But we can inject, hence SQL injection, some other code or SQL into that, SQL being the language, of course, that's being run in the background. I don't want to baby this up, but I know I should, and that some people are wanting to learn this for their first time of SQL injection.

The magic thing, the very kind of, like, bare-bones basic test that you'll see in, like, SQL injection challenges and in tests of this, is just determining: can we get one thing that obviously equals another thing to return or to go through? Sometimes you don't know the kind of string or quotations that it's using to determine a string, and maybe it's using double quotes or single quotes to denote their string. So you kind of have to fuzz, testing which one you are trying to end, because you're again concatenating in your input inside of what would expect to be a string. So you have to escape or end out of their string with a terminating quote (double quote or not), continue SQL code with adding a new condition or an OR statement for this WHERE, essentially an if clause or test clause, and another condition where something is equal to obviously itself. So that will clearly return true: one is equal to one. But we don't know what is at the very end of this query, so sometimes we'll have to comment out the rest of the SQL code, and the way we do that, again, is dependent on the SQL that's running it in the background, like the back-end database version. Maybe it's MySQL.
Maybe it's Microsoft SQL rendition, SQLite, etc., etc., and they'll have a different kind of form. So again, you'll have to fuzz and fudge that until you get something that will return a hit. So if we wanted to, we could simply try double quote, OR one equals one, and then a hashtag, which is what you'd expect for some MySQL versions. I'm just gonna paste that in both the username and the password field because we don't know which one is vulnerable. We can go ahead and try and log in, but that doesn't work for us. So, okay, let's try with OR one equals one, another pound symbol or a hashtag, because that is what MySQL uses for comments. Try and log in with that. Oh, okay, we get an error with your request, and it actually shows us the query that's trying to run in the background. You don't normally see this; this is again just for your learning capability in the CTF scene, because the CTF is being nice to us where it shows us what they're trying to use. They're using a single quote where user equals the start of our input. You see we have our single quote injected into it. So that's why the error is happening, because it's trying to interpret this OR one equals one, but our hashtag is being weird. It's getting in the way, because we now don't have a string that matches the rest of this. Password isn't there as well. So maybe it's not this, the comment style. But we do know we are using single quotes for our string. So let's change that: rather than using a hashtag, the Wikipedia page suggests some other things where you can use hyphen hyphen or dash dash to use a comment that you'd expect to see in SQLite. So let's try that again. I'm going to use it in the username and password field, and we log in: welcome admin, flag "Be careful what you let people ask", and the hash that should be different for each one. So we logged in as admin because we got an immediate return and an immediate truth in our condition, where one equals one, or one equals one.
So the first thing that we return is the very first row in the table that we're looking at, likely admin, or usually admin. So cool, immediate login. We've got our flag. If we wanted to, we could script this, and I'd showcase that in another video, but I don't think it's necessary for this one. We can paste that in and we can jump up on the scoreboard: 50 points. Super cool, that's SQL injection. I will, however, want to take a note of that as our flag, because I think that's good practice. Certainly writing a get-flag script would also be a good practice for it, but whatever, I digress. If you'd like me to, we certainly can; I'd use some Python requests, use regular expressions to pull out the flag, and we'd be grooving.

Special shout-out to the people that support me on Patreon. Thank you guys so much. I love you. That was weird. Sorry. A $1 or more on Patreon a month will give you a special shout-out just like this at the end of every video. Five dollars or more on Patreon will give you special access to a folder on Google Drive that I like to upload my early access videos to. Well, I include all the videos that I have recorded but not yet released on YouTube, because I normally record in bulk and YouTube gradually uploads them on a scheduled basis. So if you want to not wait, you want the content right when it's ready, that's the best way to do it, just five dollars a month on Patreon. If you did like this video, please do press that like button, maybe leave me a comment, and if you're willing to subscribe, that would be awesome. Link in the description to join our Discord server. It's a cool community of CTF players, programmers and hackers. If you want to hang out with me or some other awesome people, that's the best way to do that. Hope to see you guys on Patreon. Thank you, and I hope to see you in the next video. Bye.
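As an added example (not code from the video or from picoCTF), here is the concatenated login query the video describes rebuilt against a constructed in-memory SQLite table, showing why the `#`-comment variant produces an error while the `--` variant logs in as the first row, and the parameterized form that closes the hole. The table contents, column names and passwords are assumptions made up for the demo.

```python
import sqlite3

# Constructed in-memory stand-in for the challenge's user table
# (assumption: the real schema and passwords are not shown on the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "constructed-admin-pw"), ("guest", "guest")])
    return conn

def login_vulnerable(conn, user, pw):
    # The user input is glued straight into the SQL text, the pattern the
    # video describes, so quotes and comment markers inside the input become
    # part of the query instead of part of a value.
    query = ("SELECT name FROM users WHERE name = '" + user
             + "' AND password = '" + pw + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError:
        # SQLite has no '#' comment syntax, so that variant is a parse
        # error: the "error with your request" page seen in the video.
        return "error"
    # fetchone() gives the first matching row, which is why the always-true
    # condition lands on the first user in the table (admin here).
    return row[0] if row else None

def login_safe(conn, user, pw):
    # Parameterized query: the driver binds the inputs as values, so a
    # quote or '--' inside them is just text that must match literally.
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (user, pw)).fetchone()
    return row[0] if row else None

def run_demo():
    conn = make_db()
    payload_hash = "' OR 1=1 #"      # MySQL-style comment, rejected by SQLite
    payload_dash = "' OR 1=1 --"     # standard SQL comment, accepted by SQLite
    return {
        "vuln_hash": login_vulnerable(conn, payload_hash, payload_hash),
        "vuln_dash": login_vulnerable(conn, payload_dash, payload_dash),
        "safe_dash": login_safe(conn, payload_dash, payload_dash),
        "safe_real": login_safe(conn, "guest", "guest"),
    }

if __name__ == "__main__":
    print(run_demo())
```

The same input that bypasses `login_vulnerable` simply fails to match any row in `login_safe`, which is the fix a defender wants: bind values, never splice them into the query text.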