I love it when you also tell us what each command means and how to use keyboard shortcuts.
Wow, watching you dive into the world of hacking and database dumping is both fascinating and nerve-wracking at the same time! Your expertise is truly impressive, and I appreciate the way you break things down for us mere mortals to understand. As someone who is always looking to expand their knowledge in the field, your videos are a must-watch. Keep up the great work, John!
You could also have injected the single-quote using a tilde because it's later replaced with a single-quote.
Exactly why I came to the comment section
Thank you!
ascii85 does not support the ~ character IIRC
Always a good day when you get a John Hammond notification
My initial thought was to use a tilde instead of a single quote character in the injected data because all tildes will just end up being converted into a single quote on line 17.
That comment left by "Gamerboy80" might actually be a reference to a UA-camr by the same name - gamerboy80. He's a somewhat popular minecraft youtuber, known for his bedwars. I wonder if he was put in on purpose, or it was a coincidence.
And now tell me that a hacker doesn't have to be a programmer... Awesome stuff!
This is exactly what I said. Whoever says programming isn't important is just lying because they can't program themselves.
Only a script kiddie would say that
24:40 I think Python3 is enough for now, we don't need Python4 yet...
If /* is banned, but you are able to inject single quotes you can do that without multiline comments or spaces: 'or'1'='1'-- . The single quotes work as spacer between the tokens too.
Knowing that the decode function replaces a ~ with a /', could you have just injected your command as ~ or 1=1 --?
Maybe ascii85 doesn't have '~' or doesn't allow it at the beginning, something like that
That could be true because ‘~’ is the last printable ASCII character
This is 100, I'm studying for OSCP. Do you have a pre-OSCP guide playlist?
I think you could also have replaced the backslashes in your query with a tilde and you will get a single quote at the end because every tilde is being replaced by a single quote in that function.
The python multi-line comment trick was really clever!
Really enjoy watching the video,
Good work!
What is eye-nit? Eye-nitialisation?
In real life, how would you go about getting the source code?
I imagine it would be protected behind security, which, if you could break that security you would have access to the full database anyway and basically access to the whole website?
You'd be surprised how often an entire website is available on github.
Maybe you were able to download the code and the security team kicked you out of their server before you got the db.
Or you could have hacked the dev and now you want to go further by getting the production db
There are a lot of projects that use databases. Many are open source.
SQLite is also often installed as part of a larger program a user (like an accountant) has access to, but shouldn't have access to the whole database, just least privilege. The program should run parametrized statements and only return data the user should have access to.
A point John did not go over here, because it was not the topic of the video, is the importance of encrypting any sensitive data. Just in case someone does dump the database.
I'm finally getting to a point in my understanding of python to be able to follow this
Hello John. Which CTF-website is this?
This is from Lactf, challenges will be taken down soon
This is LACTF, some of their challenges are still up and available for the week, but the game finished last weekend :)
@_JohnHammond thanks for the mention. On an unrelated side note, I see a major lack of pentesting, auditing/code analysis of open-source projects. There is almost a blind belief in open-source security & safety. Android custom ROMs & FOSS apps are my biggest concern. Most don't patch on time, don't adhere to the Android CDD security spec, etc. There's a fast-growing user base of these & its promoters are too focused on the opensource = private idea. We need a reputed, unbiased, 3rd party without any conflicts of interest.
Would you be up for a challenge to test the most popular android ROMs, repos & apps like graphene os, fdroid, microg, aurora store etc? Test if they have backdoors, vulnerabilities, malware, their security practices, or whatever.
You may be the first youtuber to do these tests!
Your practical run-throughs are super helpful and well explained. Do you do a single take on the fly or are there multiple takes?
Even someone brain dead like me can follow it 😅. Thanks man.
Yet another amazing video. I'd seriously pay for some private lessons by you 😂
What's the lesson here? Don't reinvent the sanitization function wheel?
Dang, nice vid, LA CTF was awesome!
Why don't we just replace the injectable query with a parameterized one like all the others? Another question is about hash %).
5:50
Lysdexics of the World Untie!!
Hello John,
Today I found out that you will be at Rootedcon in Madrid (Spain), what great news!
I look forward to greeting you in person and having a few beers at the booth of my company, which is a diamond sponsor of the conference.
You are a total crack, total pro!
Keep it up dude! How much you help us!
The conference says that it is in Spanish lol, is that right?
BR
Much appreciated for sharing with us and teaching us always, sir
You make it look so easy!
What ctf is that?
Thanks for this showcase!
Awesome video, thanks John
Very good video! Thanks
Hello, do you think you could analyse a video game cheat?
Bro, make a video on how to decompile the latest marshal bytecode of Python 3.9, 3.10, 3.11
Never ever John lets you down
I think in the real world you just ban direct concatenation instead of using filters. Am I not right?
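Several comments above make the same two points this one does: a filter that strips quotes, spaces and `/*` but later decodes `~` back into a single quote can be walked around with a payload like `'or'1'='1'--`, and the real fix is to stop concatenating user input into SQL at all. The following is an added example, not the challenge's code or anything from the video: `naive_sanitize` and `naive_decode` are a constructed stand-in for that kind of home-grown filter, the `users` table and its rows are made up, and the two lookup functions show the concatenated query beside its parameterized form against SQLite.

```python
import sqlite3

# Added example, not the challenge's or the video's code. "naive_sanitize" and
# "naive_decode" are a constructed stand-in for the kind of home-grown filter
# the comments describe: quotes, spaces and "/*" are stripped from the input,
# and a later decode step turns every "~" back into a single quote.

BLOCKED = ("'", " ", "/*")


def naive_sanitize(value: str) -> str:
    """Strip the tokens a blocklist-style filter would reject."""
    for token in BLOCKED:
        value = value.replace(token, "")
    return value


def naive_decode(value: str) -> str:
    """The decode step the comments mention: '~' becomes a single quote."""
    return value.replace("~", "'")


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample rows (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: filter, decode, then paste the value into the SQL text.

    The filter never sees a quote, but the decode step re-introduces one, so the
    value is parsed as SQL and the WHERE clause can be made always-true.
    """
    cleaned = naive_decode(naive_sanitize(username))
    query = f"SELECT username, secret FROM users WHERE username = '{cleaned}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound as a parameter and never parsed as SQL,
    so no filter or decode step is needed at all."""
    return conn.execute(
        "SELECT username, secret FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    # The payload from the comments, written with '~' in place of each quote so
    # it passes the filter, and with no spaces so the space block is irrelevant.
    # After decoding it reads 'or'1'='1'-- and the concatenated query becomes
    # ... WHERE username = ''or'1'='1'--'
    payload = "~or~1~=~1~--"
    print("decoded  :", naive_decode(naive_sanitize(payload)))
    print("normal   :", lookup_concatenated(conn, "alice"))
    print("bypass   :", lookup_concatenated(conn, payload))    # both rows
    print("bound    :", lookup_parameterized(conn, payload))   # no rows
```

The parameterized version returns nothing for the payload because SQLite compares the literal string `~or~1~=~1~--` against the `username` column; the concatenated version returns every row because the decoded quote closes the string literal and the `--` comments out the trailing quote. That is the whole argument for banning concatenation rather than maintaining a blocklist.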
Excellent
GJ! Just wondering, why didn't you start your own online academy courses? I will definitely purchase.
Great vid as always, John
How could you know? You commented the minute it was published. (It was good though good job John).
Keep going ✅
Always great quality content... Love these.. especially my favourite SQL injection ones 👌
9:02 MR BEAST
I can't stop laughing seriously 😂
gamerboy80 the bw player let's go :D
❤❤❤
Just so you know, unless I'm missing some inside joke, it's not pronounced inet... it's pronounced innit. Like in initialise.
John Hammond: like the scientist from Jurassic Park. ha ha
sql injection perhaps.
👊💪💪💪
I’m Gamerboy80
You look like Justin Roiland
John, this is the grammar and pronunciation police. You may not have seen my previous comment, but this is strike two. I have now cited you for not only pronouncing tuple "toople" but also pronouncing init "ine-it". I mean, come on, it literally stands for initialize. You're gonna give me an aneurysm, lol.
3rd
1st!
Lol what
62nd
2nd comment
1st like
I don't get why people watch this guy. He goes on a lot of rants but never ends up 'cracking the code' when analyzing the code of those hackers. Essentially, he doesn't know anything. Waste of time.
This video is the pure example that you can't be a penetration tester if you don't know how to code. You have stupid people trying to convince others not to learn how to code so they don't feel alone.
If you know how to code, 99% of the time you will get a bug. You can't find bugs if you don't know how to spot a vuln in source code.