What's up YouTube? This is John Hammond coming back at you with Natas level 14 from the OverTheWire wargames, some web application security stuff. So in the last couple videos we've been doing some file upload vulnerabilities. Let's clean up some of that code and let's check out what level 14 is asking of us. Going ahead and running that script, it looks like the page is pretty simple: there's just a form, POST method, with a username and password and a login button. So nothing else. Let's take a look at the source code and see what this is really doing here. Thankfully OverTheWire, for our learning and our education, is giving us the source code. So once we download that we'll again use Sublime Text to de-entitize all those HTML entities, and we'll remove all those break statements. So I'm gonna save this in a new file, or a new pane in Sublime Text, so we can keep the source code. Okay, so it looks like the PHP code here determines if we are supplying the username, so if we've actually kind of filled out the form or done what we expected to do, it makes a connection to a MySQL database. So a database that has, you know, anything in it.
Maybe credentials, maybe credit cards, maybe passwords, maybe social security numbers. The potential for databases is crazy, crazy big. Like, that could be an airport, that could be a bank, who knows. So there's normally a lot of good things stored in a database, at least good in the eyes of an attacker. So let's take advantage of some vulnerabilities here and see what we can break, see what we can leak out. We are selecting the natas14 database and we're making a query: SELECT * FROM users WHERE username equals (and we're just concatenating on the username) AND password equals (concatenating on the password). So this is bad. Like, this should be firing alarms in security professionals' minds, because you should never, ever, ever be concatenating variables that you control, that the user has full control over at the raw level (request variables, GET, HTTP POST stuff), into a SQL query or anything that's going to be run on a database. There's no sanitization, there's no actual verification of this data, and it's super duper bad. So that will lead to things like SQL injection: inputting SQL commands and SQL code into a query and making the database do different things and leak out information. You're tricking the back-end database, where you as the attacker are replacing what would normally be data or information that the user would supply, and replacing it with code. We're tricking the database into thinking that it's our data, and it's actually going to be executing code. So we can see the query that we're working with, and we can use this debug functionality that is tested (looks like a little hidden Easter egg) to show us what the query really looks like when we're executing it. And then it will show us, okay, if we actually get a result: if the number of rows returned from executing this query is more than zero, or if we get any results, if we get one or more, then we will be a success, logged in, and we'll get the password; otherwise, access denied.
So we don't know any username and password. We literally don't know credentials, so we can't log in. But we can take advantage of this SQL injection and maybe get it to return something and, okay, log in, get the password for the next level. So let's go ahead and try this. Let's change this. We'll append to set debug equal to true, or really anything, and then when we run this nothing's going to happen to start, because we're not actually posting to the web page. But now let's go ahead and post to the web page and pass in a username and password as variables here. So comment this out, change this to a POST request, and let's say data can equal username can equal "please" and password can be "subscribe". Shameless plug. Cool, run this, let's see what we get here. Oh, I forgot a comma. Man, my moment of glory with the "please subscribe" dig is totally ruined. All right, don't forget your commas and your keyword arguments, kids. Stay in school. So here's the debug information: executing query SELECT * FROM users WHERE username equals "please" AND password equals "subscribe". Access denied. So we weren't able to log in with that, obviously, but you can see we're just concatenating in those things. They're not being sanitized. So what's to stop us from using double quotes in one of these fields that we're supplying? Because in the source code it's using double quotes to denote "this is where I'm going to put the username" or "put the password". That'll be the placeholder for it.
You can see it in the query here. So if I put an extra double quote in there, will things break? Will it mess up that placement of quotes? Let's try this here. Looks like it did: we see executing query SELECT * FROM users WHERE username equals "please" with two quotation marks, and we get a PHP error, or a warning here: mysql_num_rows() expects parameter 1 to be resource, boolean given, and blah blah blah. So something went wrong. We can put "please anything what now lol" and just completely break it, see if we'll get more errors, see if we'll get weird things to happen. That's all the way included, and we're still getting that same error, that PHP warning. So let's make this go crazy. Let's try and get some valid SQL back into this. We can use a comment, or in MySQL just a pound symbol or a hashtag, to comment out the rest of the line, or the query here. So now we'll get back to access denied, like the command was successfully executed; there wasn't a warning or any PHP/MySQL notifications there. But we put a hashtag, or a pound symbol, that commented out this test for the password. So now we're not testing WHERE username AND password is equal to something; now we're only testing WHERE username equals something, WHERE username equals "please", and obviously, okay, there aren't any usernames that are set to "please". But now we've proven to ourselves that, voilà, there is some SQL injection vulnerability here. So we can do other tests.
We can inject other SQL statements, like trying to return something that always returns successfully. Like, SELECT * FROM users WHERE username equals "please" isn't going to return anything. It's not gonna return true because there aren't any users that have a username set to "please". But if we were to add another conditional in here, like OR 1=1, because one is always one, right, that'll always return true, and that's in an OR statement. So that condition will light up green, that will work. So that's kind of the most simple, easiest example of SQL injection, where you can leak or dump an entire database. This will select all, or return everything, where blah blah blah, one condition that doesn't normally work, OR 1=1, that condition always works. Select all where everything returns true OR 1=1. Sweet, so that should return something, have results more than zero, and we'll get a successful login. The password for natas15 is this guy. So you can see this query here with the debug information: SELECT * FROM users WHERE username equals "please". Again, we're terminating that original string because we've injected our own double quote, and we're doing another condition in here, OR 1=1, always returns true, gives me everything. And then we have a comment, a MySQL comment, that pound symbol or hashtag that will just throw out the whole rest of the query: that AND "subscribe", that AND password equals test, that goes away because we've commented it out. So just like that we do some cool SQL injection, and now we've got the password for the next level. So awesome. Thank you guys for sticking with me. Hope you enjoyed this. SQL injection is super duper cool in my opinion. It's one of my favorite things; I love that aspect of web security, SQL injection in databases. So I think I just saved and overwrote that, my bad. Let's go ahead and create a new script for Natas level 15, but hope you guys are enjoying these. Thanks for watching.
I hope to see you in a later video and we'll do a lot more cool SQL injection and web application security stuff. Thanks again. Hey, if you liked this video, please do like the video. Maybe leave me a comment, maybe subscribe, share with us. See you soon.
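The concatenated query the video walks through, rebuilt as an added Python example (this is not John Hammond's script and not the natas14 PHP), with the parameterized version beside it so the fix is visible next to the defect. It assumes an in-memory SQLite table standing in for the MySQL users table, with constructed usernames and passwords. SQLite string literals use single quotes and its line comment is `--`, so the quote and comment characters differ from the double quote and `#` used on the level, but the mechanism is identical: an unescaped quote closes the literal and the rest of the input becomes SQL.

```python
import sqlite3


def make_db():
    # Constructed sample data: a throwaway in-memory users table standing in
    # for the natas14 MySQL database (names and passwords are made up).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def build_vulnerable_query(username, password):
    # Mirrors the level's PHP: request variables spliced straight into the
    # SQL text. This is the string the level's debug flag prints, which is
    # exactly the view that makes the defect obvious in a code review.
    return ("SELECT * FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def vulnerable_login(conn, username, password):
    # "Success" is decided the way the level does it: any row at all.
    rows = conn.execute(build_vulnerable_query(username, password)).fetchall()
    return len(rows) > 0


def safe_login(conn, username, password):
    # Parameterized query: the driver sends the values separately from the
    # SQL text, so quote or comment characters in the input can never change
    # the query's structure; they are only ever compared as data.
    rows = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password)).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    # The level's payload, adapted to SQLite quoting/comment syntax.
    payload = "please' OR 1=1 -- "
    print(build_vulnerable_query(payload, "subscribe"))
    print("concatenated:", vulnerable_login(conn, payload, "subscribe"))
    print("parameterized:", safe_login(conn, payload, "subscribe"))
```

Running it prints the assembled statement, `... WHERE username='please' OR 1=1 -- ' AND password='subscribe'`, and shows the concatenated version returning every row while the parameterized version returns none for the same input. The only code change between the two is moving the values out of the SQL string and into the driver's parameter tuple, which is the whole fix for the natas14 defect.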