Interested in supporting me and gaining early access to the Web Security Academy videos when they're recorded? Consider buying my course: academy.ranakhalil.com/p/web-security-academy-video-series! ✨ ✨
Rana, thank you for your efforts. This is Omar, and I have a question. When I use the sniper attack in Intruder it returns the enumerated password letter by letter, so I follow you again and I use the cluster bomb attack in Intruder with two variables: the $1$ in the substring function and the $a$ at the end for comparison. And I follow exactly the same config as you do. The weird thing is: the sniper attack works and returns a letter with the welcome back message, the cluster bomb never returns any welcome back messages and all responses returned in the cluster bomb attack are of the same length!! Is there a bug in my Burp Suite? Because I can not imagine another reason!! Please guide me here :) Thank you
Update: thank you Rana, I got the catch!
Watch for the payload you chose from the list, and for what the cluster bomb actually fills in during the attack. I chose Numbers for payload 1, but during the attack Burp Suite was filling in a mix of letters and other things! Seems like a Burp Suite problem.
The fix: changed the payload type from Numbers to Simple list and added integers from 1 to 20 to the list. Worked like a charm!
I can't tell you how helpful your videos have been.
While doing the labs side by side I do it once with you, then again on my own, and it's been night and day in proficient results.
I hope I'm lucky enough where you did all the labs in practitioner, so I can follow along and so happy I found your channel.
Thanks for your hard work and educational videos.
- grateful, newb.
The length of the video seemed discouraging at first, but after watching it till the end, I was able to solve the lab despite using the Burp Suite Community edition. Thank you very much, this video made my day!
Great video. Instead of buying the Professional edition, I used a Burp Suite extension called Turbo Intruder. I created my attack list of numbers from 1 to 100 and gave it to the payload. The attack was completed in 3-4 seconds. Maybe it's even faster than the Professional edition itself. XD
Thanks for this tip, I'll try it out too.
This content is free, yet invaluable. I wish I were rich enough to donate $5m to Rana; I wonder what benevolent act for the infosec community she'd cook up next.
19:52
You can also use substring to determine the length of the password, by increasing the first number and testing if the substring equals nothing (empty).
'AND..Substring (....20,1) = [nothing)
If it equals nothing, it means we exceeded the length.
You have done a great job... shortly you will have a lot of followers. Amazing format and approach.
Absolutely brilliant vid, you explain it so well. SQL is something I struggle with, well, not anymore thanks to you.
Much appreciated
This was the best one yet! Thanks Rana! One thing to note is how this process could be improved by using greater than or less than operators instead of just equal to.
I was thinking something similar as well!
Can you explain this better, please?
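The two threads above (checking whether a substring past the end of the password comes back empty, and the suggestion to use greater-than or less-than instead of equals) both rely on the same thing: the tracking cookie is pasted straight into SQL text, so a True or False condition decides whether "Welcome back!" appears. The following is an added example, not code from the video or from the lab, showing that mechanism in SQLite beside the parameterised form that closes it. The in-memory tables, the `abc123` tracking id and the password `s3cr3tpassw` are constructed for the demo; `SUBSTR` is SQLite's spelling of `SUBSTRING`.

```python
import sqlite3

# Constructed sample data, not from the lab: one user row with a made-up
# password, used only to show how the two query styles react to the same
# cookie values. Table and column names follow the lab (users, password).
SAMPLE_PASSWORD = "s3cr3tpassw"   # 11 characters


def make_db():
    """In-memory SQLite database standing in for the lab's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE tracking (id TEXT)")
    conn.execute("INSERT INTO users VALUES ('administrator', ?)", (SAMPLE_PASSWORD,))
    conn.execute("INSERT INTO tracking VALUES ('abc123')")
    return conn


def vulnerable_lookup(conn, tracking_id):
    """The 'before' shape: the cookie value is pasted into the SQL text.

    A quote inside the cookie ends the string literal, so whatever follows is
    parsed as SQL, and the truth of that SQL decides whether the page shows
    "Welcome back!" (True) or not (False).
    """
    sql = "SELECT id FROM tracking WHERE id = '" + tracking_id + "'"
    return conn.execute(sql).fetchone() is not None


def hardened_lookup(conn, tracking_id):
    """The fix: a parameterised query. The cookie is only ever compared as data."""
    sql = "SELECT id FROM tracking WHERE id = ?"
    return conn.execute(sql, (tracking_id,)).fetchone() is not None


# Probe cookie values of the kind discussed in the thread. The server appends
# the closing quote itself, so each probe ends just before it.
PROBES = {
    # LENGTH(password)>1 holds for the sample row
    "length_gt_1": "abc123' AND (SELECT 'a' FROM users WHERE username='administrator'"
                   " AND LENGTH(password)>1)='a",
    # LENGTH(password)>50 does not: the subquery yields no row, NULL='a' is false
    "length_gt_50": "abc123' AND (SELECT 'a' FROM users WHERE username='administrator'"
                    " AND LENGTH(password)>50)='a",
    # the length check from the thread: a substring starting past the end of an
    # 11-character password is the empty string
    "substr_past_end": "abc123' AND SUBSTR((SELECT password FROM users WHERE"
                       " username='administrator'),20,1)='",
    # position 5 is inside the password, so the substring is not empty
    "substr_inside": "abc123' AND SUBSTR((SELECT password FROM users WHERE"
                     " username='administrator'),5,1)='",
}


def welcome_back(lookup, probe_name):
    """Does the given handler show "Welcome back!" for the named probe?"""
    return lookup(make_db(), PROBES[probe_name])


def compare_handlers():
    """Run every probe through both handlers; returns {probe: (vulnerable, hardened)}."""
    return {name: (welcome_back(vulnerable_lookup, name),
                   welcome_back(hardened_lookup, name))
            for name in PROBES}


if __name__ == "__main__":
    for name, (vuln, hard) in compare_handlers().items():
        print(f"{name:16s} vulnerable={vuln!s:5s} hardened={hard}")
```

With the concatenated query the four probes answer True, False, True, False, which is the one-bit oracle the thread is about; with the parameterised query every probe is just an unknown tracking id and answers False, while the real id `abc123` still answers True in both. Each probe leaks one bit, which is why the comparison-operator suggestion helps: a greater-than test halves the remaining candidates per request instead of eliminating one.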
I have been really enjoying your challenge walkthroughs. Really clear and well presented. Thank you
Great video. I could understand Blind SQLi from this video because the explanation was very clear. THX!
These videos are amazing, Rana. Thank you!
Like the way you teach, you explain as you go, which is good for beginners.
Very nice video, seriously this helped me a lot. Thank you Rana Khalil..
At about 9:00, why did you add the single quote if you commented it out right after ? I’m a bit confused there.
She mentioned it so she wouldn't get a syntax error, which can't be in the SQLi since you don't need it in this situation, so my only guess would be so Obsidian (the note app she's using) doesn't throw up a syntax error.
Thank you for being very thorough and descriptive
Such a detailed explanation!
It seems that your voice needs to be clearer and slower. Finally, it's very helpful.
Thank you @Rana Khalil, great explanation!
I have seen your writeups and blog and mashallah it's very good and interesting... I humbly request one more writeup or video playlist from you about BOF... I don't see good resources for this.
Tib3rius has several videos about buffer overflow: ua-cam.com/video/1X2JGF_9JGM/v-deo.html
@@RanaKhalil101 Jazakallahu khair
Really nice and well explained. Also like your clear voice 👍🏻
thanks for this series ☺️☺️
Hi Rana, I followed your video and solved the lab using a Python script with binary search. Thank you for your content!!!
I believe you made a mistake at 17:00, you also should have changed 'administrator' after the = sign into 'administratorfwiofoweow' because if the query checks administratorfwiofoweow with administrator then obviously it will always be false, even if the username administratorfwiofoweow actually exists
I was thinking the same thing.
Very useful, thanks Rana.
Thanks to you ma'am.
Many of my doubts are clear now and I have a concise overview of how to think like you as a hacker.
But I have one doubt here in this video, please consider answering my question.
The main point of SQLI is to find out tables, columns and finally data.
Here we may find the "users" table by brute forcing.
But how could you find the columns' names by brute forcing or any other techniques when exploiting in the real world having no prior knowledge?
Thank you
❤❤❤
Thank you so much teacher; this helps a lot !!
Thanks for this Ms.Khalil
Thank you teacher, this helps me a lot
Does the community edition only allow one payload set per attack? :(
You mentioned that the password can be cracked by scripting with Python.
More details about that, please?
Thank you so much for this in-depth, detailed explanation!
Nothing is stopping you from sending HTTP requests using Python
Thank you so much, can I use this way for users... I'm talking about a brute forcer?
perfectly explained
Great Video! If somebody wants to run it on Community Edition, it's not a huge deal, my scan lasted around 35 minutes.
If the table, columns and user names are not given, how can we do the blind SQLi to extract them?
Well, you don't need the cookie editor extension, because nowadays viewing and editing cookies is possible directly from the browser's dev tools
Where is the video where you script this in Python?? Burp Community is way too slow to do these labs
Al salam alaikum, Rana, I can't find the SQL injection theory video you mentioned in the first minute of this video. Can you please share the link? Also I want to tell you that you are a very good instructor
Thank you! Here's a link to the video: ua-cam.com/video/1nJgupaUPEQ/v-deo.html&ab_channel=RanaKhalil
@@RanaKhalil101 I appreciate that, thanks, and Ramadan Mubarak
Have you ever tried Bug bounty programs ?
Hi sis, I can't apply 'welcome' in the filter section, how do I fix that?
Thanks a million for your awesome awesome videos. I have a request, please make a video on scripting with Python. Also, when will you release your videos on Lab 16 and above?
First of all great video, well explained MashAllah!
Some questions!!!
1. What if the users table exists with a different name like users_jkftb or users_yyytf?
2. What if administrator was named as admin or super user?
3. Does the vendor of the database matter? I think it does, based upon whether it is Oracle or MySQL our payloads would differ.
4. How can we construct an attack methodology that can work irrespective of database vendor and predefined names of tables or users? A real life approach.
Thanks
Ahmed
You can use the same substring() function for those fields like "database name", "user table name" or "username" if you have access to information_schema.tables with the injection. But it is the same way.
Great video! Thank you.
What's the name of the tool in that Python script? I don't have the Professional edition
Is URL encoding really necessary? Because it works fine without it
Thanks a lot. I really wanna see the Python solution 😁
Great video!
How do I get the tracking ID in the latest Cookie Editor? Can anyone help me sort it out, please?
Hi Rana, you said that the speed of Intruder can be faster by using Python scripting. Would you please point me toward any such material which teaches how to do scripting on Burp? Thanks
You cannot do Python scripting in Burp. She is saying that if you only have access to the Community edition, a cluster bomb attack would take too long and she would rather write a Python script to perform the attack, because it has no built-in throttling like Burp Community Edition.
excellent work
Has someone made a video about clusterbombing using python?
you used but why? I tried
Does anyone have a link to a python script tutorial that Rana mentioned? I'd love to see how to do this in Python.
Links to scripts are in the description of the video :)
@@RanaKhalil101 oh ya I found those eventually... LOVE IT! Thanks so much for all your work!
My search filter is not working in both normal and in Professional, can anyone help me please.
The results of the cluster bomb could just have been sorted: first by payload 1 descending, secondly by length descending.
Thank you very much
Thanks, ma'am, for this video
Thank you a lot
and (select username from users WHERE username='administrator'and LENGHT(password)>1)='administrator'--' this statement might not work in Burp Suite; instead of this go with and(SELECT+'a'+FROM+users+WHERE+username%3d'administrator'+AND+LENGTH(password)>1)%3d'a
Both don't work for me, do you have any idea? I use Burp Suite Community Edition
@@victornicol2136 try this: and(Select 'a' from users where username = 'administrator and LENGHT(password)>1)='a (make sure to URL-encode it by pressing Ctrl+U)
@@anirudhsaxena9214 Doesn't work as well 😕 but I think the error comes from the length command function, because I tried with other values and it never works, that's weird: ' and (select 'a' from users where username='administrator' and lenght(administrator)>1)='a I feel like I'm missing something really stupid haha
@@victornicol2136 Are you not getting the welcome back message through this, or getting a protocol error?
@@victornicol2136 broo thatsss notttttt lenght(administrator) that's LENGHT(password )🥲🥲🥲🥲
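Two things in the thread above matter just as much on the defending side: the probes travel URL-encoded (the `+` and `%3d` forms, or Ctrl+U in Burp), and people misspell function names such as LENGHT. A detector that pattern-matches the raw cookie, or that keys on the spelling of `LENGTH(`, misses both. The following is an added example, not code from the video or the lab, that decodes the TrackingId cookie first and then flags the structure of a boolean probe (a quote, a logical operator, then a subquery or string function). The cookie values are constructed for the demo; the cookie name follows the lab.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Cookie header values (not captured from the lab or the
# video): a normal tracking id, the URL-encoded form from the thread, the same
# probe with the LENGHT misspelling, and a fully percent-encoded substring probe.
SAMPLE_COOKIES = [
    "TrackingId=abc123",
    "TrackingId=abc123'+and(SELECT+'a'+FROM+users+WHERE+username%3d'administrator'"
    "+AND+LENGTH(password)>1)%3d'a",
    "TrackingId=abc123' and (select 'a' from users where username='administrator'"
    " and lenght(password)>1)='a",
    "TrackingId=abc123%27%20AND%20SUBSTRING((SELECT%20password%20FROM%20users"
    "%20WHERE%20username%3D%27administrator%27),20,1)%3D%27",
]

# Match the structure of a boolean probe: a quote that breaks out of the string
# literal, a logical operator, then a subquery or a string function. Keying on
# structure rather than on one function name means the probe with the
# misspelled LENGHT is still caught through its "(select".
BOOLEAN_TAIL = re.compile(
    r"'\s*(?:and|or)\s*\(?\s*(?:select\b|substr(?:ing)?\s*\(|length\s*\()",
    re.IGNORECASE,
)


def cookie_value(header_value, name="TrackingId"):
    """Return the raw (still encoded) value of one cookie from a Cookie header."""
    for part in header_value.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return ""


def flag_probe(header_value):
    """True if the decoded TrackingId looks like a boolean SQLi probe.

    Decoding first matters: '+' and %3d hide the quote, space and equals sign
    the pattern relies on, so matching the raw value would miss encoded probes.
    """
    decoded = unquote_plus(cookie_value(header_value))
    return BOOLEAN_TAIL.search(decoded) is not None


def scan_cookies(header_values):
    """Indices of the header values that are flagged as probes."""
    return [i for i, h in enumerate(header_values) if flag_probe(h)]


if __name__ == "__main__":
    for i, h in enumerate(SAMPLE_COOKIES):
        label = "PROBE" if flag_probe(h) else "clean"
        print(i, label, unquote_plus(cookie_value(h))[:60])
```

Running the raw, undecoded values through `BOOLEAN_TAIL` flags none of the encoded probes, which is the point: normalise the request the same way the application will before matching, and match on shape rather than on a keyword an attacker can mistype or vary.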
Hello, salutes from Russia. I have a question: what happened to your voice?
Thanks a lot
Thnx
You think you could also make a grep match filter like "Welcome back!" or all
Everyone has a different password for the exercise, so please don't copy from here and better do it. Thank me later. 😅
Sis, hurry up.
Most stupid exercise on PortSwigger. Why do SQLi when you can brute-force with Hydra? Waste of time.
Well, try and do that. Try brute-forcing a password that is 20 characters long. In this lab, you have a specification that the password is made up using only lowercase characters. That is 26 characters per slot. That is 20^26. The number is so large you can not put it into a scale that the human brain could comprehend. A modern computer can hash, let's say, 70k hashes a second. It would take 3040011596723926000000 years to break this password. Good luck with that.
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh. You think life is that easy?
My welcome filter is not applying in the Professional edition, can anyone help me please