Interested in supporting me and gaining early access to the Web Security Academy videos when they're recorded? Consider buying my course: academy.ranakhalil.com/p/web-security-academy-video-series! ✨ ✨
After recording the video, I realized the SQL payload can be much simpler. We don't need a CASE expression in order for it to work. The following is the alternative payload:
' || (select TO_CHAR(1/0) FROM users WHERE username='administrator' and SUBSTR(password,1,1)='a')|| '
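For the defender's side of the payload Rana gives above (and the CASE variant discussed further down), here is an added example, not part of the original comments: a small Python scanner that URL-decodes the TrackingId cookie from access-log lines and flags the conditional-error, concatenated-subquery and boolean-condition patterns. The log format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not from the page). The lab sends the tracking
# token in a cookie, so injected SQL arrives URL-encoded in the request.
SAMPLE_LOG = """\
10.0.0.5 - GET /filter?category=Gifts cookie="TrackingId=xyzAbc123"
10.0.0.7 - GET /filter?category=Gifts cookie="TrackingId=xyz'%20%7C%7C%20(select%20TO_CHAR(1%2F0)%20FROM%20users%20WHERE%20username%3D'administrator'%20and%20SUBSTR(password%2C1%2C1)%3D'a')%7C%7C%20'"
10.0.0.7 - GET /filter?category=Gifts cookie="TrackingId=xyz'%20%7C%7C%20(select%20CASE%20WHEN%20(1%3D1)%20THEN%20TO_CHAR(1%2F0)%20ELSE%20''%20END%20FROM%20users%20where%20username%3D'administrator')%7C%7C%20'"
10.0.0.9 - GET /filter?category=Gifts cookie="TrackingId=abc'%20and%201%3D2--"
"""

COOKIE_RE = re.compile(r'cookie="TrackingId=([^"]*)"')

# Each rule is (name, regex) applied to the decoded, lower-cased, space-normalised value.
RULES = [
    ("conditional-error", re.compile(r"to_char\s*\(\s*1\s*/\s*0\s*\)")),
    ("case-expression", re.compile(r"\bcase\s+when\b")),
    ("concatenated-subquery", re.compile(r"'\s*\|\|\s*\(\s*select\b")),
    ("boolean-condition", re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+")),
]

def decode_cookie(value):
    """URL-decode until stable so double-encoded payloads (e.g. %2527) are also caught."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def analyse_line(line):
    """Return (decoded_cookie, [matched rule names]) or None if there is no TrackingId."""
    m = COOKIE_RE.search(line)
    if not m:
        return None
    decoded = decode_cookie(m.group(1))
    folded = re.sub(r"\s+", " ", decoded.lower())
    return decoded, [name for name, rx in RULES if rx.search(folded)]

def scan(log_text):
    """Return [(line_no, decoded_cookie, hits)] for every line that matched a rule."""
    flagged = []
    for n, line in enumerate(log_text.splitlines(), 1):
        result = analyse_line(line)
        if result and result[1]:
            flagged.append((n, result[0], result[1]))
    return flagged

if __name__ == "__main__":
    for n, cookie, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {hits} <- {cookie}")
```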
Great explanation ma'am, keep it up
Effectively, that way works too. On the other hand, in the GitHub notes the last query appears as substr(password,,1)='a') instead of substr(password,1,1)='a'), but in the video it is OK. Thanks, congratulations, amazing content.
Hi Rana. Any chance you could explain how the concatenation works here? I get it when concatenating username and password for output, like in your previous vids, but I can't quite figure out how it works as part of a select statement. I imagine the query looks something like this, which doesn't make sense to me: select TrackingID from tracker where TrackingID = 'ddd' || (select '' from users where rownum=1) || '
@padaloni Yup, you're correct, the query would look similar to what you mentioned. To better understand it, I would recommend either installing an Oracle database or using this link to run the following queries: livesql.oracle.com/.
Query 1: select 'a' from dual where 'a'='a' -> This outputs the letter 'a' because the where clause is true.
Query 2: select 'a' from dual where 'a'='a' || (select 'b' from dual) -> This outputs nothing because the where clause is no longer true.
Query 3: select 'a' from dual where 'a'='a' || (select '' from dual) -> This outputs the letter 'a' because we're only concatenating a True with an empty string and so the where clause still evaluates to True.
In a similar way, if the questions we are asking the application in the exercise evaluate to True, then it outputs nothing, which doesn't break the where clause / SQL query.
@RanaKhalil101 Thanks so much for the explanation. I think I get it now, and I'll have a play on livesql ❤
I love it when Rana says "Here we go". Thanks Rana for your videos. Helps us a lot.
Thank you, Rana, you explain things so well, more so than every video about SQLi! please keep it up!
amazing tutorial thanks a million Rana!
Thank you Miss Rana, your videos have been helping me a lot
Assalamu Alaikum! Just to let you know that you're awesome :) . Keep up the good work mate!
YOU ARE THE BEST!!! thank you so much for your time and efforts doing all this.
I don't fully understand why we have to concatenate before AND after the select SQL query that we are running. Why can we not comment out anything else that comes after our query?
Thanks for making such useful content. I did learn a couple of new things that made the script I was working on a lot better. The part about using the decimal value for a character fixed the issue I had where the # character would generate the error and the script would return that as the character.
Thank you very much for sharing with us, great explanation. If I may, why did you use the || symbol in this injection and not "AND", compared to Lab #11?
Great Teaching ❤
Hi, as I remember, for blind SQLi the error is not returned in the application response, but in this one the error is given on adding the ' character. We could have used UNION, but why did we use conditional responses?
@RanaKhalil101 hello! Thank you so much for these videos! I'm learning so much and it's super exciting. I wondered if you'd mind doing an explanation on how to set up the lab environment to be accessed via the VScode terminal? I'd like to start being able to do that but I'm not sure how. Thank you so much!
I like the detailed way you showed everything about how to conduct penetration testing and the Python logic. I would like to learn more about cyber security. Can you help?
I am trying to find a way to extract the username as we extracted the password, because a lot of times the admin, administrator, root etc. usernames don't exist... Need help, or please make a video on that if possible. Thanks a lot.....
Ma'am, why is the script not working on my system?
Guys, if this error occurs: "ValueError: check_hostname requires server_hostname", download urllib3: pip install urllib3==1.25.11. It worked for me :)
my man doing god's work here. thanks!
THANK YOU!
Why do we need the second || expression?
It's there to concatenate the ' and close the other apostrophe when the query is executed.
How do you determine table and column names in a real situation? This lab provides the table and column names with the username data, but in a real situation we need to find the table and column names manually. Please teach me how to write the query to find table and column names for this blind error-based SQL injection.
Check the labs before this one. There you have to find the table name and column name yourself.
I tried the last step and noticed that I would be able to get the correct response if using substr() but it wouldn't work if using substring(). Anyone know why? I know in previous videos Rana used substring().
Because what we are dealing with is an Oracle database, and in it the substring keyword is substr(*,*,*). You can check the database by using UNION in the parameter.
Query:
' union select banner from v$version--
Why are you using double pipes instead of AND operator?
Because she is concatenating, not ANDing. The reason being, when you concatenate 'something' with NULL/blank, you get 'something' back.
Can anyone please explain why the following doesn't produce an error? Since the user 'administratorzxcxzcz' doesn't exist, I would think this should produce an error?
'|| (select CASE WHEN (1=1) THEN TO_CHAR (1/0) ELSE '' END FROM users where username='administratorzxcxzcz') ||'
Ah, I think I figured it out... "The application does not respond any differently based on whether the query returns any rows."
Hey buddy!!!
In an Oracle database, at first the FROM statement will run and it checks if the users table exists or not, and after that it checks if the username is admiisdfsdfgsdf. If this user doesn't exist then the CASE statement will not run, so it doesn't produce any errors.
trakingid' and 1=2--
This doesn't show an error message... why???
Because injecting different Boolean conditions makes no difference to the application's responses.