 All right. Hello, everyone. Welcome to second and last week of class. Everyone excited? Semester's almost done. Yay. There's a lot. It doesn't get picked up on the microphone, but they're just going wild here. Cool, okay. I'll be here Monday, Wednesday. Unfortunately, I'm out of town next week, so Connor's gonna teach class and clean up then on binary security. I think we'll be done with content probably by next Monday, but we'll see what happens. We'll extend stuff into Wednesday. As mentioned, because I guess some people don't watch things, although I guess if you didn't watch it on Wednesday, why would I expect you to watch it today on Monday, but release two modules as we all agreed on collaboratively on Wednesday. The final two modules, web security and binary exploitation. One important note, since that got brought up, if you, I might not log in. Let's go course. Okay, you're gonna see my grade. I'm failing this course, by the way, in case you were wondering. Undergrades. So you have the weight here. This weight, because it's all the same, means nothing. This is just a relative weight between the modules. So the fact that they're all eight doesn't mean anything. They could be all one, which I'll probably just change them to, although that will still be confusing to people. It could be all nines. It could be all 1000s. It really doesn't matter to literally just, that way, if when running this course, if I had wanted to say, oh, talking web is worth twice as much as the other modules, that'd be a two, and the other ones would be worth one. Something like that, right? But for our purposes here, it literally doesn't matter at all. So as stated, your grade is here. I will, this week before Wednesday, post your current status of extra credit in terms of means and thanks. I'll also pull down the latest code breaker challenges that were on the syllabus two and put them on here. 
That way, like as stated on Wednesday, these have the latest possible deadline of January 10th. Like grades are due the next day. So that's why everything gets cut off at midnight of the 10th. This means absolutely whatever I put in the Discord. So before I start talking about stuff that's on there, let me make sure I'm not saying the same content. But it means very simply that absolutely no extension. So like it's just fundamentally impossible. Any extensions there go into over and we need to deal with like medical incompletes and other kinds of things. So if you've been thinking about that, don't think about that. Like if you end up in that situation, I'm sorry, but that's just the way it is. During finals week, no in-person help. So finals week is in three weeks, right? So second week of class, last week of class and then finals week. So finals week, no office hours, no recitations. And I kind of can't force anyone to be here because they also have finals to take and everything. So you're kind of on your own on the Discord and you're feel free to help each other, but don't overboard as normal. I don't know, just this way with this, whatever grade you're happy with here that shows up here, that's going to be your grade unless, and it can only go higher with extra credit. So as soon as you feel like you're done, then you can just be done. It's kind of like having a button. You just say like I'm done and then you can't ever get a better grade. That way you can lock in and not feel like you have to do this until the 10th. Any questions on this? End of semester class stuff. Sorry, I just realized I was not on the 15 people on Twitch. Okay, no hands? All right, now let's get to learning. Cool, so we left off on command injection. 
So command injection, as we hopefully recall, is when a, most of the things we're talking about here are web applications, but when an application takes our input, concatenates it with other strings and then passes it to something like system, which then gets reparsed by /bin/sh just as if we had typed this in on the command line. So we saw different types of ways to exploit this. I'm not going to go over these because we went over them on Wednesday and you can watch that lecture. I think the key thing is I've seen some people maybe struggle in the Discord. The key issue here is to think you have full and total power here, right? So this, whatever you're typing in here, once you can execute a command, it is as if you were, in our case, the root user and you're tricking the root user to type in whatever the heck you want. So even if, like in this case we saw, maybe running a certain command, maybe didn't show the whole flag where we weren't able to actually extract the flag that way, but we're still root. We can do whatever we want. What are some things maybe that we would want to do at a high level without talking about specific commands to accomplish our goal? What is our goal? Let's go one level up. What is our goal? On the challenges. What's always your goal? You've been doing this for eight, seven modules. This has been a key chunk of your life. Yeah. Get the flag. Yeah. So if you can't just output it directly by doing like cat flag because the program doesn't necessarily give you that output, what other things could you do? You could run ls, but you need to get the output. So the question is how do you get the output? So if you can, if you can run commands without getting the output, how could you get the flag? You had a whole module on this about accessing stuff with control. Yeah. Move it to a different file. Like there's nothing that says that it has to be in that file, so you can move it or copy it or alter the permissions.
You can alter the permissions of the destination file. You could fundamentally do anything you wanted to do as that root user. So you could do all kinds of fun stuff. But yeah, so think creatively. Like as if you were as root there, you can't get the output of the command but you want to get that file eventually. Okay. Moving to HTML, yes, question. You are running as root. Set UIDs only so that it's copied with run as root. Right, so the fact is you are fundamentally running as root when you can trick the challenge binary, the challenge web server is running as root so it can do anything. Wow, super weird that nobody is sitting over there. Did you all do that on purpose? Nobody wanted to sit on that third of the room. Just all gravitated over here weirdly. Okay. But they're coming to the door. But some people come in that way. I am over it. I mean, obviously it makes sense, but it's very weird because most people have sat over there. Anyways, okay, this is what happens when it's close to Thanksgiving. Okay, so other. Huh? No, this has been a whole room. You guys have been normally equally-ish spread out in the terms of this room. Nobody has to sit over there. Don't move. Cause all your stuff's there. That's a false move. But look, you have a better view of this right now. Anyways. All right, I noticed these things. Okay, so other things. So we talked about HTML, right? HTML is a web application's way of specifying to the user what the structure of the document should look like, what links they can click on, what forms they can fill out, what things they can do to the web application. And so very often a web application will create its HTML response by again concatenating strings together. So here is an example application that has in between P tags, has a string hello comma and then some name in red being the user's input. So why might this functionality exist? You're writing an application. Have you ever seen a website do this? I can start calling on people. 
Does that help? Start at the left side of the room and go, what's up? Yeah, so the idea being now it's a dynamic website that nicely greets the user, right? So depending on who the user is, how they're logged in, right? We can see, oh, it's this user. Great, that can be a friendly application. I can say hello to that specific person. Maybe like, so maybe the results that I give are also unique to that user. So the feed that I'm showing, whatever, if it's like a Facebook newsfeed thing or whatever, but the point is like, I can customize my HTML response to each of you depending on who you are. Now, the problem is if that input comes directly from the user, now fundamentally I can control and have any code that I want be executed. And one of the key things, so again, if we go back to, let me look at this here. Yeah, so we look back at HTML, right? So now if I can inject content and control the structure of this HTML page, I can get it to be whatever I want. Now, does it seem that exciting? Maybe I can add more links to the page or something. I don't know, give them to trick them to click on something. But a key thing that we can make them do is, do I not have? One of the key things that we can do is actually get them to execute some code that will run inside of their browser, which actually sounds insane. And it's because it is every time your browser accesses a webpage, almost every single page, we'll send you some code that your browser running on your machine interprets and executes whatever code that website sends. And that is JavaScript. So let's look at, I guess we can look at here. There is some JavaScript in here, yes? Where I start poking around. Remember how this works. Sources, I think. Scripts, yeah, there we go. Cool, so there's a ton of JavaScript. This is all JavaScript that's executed. Every time you visit any site on pwn.college, similar JavaScript exists everywhere else.
But the point is, this is code that is running inside of your browser and has access to everything inside of this webpage. So, oops, hello. Okay, let me show an example. Going to increase the font size here. Let's go back to our example. Okay, so this isn't really a dynamic website. This is literally just gonna be me editing a text file and then us loading that text file in our browser. Let's see if I can, cool. Everyone see, on the right, I have this. So if we pass in the name of CSE365, refresh. Right, so just like a dynamic website, so my browser is parsing this. And again, because it's a parser, it has to figure out where are those starting and ending tags so we can do cool things like we can change our name and make it into a link that the user can click. Can I change what happens before here? No, I can't because this is a constant string that is concatenated. So I can't control what happens before and I can't control what happens afterwards, right? So every time we're thinking about injection, we need to be thinking about what parts do I control and what parts don't I control. So here I'm controlling just this name in here. I could really mess things up. I could do maybe ending HTML and then the page looks literally like this. Oh, where's the inspect source, so big source. Yeah, so now it's kind of like, depends on how the parser is going to interpret this, will it like, do this is the end of the page, will it keep showing the stuff that's after? Let's check if I write something after here. I actually do see that, that's really weird. I'm not sure if this is common for all browser engines. I can start another, yeah, HTML tag and then what if I end this one. Anyways, the point is I can completely control everything that happens here. But one of the big things I would wanna do is start executing JavaScript. So JavaScript was, I'm gonna go back and we're gonna go back in time, okay. Since I know we got a little bit of time, we can do this. 
So this was the modern HTML that we've been looking at. Very static, has images, tables, you can set font size, but fundamentally the content was static. And this actually gave rise to early websites like Yahoo. Did you guys know Yahoo was literally just like a yellow pages or a directory for the internet? So there were different categories. If you're just an art or education or entertainment, you can click in there and there would be links to other places on the web. So it was just a way literally to find things in this incredibly, this is actually even before, there's a time before where it didn't even have search. There was no ability to search here. This was the first Amazon website. And you can see very simple, just literally a website to sell books. AltaVista was one of the first search engines that actually allowed you to like type in stuff in the search bar and it would just very crappily look for any webpage that had that search term in it. And this was the, actually the shocking thing about all this is this was the first Google beta from 1998. And you can see that it's almost exactly the same. It's actually even simpler of a, more or less of a design the Google homepage than it was here. But the important problem is we wanna be able to do fancy things and animations and being able to dynamically respond on the client because every time you clicked a link on any of these pages or hit the search bar, your browser would then have to make a new HTTP request to the server. The server would process it, send the response back in HTML in your browser that has parsed that HTML. But for some times you don't need all of that. And that became the birth of JavaScript. So I'm gonna tell you a little bit about the history here. It was originally designed as a language to run inside your browser to interact and manipulate with HTML. How many of you know Java? Yeah, many of you. Great, JavaScript has nothing in common with Java except for the first four letters.
And this was actually a literal, so it was originally created in 1995 for Netscape, one of the browsers at the time called LiveScript. You're gonna be like, hey, you gotta script things live in your browser. It was renamed in December of 1995, literally JavaScript as an open cross-platform object scripting language for the creation and customization of applications on enterprise networks and the internet. This is in 1995. Whereas JavaScript in Wikipedia is a prototype-based scripting languages with dynamic typing and first-class functions. So this actually has nothing to do with Java. It's literally a different, like the syntax is very similar because they both derive syntax from C, but fundamentally prototype-based is very much in opposition to class and object orientation. So calling it an object scripting language is like super weird. Literally, it was basically like a marketing ploy because believe it or not, I know this may be very hard to believe at the time, but in like 1995, Java was considered the hot new language. Like, I don't know, what's a hot new language that you all think is cool for us? Like, yeah, Rust. So this was like the Rust. Actually, it's a very good app description because with Java, they told everyone like, hey, this is great. You don't have to worry about buffer overflows, just like Rust. And you write once and deploy everywhere because you write it, it compiles to the JVM and different JVM implementations run on different machines. What it turned out was write once, debug everywhere was actually the real thing that happened. And so anyways, hope in 20 years, maybe you'll remember this class and as soon as people, you tell people that you used to think Rust was cool and they go, that's such an old language. Why would you ever think that? But anyways, in 1996, Microsoft added support for JavaScript to Internet Explorer and it turned into a standardization. 
So the JavaScript language was standardized in 1996, but fundamentally it was just created for one browser to add some dynamic capabilities. And now it is essentially the language of the web. So JavaScript is fundamentally the way that you think about and is supported by all browsers and it evolved organically along the way, which is why it's very, very weird. But let me show you some examples. So you use the script element and the script tags is the way of creating JavaScript. So you have script tags. This was a very, very old style of doing this where you had these tags here is a HTML comment. So it tells the browser, hey, consider anything in here to be a comment. And this was for browsers that didn't support JavaScript. That way they wouldn't show what was in the script tags. So if you're a browser and you did support it, you would know not to take off those HTML comments and you would start executing the code there. So you can do things like, there's a whole system and stuff, but it's very similar to what you're doing. It's not anything that's too crazy. So you can prompt things like, hey, please enter your name. You can set that to a variable called name. You can check if name is null, then write welcome to my site. Otherwise write welcome to my site. And then the plus is concatenation here. And so you can do this. You can also specify exactly the language here, although this is really not needed now. So you could run this page and it would say, hey, please enter your name below. You could enter something like add them in and then it would say, hey, welcome to my site, Adam. Okay. You can also include external JavaScript files. This is actually not strictly needed for what we're doing, but something that's very useful is you can have a source attribute that have an absolute or relative URL. And so the browser, when it parses this, will make another HTTP request, fetch that content and execute it as if it was JavaScript code. I'm gonna skip all this. 
We don't need to do this. Okay. JavaScript, though, is... Okay. So everything in JavaScript is an object. And guess what? You learned JSON way back when when you were making web requests by hand in Netcat, those fun, fun days. So JSON, everything in curly braces in JSON derives from the syntax for JavaScript for objects. Objects are pretty sweet. They're just like hash tables or arrays. You can add properties and values at runtime. So you can have something like var object equals. And so the curly braces is... So this is an object that has one property named test with the value foo as a string and another property num with the value of 50. We can then, so objects, you can think of things that can be recursive. So you can have object and this is accessing a property. So this is with array syntax saying the object, the property with name foo set it to be equal to object and we can log itself so we can do object test is what? Here in this example, foo. And then object foo is the object itself because we set it here, object foo. You can set num to be 1000, we can log it and then we can look at it here in the console. One of the cool things is you can just... If you're ever curious about how something works in JavaScript, you can open up your good old web browser here in the console, you can just put code here and you can just type it in. Can I make this? Oh yeah, there we go. So I can type all this in here so I can look and inspect this object. So this is my object called object that has three properties foo, num and test. Foo is the object itself. So if you keep going down foo, it will go down here forever. One thing, so I use this syntax, object bracket string foo. This is one way you can access properties. The other way is the dot syntax. So you can just say object dot foo and it's exactly the same thing. It's literally just the same syntax. The dot foo is just the same syntactic sugar for the exact same thing. Okay. 
Okay, I think that's all we need to do under here. There's much more complicated stuff. So what we can do is now we are here. So once we have this injection, we can write any JavaScript code we want inside of script tags. One of the classic things, if you look up the alert function, so instructs the browser to display a dialog with an optional message. This is one of the ways that as security analysts, we show that we can execute JavaScript code on your web page by making it pop up a window here. So this is JavaScript code. So this is when I refresh that, the very first thing it does. It's parsing this and the developer, the original developer of this website intended, did they intend for there to be JavaScript code here? No, this is only because we, the attacker tricked the web application to include this JavaScript code. And so we can do whatever we want here. We can, I think that's how you do it, let's see. Nope, that's writing it there. I always have to look at stuff up. JavaScript, overwrite, HTML, dot replace, document dot replace, document open, document write, document close, that's where it's in. In our HTML, there we go, that's how it works. So completely changing the content of the page. We can do, let's see, you redirect to the document dot, may have blocked it because of the domains, oh, location address, that's right. So redirecting them to another place, on Wednesday I can do whatever I want. I can, if the web application uses cookies, which this one probably will not, it won't even let me go back, that's really, yeah, undefined because I don't have any cookies. Let's insert some cookies. Storage, local storage, add new, password, I don't know, JavaScript. Depends on how it's set the cookies, but let me just double check. Cookie, not cookies, see, this is why reading the documentation is so important. This is why I tell you what to do, and that did nothing. Go to the console here, document dot cookies, cookie, cookies.
Cool, so if cookies were set, I could get them. I guess it should be like this. Yeah, it could be about the specific way that I'd set them. If you could get them or not, there are like lots of possible security measures here, but fundamentally I can do anything. And this means that if I was now, and especially if you're logged into this website, I can now act as you as the user. So I could steal your cookies to try to log in as you. I could have you the user transfer me, remember when we looked at the bank, transferring money, right, between things, introduction. Oh yeah, here we go. Here's our good friend, the bank, right? So if I were able to trick blue into executing code from green from the bank that says, hey, transfer money $1,000 from red, the bank has no idea that this is coming from, not coming from the actual user. So you can really do anything. Questions here? Just for the record, when you go out into the world, this is called cross-site scripting. The idea being another, and a criminal or a hacker got you, tricked your browser into executing JavaScript that they wanted to execute. So that's the cross-site. So, and the abbreviation for this is XSS. So if you see that, that's what that means. Now, again, another case where people want to concatenate strings is with when creating SQL queries. So here we have a SQL query, select star from users where username equals single quote, con or single quote, and password equals single quote, password one, two, three single quotes. This is the example where we're looking at SQL. So what's the point of this query? What would be a use case of this query? Yeah, why would we want to look for the specific user's information? Say it again. Slider? Yeah, so we're trying to check, so this would be an application where they're trying to check, did the user provide the correct username and password, right? So like, yeah, they're gonna log in. 
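As an added example (not from the lecture or its demo page), here is the "what do I control" point from the greeting page worked through in Python: the same `<p>Hello, NAME</p>` string built by concatenation and by escaping, fed to an HTML parser so you can see which one ends up with a script element a browser would execute. The sample inputs and the use of `html.escape` are my own choices.

```python
import html
from html.parser import HTMLParser

# The lecture's demo page, as concatenation: the prefix "<p>Hello, " and the
# suffix "</p>" are fixed by the application; everything in between is ours.
def render_vulnerable(name: str) -> str:
    return "<p>Hello, " + name + "</p>"

# Hardened version: html.escape turns < > & " ' into entities, so whatever the
# user typed can only ever be text inside the <p>, never a new tag.
def render_escaped(name: str) -> str:
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

class TagRecorder(HTMLParser):
    """Records the elements a browser's parser would build, and any <script> bodies."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.script_bodies: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_bodies.append(data)

def browser_view(page: str) -> dict:
    """Parse a rendered page the way a browser would and report its structure."""
    recorder = TagRecorder()
    recorder.feed(page)
    recorder.close()
    return {"tags": recorder.tags, "scripts": recorder.script_bodies}

def injected_script_count(page: str) -> int:
    """Number of <script> elements in a page that was only ever meant to hold a <p>."""
    return browser_view(page)["tags"].count("script")

# Constructed sample inputs, from the harmless one to the classic proof of execution.
SAMPLE_INPUTS = {
    "benign": "CSE365",
    "link": '<a href="https://pwn.college">CSE365</a>',
    "script": "<script>alert(1)</script>",
}

if __name__ == "__main__":
    for label, name in SAMPLE_INPUTS.items():
        for renderer in (render_vulnerable, render_escaped):
            page = renderer(name)
            print(f"{label:7} {renderer.__name__:17} -> {browser_view(page)}")
```

Run it and compare the two rows for the "script" input: the concatenated page parses into `p` and `script` elements with `alert(1)` as the script body, while the escaped page parses into a single `p` whose text just happens to contain angle brackets.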
We're gonna check first, hey, does there exist any user in this database that has the username Connor and the password of password one, two, three? If it does presumably, then we would log the user in. That's exactly what this query would do. Now, fundamentally, if we control what's in the string Connor and here in this password, we can fundamentally put in whatever we want here. So do you guys wanna try it on a real database? Where is the real database? This is where you're just hoping that somewhere back in your history, somebody did this once. Where do I have a web server running? Is the mic easily accessible? Ah, such a pain, I don't like SQLite. Okay, I think I have an idea. Let's see, I usually, I can quickly install something on here. Can't locate the package, MySQL. I think it's MySQL server. Okay, we'll just run MySQL server on a random thing. We'll create the table. This will be super fun. And then we will hack it. It's running, very good progress. I'm into MySQL server. All right, I'm running. So now what I'm typing commands in here is I say if we're running queries, so I could say select, it's gonna say error, no database selected. So use, create a database first. Use 365, MySQL, I did, okay. Oh, I guess I can do that. Create database, hack me, use hack me. Create, what is it? Table, users, MySQL, data type. Varchars are great. Just means variable characters. Okay, it should just work without the strings. Yay, okay, insert into users, values, admin, super secret. Wanna make sure, insert into users, values, value one, value two. How do I do multiple values? I think it's just separated by commas like this. Okay, and let's go back to our thing. Admin, password, a Connor. Password one, two, three, select. Hey, got data in there? Cool, okay. Now let's go back to our query. So we're gonna simulate having a website. We are writing this statement. Okay, select, so it's gonna be select star from users where username is equal to name and password equals password.
Okay, so let's run this. Why did that return nothing? And we don't have anything in the database that matches that. Okay, we did have the example of, there's space in front of here. Why is this not saving this query? It's gonna drive me insane. Connor, so now if we know Connor's password, we can log in and that returns one user. So our web application would say great, user accepted, log in, awesome. So you can write in anything where into this string. Where do you, what do you control? The username and password specifically after the single quotes. So why is the, so the application is specifically adding single quotes around your input because it knows that this is how you specify a string in MySQL. So specifically here and here we control. Inside of those strings, awesome. So select star from users, we're username is equal to Connor. So we can put in, if there's no restrictions from the web application, we can put in whatever we want here. So what might we want to put in? Another single quote, what's the point of that single quote? So it matches the first single quote and now, now what do you wanna type in? Yeah, so or maybe, so we say username is equal to blank. One equals one. What do you wanna put in for password? Let's just do password. Okay, what's gonna happen when I hit enter? Yeah, it's not gonna let me. And I wish it didn't do this. Oh, I have an idea. Let's do, this was a great example. Let's do this, quit. So you go to MySQL, you just write the command here. It's first the database name, hack me, hash c. Did you echo what it said or did? Yeah, that's right, okay, thank you. Cool, cause I wanted to simulate more of what happened and as you saw, when we tried to enter that command, the MySQL prompt wouldn't even let you type that prompt in because it has a syntax error. What's the problem? 
We put in single quote space or space one equals one and then the application put a single quote, password equals two and then this single quote, but then there's a password and then like a dangling single quote. So we're very close here, but the problem is we're not matching those things. And the problem is there's a bunch of gibberish that we have to deal with after this. So what was the trick we used in command injection in order to not have to deal with anything that came after us? What was that? Comment it out. Let's look up. I think we talked about it in the last one but then let's look up MySQL comment syntax from a dash character to the end of the line or from a, or sorry, a hash character to the end of the line or from a double dash to the end of the line. I'm gonna show you the double dash because the database you're gonna be using is SQLite and I wanna show you one that works on both. I believe it's double dash. Yeah, and so you can see this. Anybody remember this type of graph? Back when we looked at JSON syntax? So here in SQLite dash dash to anything except newline to newline will be a comment and that's the same in SQLite and in MySQL. So we do this. Really hope that was gonna work. Why did that not work? Oh, I think we need a space. Yes, there we go. Okay, why do we need the space? Because the characters were specifically a double dash without any space at the end. I guess MySQL is trying to interpret that as its own thing and doesn't really see the, let's actually look, this is crazy. Ah, insane. I wonder if this is what messed me up on a CTF once. It's interesting. Anyways. Okay, so what did this do? Why did this return us all the results in the database? Yeah, so this is the query that we ran. Select star from users where username is equal to blank or one equals one. How many times is one equals one true? It's always true. And true or false is true.
So this returns true for every single row in the database that returned all of the rows. What if we just wanted to return the admin rather than doing or one equals one, what would we do? If I do this, what is it gonna do? Still gonna return all, why? Yeah, for all of them. So how do I fix it? Say it again? Cool. So now let's say we do this on the login form. We say, hey, we want to log in as the admin. Here's my password and password. But actually I say, we don't want to log in as admin. We want to log in as admin tick space dash dash space. And it goes, it says, oh, yep, there's one result. That's good. Let me log you in now as this user. And then boom, you've now logged in as the admin user. And we can even go, let's see. Make sure I'm balancing with time. Cool, oh yeah, perfect. Okay, we can even go crazier than here. So let's do, let's create table. I feel like I have that syntax. Nope, create table flag. Let's say there's flag. That's a varchar 255. Okay. Insert into flag values. Honk it, get this flag. Okay. So let's say we get this output. Well, let's say it's not the username and password, but whatever, we get this output, but we can control. So again, we can control anything in password. We kind of figured we don't need to do that because we can deal with anything that's in here. So we can just by changing this username. Now, can I control anything that happens before the username? Select start from users where? No, we cannot. But, so we can use this as we saw to get anybody's username. We can also, so let me, did we talk about that? Let's see if we'll get tables. So let's look up. So it turns out two things we need to look at. One, let's go back to just our normal, let's see. Ew, gross. That's too many tables. Table schema test, I haven't seen that. Nice SQL. This has a ton of information. Let's see, DB5. Okay, okay, here's, oh, am I not, wait, you use heckling? Okay, I feel like this should be a lot easier. Okay, there we go. 
Why does that reveal so much? I thought there was like, okay, well here is our hack me, and here's the users and flags. It's table orders for you. Yeah, there we go. Thank you. What do we put for table? Table orders for schema equals database table. Where's that? Let's check it with table. Oh, base table. But in dot, instead of dot column, you need dot table. Let's just do a select all on that. This is something you can look up by the way. It's not, well, where's the, why is this, this should be very simple. What are you trying to sort? I want you to see the tables, but just the user tables. Like, why is there all this, there's a bunch of junk tables. There's three out of 30 tables. I mean, you want me to get slightly simpler, it's table on a square name. Yeah, I would like this, but with only the user table. This is definitely, oh, they're right at the top, but I will find this. Okay, that was going to be a cool demo. Oh, that's what I want. Inject all the things. Payload, there we go. PayloadsAllTheThings, that's what I want. Okay, this has everything I could ever need. Cheat sheet, MySQL injection. MySQL, oh good, it has all the comments, testing. Yes, okay, great, great. Extract database with information schema. Thank you, tables, that's annoying. Oh, schema, okay, great. Ah, okay, okay, okay. So these are all the different databases. Excellent, okay. And then, how it does this, I see. So I had to first figure out what the database name was. Okay, and I can just do the table name. Now I figured out how to pin it in here. Okay, perfect. Where were we? So we were back here, select star from users, where username equals blot. Okay, this is where we were. Now let's say we have our tick. Now, everybody remember our friend, the union syntax? Which was used to union two select statements? Yeah, so, how many columns did our users table have? Two columns? We may or may not know that, depending. If we don't, we can actually just keep guessing.
We can do foo bar, so this select foo bar. Yeah, so if we did, and what's super interesting, you won't have to get into this, but oh, it does do that. So you can figure out how many columns are needed by just keeping adding one to the select statement until you get the correct, you get an output, a non-error, everything else errors. So what this does is says, hey, select star from users, where username is equal to nothing, which we don't care about. Union that with select one, two, three. Well, select one, two, three is not very useful and select foo bar is also not useful. Why is this not useful? This foo bar, like we gave that input. So it's just proving that what we give comes back to us. But we gave that, so that's not interesting. But I don't know, even know where the data is that I want, but I know by looking it up in that payload all the things that I can select in MySQL, and other database engines have very similar things, I could say select and that's gonna fail because that has the different wrong number of columns. So what I really want from here, where did I want from Schemata? I want the schema name, select schema name. Again, not gonna work because when I'm unioning has one column on the right side and two columns on the left, so I just need to add something. So this shows me that, hey, there's MySQL schema, information schema, performance schema, sys and hack me. Hack me sounds good. Let's figure out all the tables in hack me. So now I can use my other query. Now that I know that I can do, or was my query, there we go. So now I'm gonna union that query with select star from information schema dot tables where table schema is equal to hack me. That will not work. So I want, I believe it's just called table name. So table name, I have flag and users. I'm already querying all the users table. So which data do I want? Like which table do I want of these two tables? Flag, we want the flag, let's get the flag.
I actually, from here, I don't know what the columns are, but you can actually read if you really want to. You can read all the columns in that table so you can figure out of the flags table what are the columns there. But we can do that here. Now that I know what table to search for, select star from flags, wrong number of columns. So I actually now will need to do that. So let's select dot columns where table name. Select star from columns where table name is equal to flag. Okay, wrong number of columns. I will do column name. Aha, there's a flag. So it should just be select flag. From flag, that won't work because of the wrong number of columns, plus flag, column one. So now I've finally got the flag. So fundamentally from doing this, you can actually get, are the parentheses necessary around this select statement? No, they're not. It just helps me when I was doing that. That was a good question on Twitch. SQL syntax is almost a little too forgiving. So I like to, I'll just be very careful there, yeah. Yeah, so this just means, so, so what I'm saying is, hey, select from the table flags and for my results, I want the first column to be flag, whatever is in the database as flag. And the second column, I just want to be one, like the literal one. So that's what this does. This just makes, this just returns one for the password. I could make it return a string as foo. I can make it return whatever I want. I could put flag twice. But the important thing is because with the union, the select on the left, the users table has two columns that the result when you union them has to have two, otherwise it can't put them together, right? It's like, you know what I'm like building blocks, right? You have like, like Legos, get the size two and you had a one and try to put that on there. That's not gonna work. If you had a three, that's too big. It has to be exactly the same size so that your application gets all those same results. 
And the crazy thing is, do they, I can't remember, did they do this in the assignment? So what's crazy is you can, so we were able to read the flag here. Why? Because we can see the output here, right? In this table, we see these results. The application may or may not give us the results here. So one, so there, but you can do really cool things. You can actually, and there's a, I guess I don't have it installed. Do we have it installed on the Dojo? No. So we can do cool things like, okay, let me see how I'm gonna do this. Some users, you can select. There are, hey, there we go. So we can actually do things like select or let's say we can't get this so all we're getting output is foo foo. But we can say where left flag, let's see, string, length, let's say one. So what I can do is I can set up a SQL query such that if it returns something, it returns the results if the first character of the flag, so the left, this left function, I just looked up from the documentation, specifies the number of characters from the left of the string, both the number and the string are supplied as arguments of the function. So this would be the string and the length. So I can iterate over this and brute force all the characters from A to Z, big A to big Z, zero through nine. And what's the difference? How do I know if I'm correct? SQL must be case insensitive. That was not what I meant. So this is the problem when you just copy and paste random stuff. SQL case sensitive comparison, MySQL. So I know it's not A, I know it's not B, but when I get to P, so why is that? So let's say the application will give me an error if there's nothing or give me a page, like a 500 versus a 200 error. So the only thing I can see, I can't see what it returns, but I can know if my query gave zero results or non-zero results.
So that's what we're doing here is by checking and taking the flag, by creating a where clause such that, by creating a where clause such that I have a condition based on part of the flag and a value that I supply, I can then test and I can make 255 of these queries for each character. I can even, let's see, my SQL function. There's a way to like turn it, yeah, there we go. Ord, just like, ah, it is, ord. So just like in what you might call it in Python, we can call ord on this to turn it into an integer and then that will not work, but if we do man ascii, let's see, P is at 70 and capital P is gonna be 50 and these are hex. There we go, so now we've found a way to determine the case of this. So if our program in the first case gives us a 500 error, we can use that. So this is the crazy thing, it's with one bit of information, whether the query returns something or doesn't return something, we can completely, we can use this to brute force this and what's even crazier, so what's faster than a linear search through zero to 255 to see which one hits? Somebody's taking 310? So what's faster than a linear search? So rather than searching zero trying everything zero to 255, a binary search, so I can do something like, because I don't have to do equality, I can do less than or equal to, right? So I can say is this less than and I would do what's in the middle of 255 and 255 divided by two, let's say 127, which it definitely will be. So this is a yes, so I got a yes response because I got something back. So okay, so I can do zero now between 275, so I can do 127 divided by two, 63. Nope, it's not less than that. So I know it's somewhere between 63 and 127, 63. This is what I'm doing with my hands, it's kind of a pain, but this is why you have computers, 96, so it's not, so it's between 96 and 127, 112. Okay, it's not bad, Connor, you're a great board call, 120. Yes, so it's between 120 and 112, 116, yes, so between 116 and 112, 118, yes, 119, yes, also yes. 
I'm just gonna check equality at some point, right? Something is wrong. So it's not less than 112, but it is less than 120 and less than, I see. Yeah, so we should have gotten down after 18, right? So we should have done 114, we will find it, correct, yes. Not 112, so what does that mean it is? Yeah, or so, well, you know, we are not computers, we are not computers, it's okay if we're not doing the binary search properly, yes, there we go, okay. That's octal, so it's octal, decimal, and hex. So it's P, so we figured out the first character. We can do, yes, thank you. There's much rejoicing from the audience. Oh shoot, that took a long time. Okay, so we first have to then put everything together of why is this safe? So as we talked about with JavaScript, you have basically random code that you're downloading onto your machine, and the whole point is that your browser wants to ensure that different websites and different tabs, you can think of as tabs, can't really mess with each other. So when you're accessing something and you're including images there from, let's say, red and from blue, your browser will then go and fetch those, and it can, yes. So the way this works is it gets to the, what is the same origin policy? So the origin is this three-tuple of scheme, host, and port. Scheme being HTTP or HTTPS, host being the domain name, and port being the port of the connection. So anything where that triple is the same, it exists in the same origin. So for instance, HTTP, example.com has the, I hate, this is the dreaded Google Slides to PowerPoint conversion, example.com, the root site has the origin HTTP, example.com and 80, which if you're fetching cat.gif from there, it's the same HTTP, example.com, 80, whereas if it's from a different origin, even if it's the exact same host and port, that is a different origin.
Different port is a different, and so you can send across origin request if there are, sorry, we're at the end of time, we're gonna have to, we spent too much time on SQL injection, but we'll do this on Wednesday.
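As an added example (not from the lecture or its Dojo), the login-bypass and union payloads demonstrated above are run against a constructed in-memory SQLite database standing in for the MySQL "hack me" schema, side by side with the parameterized query that stops them; the table contents and the sample flag value are constructed.

```python
import sqlite3

SAMPLE_FLAG = "FLAG{constructed-sample-value}"  # constructed, not a real flag


def build_db():
    """Constructed in-memory copy of the lecture's schema: a two-column
    users table and a one-column flag table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username VARCHAR(255), password VARCHAR(255));
        INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple');
        INSERT INTO users VALUES ('alice', 'hunter2');
        CREATE TABLE flag (flag VARCHAR(255));
    """)
    conn.execute("INSERT INTO flag VALUES (?)", (SAMPLE_FLAG,))
    return conn


def vulnerable_rows(conn, username, password):
    """The broken pattern from the lecture: user input is spliced into the
    statement text, so a quote ends the string and -- comments out the rest."""
    query = (f"SELECT username, password FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def safe_rows(conn, username, password):
    """Parameterised version: the values travel separately from the SQL
    text and are only ever compared as data, never parsed as syntax."""
    query = ("SELECT username, password FROM users "
             "WHERE username = ? AND password = ?")
    return conn.execute(query, (username, password)).fetchall()


def login(rows_fn, conn, username, password):
    """Mirrors the demo's login logic: exactly one row back means 'log that
    user in', and the username column of that row decides who you are."""
    rows = rows_fn(conn, username, password)
    return rows[0][0] if len(rows) == 1 else None


if __name__ == "__main__":
    conn = build_db()
    bypass = "admin' -- "                             # comments out the password check
    union = "' UNION SELECT flag, 1 FROM flag -- "    # two columns, matching users
    print(login(vulnerable_rows, conn, bypass, "wrong"))      # admin
    print(login(vulnerable_rows, conn, union, "wrong"))       # the flag
    print(len(vulnerable_rows(conn, "' OR 1=1 -- ", "x")))    # 2, every row
    print(login(safe_rows, conn, bypass, "wrong"))            # None
```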