Most of what was going on in the video was beyond me, for now, but it was neat to see the results towards the end of the video. It's interesting to see what you can do once you have a solid understanding of the technology.
Another really great video, dude. I'd really love to see a longer vid from you dedicated to teaching python for basic web hacking covering the common modules and common usage. Pretty please :) I'd be keen to pay to see that!
How would you counter this? adding delays to random % of sql queries sounds goofy? query string scanning for selects on metatables describing the database and its tables? sql throtteling per user?
What I don't get: How can you even screw up sanitizing your input like this? Either you are aware of SQL injections and close that gap completely or you aren't - that's what I naively believed until now. Or is it like: A timing attack is sometimes the only way to leverage an SQL injection gap? Anyway, thanks for the video!
Love your videos bro. You probably already know this, but after you typed "mkdir the_sql_always_sucks" then proceeded to type "cd " ... as a shortcut, next you could have typed ALT + "." That allows you to repeat the last argument from the previous command(s). If you keep typing ALT + ".", it cycles through all previous commands. Just a little shortcut I use.
So a word of the wise: that may work in a terminal (e.g. in GNOME, which I tried and does work) but doesn't work in SSH (at least in PuTTY and SecureCRT, both of which I tried). An alternative that works, however, would be "cd !$". "!$" is a shell expansion that expands to "whatever my last command's last argument was". So in this case, "mkdir the_sql_always_sucks" then "cd !$" and you're there. Generally speaking, I would highly recommend getting familiar with shell expansions and string manipulations as they're VERY powerful. People will literally call you "the shell wizard" (it happens at work, I kid you not) if you can master them. They make your job a million times easier too, if used correctly. Using !! (last command), !$ (last argument of last command), and !str (last command in history that started with str): $ cat /etc/sudoers (permission denied) $ sudo !! (expands to "sudo cat /etc/sudoers" as it repeats your whole last command) $ sudo cat !$ (also expands to "sudo cat /etc/sudoers", as it repeats your last command's last argument) $ cat /etc/hosts $ vi some-file $ cd somewhere $ touch something $ !ca (expands to "cat /etc/hosts" since that was your last command that started with "ca") Using "{...}" to pass multiple arguments to a command or a loop: $ for N in {1..10}; do echo ${N}; done (expands to every number from 1 to 10, and the for loop repeats that many times) # cp /etc/sudoers{,.bak} (expands to "cp /etc/sudoers /etc/sudoers.bak" - a fast way to make a backup of a file - because the braces expands to two arguments - one with nothing, and one with ".bak") $ ls -ld /{home,etc,opt,tmp,var{,/log{,/secure}}} (expands to "ls -ld /home /etc /opt /tmp /var /var/log /var/log/secure", a more magical way to iterate on the "adding something on the end" aspect of expansions) Doing fancy stuff with variables: $ LOWERNAME="john" $ CAPSNAME="${LOWERNAME^}" (the single caret "^" uppercases the first character to "John") $ UPPERNAME="${LOWERNAME^^}" (two carets "^^" uppercases the entire string to "JOHN") $ LCAPSNAME="${UPPERNAME,}" (a single comma "," lowercases the first character to "jOHN") $ LOWERNAME="${UPPERNAME,,}" (two commas ",," lowercases the entire string to "john") $ FQDN="my-server.example.com" (we'll grab JUST the hostname and domain names separately) $ HOSTNAME="${FQDN%%.*}" (results in "my-server" as "%%str" removes the longest matching str, in our case "a period followed by anything else") $ DOMAIN="${FQDN#*.}" (results in "example.com" as "#str" removes the shortest matching str, in our case "anything followed by a period" Sure you can do stuff in awk and cut and whatnot, but shell builtins are just as easy, if not easier. And just basic stuff that saves you keystrokes: $ > file (if you want to make sure a file is empty, you don't need to echo anything to it; just redirect nothingness to it) $ vi !$ (there's that "last argument from last command" thing again) $ cd /tmp (make note of where you are, when you issue this; more in the next command) $ cd - (this will cd you back to the last directory you were in - it's stored in $OLDPWD) $ cd (the "cd" command will cd you to $HOME if no directory is specified) Anything you can do to save yourself a keystroke is time saved, when you have to do it tens to hundreds of times a day. Anywho... Good luck, happy Linux-ing! :)
Yeah I am not good at python but I know more about Node.js so made this type of script in nodejs. when you print the current known_data it is so satisfying like ASMR.
just tried to register on the acictf.com It says you have to own special type of email "You can register provided you have an email for one of these domains:*.edu, *.gov, *.mil" . is this site only for some security professionals? or how can I get in? any hints?
Stop the underlying vulnerability, SQL injection. This is only possible because the site is vulnerable to SQL injection (the whole " ' OR 1=1; -- " part.
Right now I can think of two ways: 1) Escape the input on the query (don’t let ‘, “ and other funny characters even reach it) 2) Less elegant way, but add an artificial delay to every query, so you inhibit this kind of attack.
No just get Atom, some addon do have a subscription model, but they generally don't provide anything worth wile, as a text/code editor it's really good.
The big twist with the challenge was the fact, that you do not get any output from your injected SQL, that's why he just "assumed" certain values and then used the time it took for the database to return as an indicator whether it was true or not. The reason this works: When SQL gets a list of conditions linked with AND it will try to look at them one by one. In case the first part of an AND is false, it's no use to check the second condition and will quickly abort. In the case that the first part is indeed true then second part has to be checked which is a "heavy to compute" condition (in this case just generating random data, which just takes a little while).
Dang that sql timing injection technique was beautifully engineered. Always learn something new on this channel.
John Hammond:Hacker. Friend. Security Researcher
Also John Hammond: Copy paste password in plain text
That sql time-attack was absolutely awesome!
17:00 I would have just got it to rerun a couple of times if it thought it got a match and only print/break if all are true
Sqlite injection is a little bit difficult BUT you "John Hammond" explain it very well - so I understand it - Thanks for that! ^^
Really like the manual way to solve problems...nice useful content
Definitely cool! Thanks, John, as always great content!
This was great! Always learning something new from you
That was very well presented. Thanks!
Most of what was going on in the video was beyond me, for now, but it was neat to see the results towards the end of the video. It's interesting to see what you can do once you have a solid understanding of the technology.
Another really great video, dude. I'd really love to see a longer vid from you dedicated to teaching python for basic web hacking covering the common modules and common usage. Pretty please :) I'd be keen to pay to see that!
Learn python
Did you change you password after leaking it? @17:42
Ah yes, thank you! And thanks for watching!
@@_JohnHammond Hahaa
Wat abt using sqlmap....could u solve it completely using sqlmap?
@@_JohnHammond Instructions unclear. Fell asleep browsing John's photo directory.
How would you counter this? adding delays to random % of sql queries sounds goofy? query string scanning for selects on metatables describing the database and its tables? sql throtteling per user?
Thank you! This was very interesting
What I don't get: How can you even screw up sanitizing your input like this? Either you are aware of SQL injections and close that gap completely or you aren't - that's what I naively believed until now. Or is it like: A timing attack is sometimes the only way to leverage an SQL injection gap? Anyway, thanks for the video!
The best as usual
Love your videos bro. You probably already know this, but after you typed "mkdir the_sql_always_sucks" then proceeded to type "cd " ... as a shortcut, next you could have typed ALT + "." That allows you to repeat the last argument from the previous command(s). If you keep typing ALT + ".", it cycles through all previous commands. Just a little shortcut I use.
So a word of the wise: that may work in a terminal (e.g. in GNOME, which I tried and does work) but doesn't work in SSH (at least in PuTTY and SecureCRT, both of which I tried). An alternative that works, however, would be "cd !$". "!$" is a shell expansion that expands to "whatever my last command's last argument was". So in this case, "mkdir the_sql_always_sucks" then "cd !$" and you're there.
Generally speaking, I would highly recommend getting familiar with shell expansions and string manipulations as they're VERY powerful. People will literally call you "the shell wizard" (it happens at work, I kid you not) if you can master them. They make your job a million times easier too, if used correctly.
Using !! (last command), !$ (last argument of last command), and !str (last command in history that started with str):
$ cat /etc/sudoers (permission denied)
$ sudo !! (expands to "sudo cat /etc/sudoers" as it repeats your whole last command)
$ sudo cat !$ (also expands to "sudo cat /etc/sudoers", as it repeats your last command's last argument)
$ cat /etc/hosts
$ vi some-file
$ cd somewhere
$ touch something
$ !ca (expands to "cat /etc/hosts" since that was your last command that started with "ca")
Using "{...}" to pass multiple arguments to a command or a loop:
$ for N in {1..10}; do echo ${N}; done (expands to every number from 1 to 10, and the for loop repeats that many times)
# cp /etc/sudoers{,.bak} (expands to "cp /etc/sudoers /etc/sudoers.bak" - a fast way to make a backup of a file - because the braces expands to two arguments - one with nothing, and one with ".bak")
$ ls -ld /{home,etc,opt,tmp,var{,/log{,/secure}}} (expands to "ls -ld /home /etc /opt /tmp /var /var/log /var/log/secure", a more magical way to iterate on the "adding something on the end" aspect of expansions)
Doing fancy stuff with variables:
$ LOWERNAME="john"
$ CAPSNAME="${LOWERNAME^}" (the single caret "^" uppercases the first character to "John")
$ UPPERNAME="${LOWERNAME^^}" (two carets "^^" uppercases the entire string to "JOHN")
$ LCAPSNAME="${UPPERNAME,}" (a single comma "," lowercases the first character to "jOHN")
$ LOWERNAME="${UPPERNAME,,}" (two commas ",," lowercases the entire string to "john")
$ FQDN="my-server.example.com" (we'll grab JUST the hostname and domain names separately)
$ HOSTNAME="${FQDN%%.*}" (results in "my-server" as "%%str" removes the longest matching str, in our case "a period followed by anything else")
$ DOMAIN="${FQDN#*.}" (results in "example.com" as "#str" removes the shortest matching str, in our case "anything followed by a period"
Sure you can do stuff in awk and cut and whatnot, but shell builtins are just as easy, if not easier.
And just basic stuff that saves you keystrokes:
$ > file (if you want to make sure a file is empty, you don't need to echo anything to it; just redirect nothingness to it)
$ vi !$ (there's that "last argument from last command" thing again)
$ cd /tmp (make note of where you are, when you issue this; more in the next command)
$ cd - (this will cd you back to the last directory you were in - it's stored in $OLDPWD)
$ cd (the "cd" command will cd you to $HOME if no directory is specified)
Anything you can do to save yourself a keystroke is time saved, when you have to do it tens to hundreds of times a day.
Anywho... Good luck, happy Linux-ing! :)
@@iSuperGeek Nice...Anyway its easier for me to press the "up-arrow" and then Home and type sudo :) Its all I need with my current knowledge
This is pretty awesome!
That's a pretty strong password john haha
Gotta use LastPass ;)
Thanks for watching!
John how did you get your sublime to generate the html from python????
Awesome video
Yeah I am not good at python but I know more about Node.js so made this type of script in nodejs. when you print the current known_data it is so satisfying like ASMR.
Really ace again thanks!
just tried to register on the acictf.com
It says you have to own special type of email "You can register provided you have an email for one of these domains:*.edu, *.gov, *.mil" .
is this site only for some security professionals? or how can I get in? any hints?
LOL Its for students or people working in government
Yeah, I got that.
Wouldn't be faster to try to match each bit from the string?
great video
Hi John, Please tell me how can i access that CTF site
love ur video very much!!!
good as always :)
R.I.P Sqlmap 🤣🤣🤣🤣🤣
I was today years old when I learned you could good your user agent 😳
super fun videos
that was awesome!
Sry maybe that's a dumb question, but what 'Get parameter' firstname' does not to appear dynamic mean?
That amazing
I'm more interested in how to stop such attack technique
Stop the underlying vulnerability, SQL injection. This is only possible because the site is vulnerable to SQL injection (the whole " ' OR 1=1; -- " part.
Right now I can think of two ways:
1) Escape the input on the query (don’t let ‘, “ and other funny characters even reach it)
2) Less elegant way, but add an artificial delay to every query, so you inhibit this kind of attack.
@@iSuperGeek just use prepared statement
@@abeplus7352 Exactly. Rolling your own SQL or encryption these days is asking for trouble.
Nice
wheres the 2 python scripts the 1st to get the table name and the second to get the flag? can you upoload them to your github and post a link to them?
You could just copy what he types during the video
Could we just use --random-agent techniques=T --level 5 --risk 3 ??
Hi John, I installed subl the other day.... didnt realise you had to pay for it. Is it really worth paying for as I see you do use it a lot?
Search online for crack key of sublime text of what version you are
@@unevalkamlesh387 Most of the time the Keys dont Work, just open sublime in Ida or similar and bytepatch the Code thats determining the license
No just get Atom, some addon do have a subscription model, but they generally don't provide anything worth wile, as a text/code editor it's really good.
Wow
Instead of brut-forcing for each character, you really should use the dichotomy algorithm.
dang it i cant understand how this attack works LOL
Why couldn't you just dump the table names, like shown in the cheatsheet?
The big twist with the challenge was the fact, that you do not get any output from your injected SQL, that's why he just "assumed" certain values and then used the time it took for the database to return as an indicator whether it was true or not.
The reason this works:
When SQL gets a list of conditions linked with AND it will try to look at them one by one. In case the first part of an AND is false, it's no use to check the second condition and will quickly abort. In the case that the first part is indeed true then second part has to be checked which is a "heavy to compute" condition (in this case just generating random data, which just takes a little while).
I would buy every million dollar HOME and Sunglasses from this place. --👍@lg0r1thm
Wow