Interested in supporting me and gaining early access to the Web Security Academy videos when they're recorded? Consider buying my course: academy.ranakhalil.com/p/web-security-academy-video-series! ✨ ✨
I am binging this whole series. Thank you for being an amazing explainer. As soon as I can afford it I am going to pay for your video series to show support to you. THANK YOU
wonderful explanation, I had my aha moments in this video. Keep up the good work
Thank you so much, this was so helpful! Greetings from Costa Rica.
thank you♥♥
but in 6:46 the payload for mysql
the comment is //%20 or #
Thanks again
Hi, I have a question. In some videos you use the '||' operator and in some you use 'and'. Can you explain that?
I have 2 questions:
1. With string concatenation, when you consider MySQL, why did you use || instead of a space? (In the cheat sheet they're using a space.)
2. In a query: select tracking-id.... why did it end with ' ?
Can you explain? Thank you so much!
Very nicely explained sister
Thank you Rana for the amazing guide. Could you please clarify why we need to add the concatenate || in the query? I'm still unclear about this.
I have the same question: why should it not work with AND?
@@ahmedsaleem9327 An AND needs a condition after it, because the query is something like SELECT X FROM Y WHERE Z='xxxxxx'. So if we add AND we need a condition; having sleep after it will not make any sense and it will result in a syntax error.
@@ahmedsaleem9327 SAME DOUBTS, if you get the answer please mention it here.
Thank you, I will follow you in every video
Me too
Thank you Ms. Khalil
In this tutorial, why did providing a single quote in the tracking cookie not throw an internal error? If so, how will we know that the parameter is vulnerable to SQL injection?
I know it's a late reply but perhaps as you're giving 2 instructions. 1 for the timing delay and the other for length of time? This seems to be logical to me as || is used to join strings / commands.
@@camelotenglishtuition6394 It's not true, it's because the application catches database errors and handles them gracefully.
Why don't you try using AND or anything else but use || first?
Does it work with AND? Because I tried but got no results.
@@shba9300 An AND needs a condition after it, because the query is something like SELECT X FROM Y WHERE Z='xxxxxx'. So if we add AND we need a condition; having sleep after it will not make any sense and it will result in a syntax error, and in this case we can't see the result of a syntax error.
AND needs boolean, so it doesn't work. But batched queries will also work:
'%3B select pg_sleep(10)--
AND also works: ' AND 1=(SELECT 1 FROM pg_sleep(10))--
Don't know if this video is alive and someone is replying, but I think that if you are explaining the exploit part by part, it is best to also explain why you used || to concatenate. I have no idea what made you want to put that, and it's a shame because SQLi is all about logic.
This was exactly my question. Why did we use ||? The original code is SELECT pg_sleep(10); how was it transformed to || (SELECT pg_sleep(10))?
@@amiremami8661@danielklibanov5797 It seems like the decision to use || was incorrect for a MySQL back end since MySQL uses CONCAT() for concatenation. || was used since it is the concatenation operator for the PostgreSQL DB, which is what is running on the back end for this lab. (If a function is concatenated it is executed as part of the concatenation, hence causing the DB to sleep.) However, if all sleep payloads were to be tried as implied in the vid, it would be incorrect to use || as the concatenation operator for all of them. Fwiw, MySQL can be configured to use || as a concatenation operator, but there is no way the attacker should assume that it's configured that way.
@@z3nsh3ll Hey, thank you so much man ❤ , I'm already following you, one of the best channels that explain things deeply 🙏
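Added example, not from the video or from any commenter: the two points raised in the thread above (a concatenated subquery is evaluated by the database, and a lone quote shows nothing because errors are handled quietly), next to the parameterized query that removes both. It assumes SQLite as a stand-in for the lab's PostgreSQL (both use || for concatenation); the `tracking` table, the cookie values and `probe()`, which replaces pg_sleep() and only counts evaluations, are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the lab's tracking table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tracking (id TEXT)")
    db.execute("INSERT INTO tracking VALUES ('abc123')")
    calls = []
    # probe() is a hypothetical stand-in for pg_sleep(): it records that the
    # database evaluated it instead of delaying the response.
    db.create_function("probe", 0, lambda: calls.append(1) or "")
    return db, calls

def handle_concat(db, cookie):
    """Vulnerable: the cookie text becomes part of the SQL statement."""
    sql = "SELECT id FROM tracking WHERE id = '" + cookie + "'"
    try:
        db.execute(sql).fetchall()
    except sqlite3.Error:
        pass  # errors are swallowed, so a stray quote changes nothing visible
    return "200 OK"

def handle_param(db, cookie):
    """Hardened: the cookie is bound as data and never parsed as SQL."""
    db.execute("SELECT id FROM tracking WHERE id = ?", (cookie,)).fetchall()
    return "200 OK"

def run(handler, cookie):
    """Return (response, number of times the database evaluated probe())."""
    db, calls = make_db()
    return handler(db, cookie), len(calls)

# Constructed cookie values: normal, lone quote, concatenated subquery.
COOKIES = ["abc123", "abc123'", "abc123'||(SELECT probe())||'"]

if __name__ == "__main__":
    for cookie in COOKIES:
        print(repr(cookie), run(handle_concat, cookie), run(handle_param, cookie))
```

The response is "200 OK" in every case; only the evaluation count differs, which is why a delay is the one observable signal in the lab and why binding the cookie as a parameter leaves nothing to observe.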