First to know in MySQL, unless the string is a number ('123', '-42') or the strings starts by a number, every other string equals 0 (or FALSE). That makes password = 'username' = 'anything' be true in this way: the DB system fill Michelle's password into the where clause, it becomes 'MichellePassword' = 'username' = 'anything'. Then, 'MichellePassword' = 'username' is 0(false), and 0 = 'anything' is true because the string 'anything' is calculated as an 0! And finally the where clause makes a funny result --> True. That makes the attack success.
Oh WOAH! Okay, THAT is awesome! Thanks for helping clarify that. I never exactly understood it 1000%. Pinning your comment so other viewers get a more solid explanation :)
@@_JohnHammond If we wanna be a little bit more precise, it is password = `username` = 'anything'. Note the backticks on the "username" field. It's because the key of the passed object is username, and backticks indicate it's a column name, not a value. Thus, when evaluating, MySQL will resolve password column as Michelle's password, let's say "MichelleP4ssword" `username` will be evaluated as "michelle", and "anything" will stay "anything". If you put password[password]=anything, then the `password` column will be replaced with "MichelleP4ssword" ending with this evaluation: "MichelleP4ssword" = "MichelleP4ssword" = "Anything". First, "MichelleP4ssword" = "MichelleP4ssword" will be true, and then, true = "Anything" will be false, so it doesn't authenticate. That's why it's working with "username" or "id", but not with "password".
@@hackndo6891 So is this also the reason it didn't work with admin-admin, because "admin"="admin" returns true, and admin is both username and password?
John, never worry about video length when making these. We like to see your learning process. It helps us become better. I used to hack in the 90's and after the family i never had time. Just now getting back into it! Keep up the good work. Kudos to you! \
Yup, if anything a bit more digging would have been good in this case. I don't feel like this video had a real conclusion :( I'm still a bit lost as to why password[password]="xyz" doesn't work.
I completely agree! Watching how you think through things helps me learn how to do the same. You told everyone when you captured the flag, whoever didn't want to keep watching could stop 🙂
I agree 100%.. Let the video be long.. Watching you go down these rabbit holes, helps us understand the hacker mentality and the different ways to solve problems. Love your vids!
I agree John 95% of your support group is here to learn so dont worry about surfing the net making a video too long because the whole process helps all of us learn new methods, tricks and valuable information for the long haul. Thanks for adding me on LinkedIn recently. Another great video my friend.
John, I am getting into cybersecurity as a new job and I actually really appreciated seeing how you looked up information to try to figure out how things were working at the end of the video. I appreciated it for 2 reasons, 1, it shows how to find the cause of a security flaw (and therefore how it might be patched) and 2, it shows the actual logic on why the method worked in the first place (pretty much an exercise in "how" to think about it rather than just stopping at "it works, so why do I care why it works?").
Hey the end where you are trying to understand what’s going on is just important. It’s not stupid. You are showing people how to find answers and learn
Even if its someone else's work its still John's ability to work through, digest and express ideas in a easy to understand way that keeps the viewers coming back.
Bro i'm sure most of us are learning lot of stuff from ur videos, and we r here because of the way u explain things so don't worry about the writeup being urs or no, i prefer watch one of ur videos than reading an article
I was also really curious as to why this bypass worked so I did a little digging. By using the "mysql.format" function with the nodejs library and passing in the SQL statement from the source code with the two input parameters that would have come in from the request (with the password coming in as an object), it returns the following query: Select * from users where username = 'michelle' and password = `username` = 'whatever'. The issue comes with the comparison having the multiple equals signs, which will always evaluate to true with string comparisons based on the order that MySQL evaluates such a statement (there are some stack overflow threads that explain this better than I can). I think the whole point of the challenge was that passing in an object into the prepared statement would produce a scenario where it adds this extra = to the password checking part of the query, rendering it useless.
Great explanation, but I have one small question left. Why at 16:28 does username=admin not work? To my understanding it should just log you in as the admin user right?
To elaborate, the password=‘username’ would evaluate to true (which is evaluated as 1 in MySQL), which would be compared to “whatever” as “1=0(false)”, which would ultimately return false
Nothing at all wrong with following the rabbit hole until you find a solution. I can't speak for others, but learning WHY these things work is part of why I watch these. By all means, throw down a point like you did where folks can get off the train, but don't feel obligated to cut the research short if it's still unknown. That's the most important part, IMHO.
I'm doubtful anybody ever can or has gotten to a point where they'll never have to look something up to solve every CTF challenge. Considering your audience, myself included, we're always coming across something that makes redefine our understanding and makes us dig for why things work the way they do. I think this is the fun part, we're not just learning. We're constantly asking "How can I use these rules, this system to solve the challenge?" With how technical and dry all of this stuff can be, I think that's a key part of what makes it fun. Well, at least for me. It's a mystery waiting to be solved. Nobody wants to watch a mystery thriller where we jump from unsolved case to the criminal being arrested. I know, at least personally, I love watching how someone else uses critical thinking and deductive reasoning to find the answer. It's inspiring and fascinating. Anywho, thanks for the video! I really enjoyed this one more than usual and look forward to watching more!
hey just a comment! @John Hammon the way you wondered on the internet, is something we all do and talk exactly like that just not otloud but it ends up being natural, and it's besides entertaining a good way of showing the process to new comers! so keep it natural, we love it! Suscribed
Hi John, Love the channel and the videos. You seem to have a great eye for exploitable aspects of the code during the ctf you get the job done. I would much prefer a longer format where you dig deeper into the node source given in the challenge prior to retrofitting write ups. Possibly you could run the code locally, step through with breakpoint debugging. Would also love to see an 'alarm bells ringing when I see this' cheat sheet per domain server stack / language. Keep the good content coming!
Thank you so much for uploading your videos! I'm super new into the tech world and am learning so much from. Although I don't know 100% of what you're talking about it makes me curious and I start searching up these words. Thank you John !!!
This is too good. I am entertained by this type of stuff than other regular videos where you get to the point without any trouble. And let the videos be hours long it does not matter.
The string actually evaluates to: "Select * from users where username = 'michelle' and password = `username` = 'michelle';" I added a part in my writeup (at 21:26) explaining how I think it works, hope this helps :) Link: github.com/csivitu/CTF-Write-ups/tree/master/Google%20CTF/Web/Log-Me-In
Still don't get why select * from table where field=''='' gives all the table John, how about bonus episode with explanation about SQL type-cast weirdness and how vulnerable could it be?
Some clarification: SELECT * FROM table WHERE field=''='', evaluates the WHERE clause for each record/row. With the assumption that 'field' is a string type, let's say for the first row, 'field' has a value of 'first'. Then for the first row, the WHERE clause evaluates to 'first'=''=''. The first part of the expression is 'first'=''. This is an equality comparison between two (clearly distinct) strings. The result is obviously false (which is the same as 0). The second part of the expression is then evaluated, as 0=''. For the purpose comparing numeric values and strings, strings are implicitly casted to said numeric type. Strings that are a numeric value will be casted as that value. For example '32' will be casted as 32. Strings beginning with a numeric character and containing non-numeric characters will be casted as the numeric value leading the string. For example '4somestring' will be casted as 4. All other strings are casted as 0. Returning to our expression, this means that the second comparison becomes 0=0 (since an empty string has no numeric characters), resulting in true. Thus, we can return this record/row. As becomes apparent, for all records, unless the value contained within 'field' is an empty string, this WHERE clause will always evaluate to be true. If a record has a 'field' value of an empty string, then the expression evaluates as follows: ''=''='' -> true/1='' -> true/1=0 -> false/0. So, if every record in your table has a value for 'field' that is a non-empty string, you will return them all.
thats what i like about you and your videos. you are awesome and humble at the same time. i learned so much from your videos and yourself. wholesome hacker and conetent creator 👏👏🙌🙌
Hey John, tbh the last part was the most interesting one for me, not boring at all :-) also... I would've loved if you would have tried the prototype polution here aswell
Unless I'm mistaken Michelle is the password and when you parse it in the way you did the string works. I face-palmed when I figured it out. Admin's password is "admin" so it's logical that they did something overly easy for the flag account. Either that or it's including the password as a part of the username object.
Does anyone know a video or link to a video of Johns that explains the process of downloading/extracting the page source? It was gone over around 2:25 in the video but he said 'hes already downloaded the source' and simply extracts it. i've tried this in the past and usually get the html source after the code has been interpreted by a browser, rather than the raw source like he has. thanks!
Hey John, if I wanna practice these ctf challenges now, I mean I wanna upsolve them how can I do ? Could you please provide me any hint or something, please help.
on SQL, ` can be used to mark the value as the name of a column or table password=`password` it is the same as password=password, basically it is comparing if the value of the password column is equal to itself, what will always be true password = `password` = 1 will be evaluated to true = 1 which is the same as true = true, that is, true
My suggestion is to start a local copy of the challenge as soon as possible. Then start debugging the program, i.e., put prints near the query to understand what's happening and what's actually being sent to MySQL.
I have to tell you to "slow the F down" sometimes and pause you... lol I need to visualize things, which means I may need to read what you read outloud twice. Not sure if possible, but if there is a way you could describe a visualization of things, like what that pinned comment means, it would be amazingly helpful on how it works. Appreciate your videos mate
what about 1 'or' 1 '=' 1 in password field and michell in username field SQL Query: SELECT * FROM column_name where username = michell AND password = 1 'or' 1 '=' 1 1 is not the valid password, but 2nd statement is true ( 1 = 1 )
In my opinion when pass object variable with keys into js it will without qoute, so it translate into sql language to this 'select * from users where username="michelle" and password=username' it means 'password' equal to 'password' in same row where username="michelle" #cmiww
Talking about the code and your thought process, not boring. On the other hand... constant interruptions talking about the length of the video, how we can stop if we want, and how we may be perceiving it...
I don't get this video. Are you acting like you don't know the answer like a recreation of what someone would do for this CTF or is this you doing it for the first time? Just because you keep flipping from not knowing and exploring to being certain and just putting in the answer in seemingly by accident... I am genuinely confused.
Not watched this yet. But last 2 i watched this guy couldnt do but basically made a vid "teaching" while following another persons write up. If same happens here im giving up on this channel
First to know in MySQL, unless the string is a number ('123', '-42') or the strings starts by a number, every other string equals 0 (or FALSE). That makes password = 'username' = 'anything' be true in this way: the DB system fill Michelle's password into the where clause, it becomes 'MichellePassword' = 'username' = 'anything'. Then, 'MichellePassword' = 'username' is 0(false), and 0 = 'anything' is true because the string 'anything' is calculated as an 0! And finally the where clause makes a funny result --> True. That makes the attack success.
Oh WOAH! Okay, THAT is awesome! Thanks for helping clarify that. I never exactly understood it 1000%. Pinning your comment so other viewers get a more solid explanation :)
nice one! thanks for the explanation.
@@_JohnHammond If we wanna be a little bit more precise, it is password = `username` = 'anything'. Note the backticks on the "username" field. It's because the key of the passed object is username, and backticks indicate it's a column name, not a value.
Thus, when evaluating, MySQL will resolve password column as Michelle's password, let's say "MichelleP4ssword"
`username` will be evaluated as "michelle", and "anything" will stay "anything".
If you put password[password]=anything, then the `password` column will be replaced with "MichelleP4ssword" ending with this evaluation:
"MichelleP4ssword" = "MichelleP4ssword" = "Anything". First, "MichelleP4ssword" = "MichelleP4ssword" will be true, and then, true = "Anything" will be false, so it doesn't authenticate.
That's why it's working with "username" or "id", but not with "password".
Wow! That bizarre!!
@@hackndo6891 So is this also the reason it didn't work with admin-admin, because "admin"="admin" returns true, and admin is both username and password?
John, never worry about video length when making these. We like to see your learning process. It helps us become better. I used to hack in the 90's and after the family i never had time. Just now getting back into it! Keep up the good work. Kudos to you!
\
Yup, if anything a bit more digging would have been good in this case. I don't feel like this video had a real conclusion :( I'm still a bit lost as to why password[password]="xyz" doesn't work.
I completely agree! Watching how you think through things helps me learn how to do the same. You told everyone when you captured the flag, whoever didn't want to keep watching could stop 🙂
damn in the 90's you coming back from that http password cleartext era xD
I agree 100%.. Let the video be long.. Watching you go down these rabbit holes, helps us understand the hacker mentality and the different ways to solve problems. Love your vids!
That "boring and stupid" part at the end was exactly what I'd love to see more of
I come here to write same comment
Honestly I found the part at the end (that you said was so boring) where you were exploring why that worked to be the most intriguing part. 😁
Watched until the end because im here to learn, love the extended cut.
I agree John 95% of your support group is here to learn so dont worry about surfing the net making a video too long because the whole process helps all of us learn new methods, tricks and valuable information for the long haul. Thanks for adding me on LinkedIn recently. Another great video my friend.
Watching you trying to learn something isn't boring, I actually enjoy to watch that.
Good job and a nice video.!
John,
I am getting into cybersecurity as a new job and I actually really appreciated seeing how you looked up information to try to figure out how things were working at the end of the video. I appreciated it for 2 reasons, 1, it shows how to find the cause of a security flaw (and therefore how it might be patched) and 2, it shows the actual logic on why the method worked in the first place (pretty much an exercise in "how" to think about it rather than just stopping at "it works, so why do I care why it works?").
grandma approved
Hey the end where you are trying to understand what’s going on is just important. It’s not stupid. You are showing people how to find answers and learn
I may not speak for everyone but hearing your thinking process when going down the rabbit hole is what taught me the most in this video. Thank you!
Even if its someone else's work its still John's ability to work through, digest and express ideas in a easy to understand way that keeps the viewers coming back.
Bro i'm sure most of us are learning lot of stuff from ur videos, and we r here because of the way u explain things so don't worry about the writeup being urs or no, i prefer watch one of ur videos than reading an article
I was also really curious as to why this bypass worked so I did a little digging. By using the "mysql.format" function with the nodejs library and passing in the SQL statement from the source code with the two input parameters that would have come in from the request (with the password coming in as an object), it returns the following query: Select * from users where username = 'michelle' and password = `username` = 'whatever'. The issue comes with the comparison having the multiple equals signs, which will always evaluate to true with string comparisons based on the order that MySQL evaluates such a statement (there are some stack overflow threads that explain this better than I can). I think the whole point of the challenge was that passing in an object into the prepared statement would produce a scenario where it adds this extra = to the password checking part of the query, rendering it useless.
Could you point to the stack overflow threads, I couldn't find them and I'm interested
@@sgaleta I think this one explains it in a really clear, concise manner stackoverflow.com/questions/19214675/why-does-select-a-b-c-return-1-in-mysql
Great explanation, but I have one small question left. Why at 16:28 does username=admin not work? To my understanding it should just log you in as the admin user right?
@@J0R1AN I think it’s because the password for is also admin
To elaborate, the password=‘username’ would evaluate to true (which is evaluated as 1 in MySQL), which would be compared to “whatever” as “1=0(false)”, which would ultimately return false
Nothing at all wrong with following the rabbit hole until you find a solution. I can't speak for others, but learning WHY these things work is part of why I watch these. By all means, throw down a point like you did where folks can get off the train, but don't feel obligated to cut the research short if it's still unknown. That's the most important part, IMHO.
I'm doubtful anybody ever can or has gotten to a point where they'll never have to look something up to solve every CTF challenge. Considering your audience, myself included, we're always coming across something that makes redefine our understanding and makes us dig for why things work the way they do. I think this is the fun part, we're not just learning. We're constantly asking "How can I use these rules, this system to solve the challenge?"
With how technical and dry all of this stuff can be, I think that's a key part of what makes it fun. Well, at least for me. It's a mystery waiting to be solved.
Nobody wants to watch a mystery thriller where we jump from unsolved case to the criminal being arrested. I know, at least personally, I love watching how someone else uses critical thinking and deductive reasoning to find the answer. It's inspiring and fascinating.
Anywho, thanks for the video! I really enjoyed this one more than usual and look forward to watching more!
hey just a comment! @John Hammon the way you wondered on the internet, is something we all do and talk exactly like that just not otloud but it ends up being natural, and it's besides entertaining a good way of showing the process to new comers! so keep it natural, we love it!
Suscribed
I really like these videos. You reading through write ups and explaining your thought process is really informative. Good job keep it up!
Hi John,
Love the channel and the videos. You seem to have a great eye for exploitable aspects of the code during the ctf you get the job done. I would much prefer a longer format where you dig deeper into the node source given in the challenge prior to retrofitting write ups. Possibly you could run the code locally, step through with breakpoint debugging. Would also love to see an 'alarm bells ringing when I see this' cheat sheet per domain server stack / language.
Keep the good content coming!
The extended cut is awesome. Don’t worry about the length of the video!
Thank you so much for uploading your videos! I'm super new into the tech world and am learning so much from. Although I don't know 100% of what you're talking about it makes me curious and I start searching up these words. Thank you John !!!
This is too good. I am entertained by this type of stuff than other regular videos where you get to the point without any trouble. And let the videos be hours long it does not matter.
I also love finding out why a technique work and your video helps me a lot to learn many stuffs
The string actually evaluates to:
"Select * from users where username = 'michelle' and password = `username` = 'michelle';"
I added a part in my writeup (at 21:26) explaining how I think it works, hope this helps :)
Link: github.com/csivitu/CTF-Write-ups/tree/master/Google%20CTF/Web/Log-Me-In
Thanks for adding more information to that write-up, I understand it now. Not 100% but it's slowly sinking in XD
This was not boring at all bro! Keep it up
I like when you wonder around and trying to understand whats happening and explaining to us
👆👆 for your account recovery he's the best and reliable indeed you're trustworthy💯💯
What an amazing video John! Thankyou so much for such content.
Still don't get why select * from table where field=''='' gives all the table
John, how about bonus episode with explanation about SQL type-cast weirdness and how vulnerable could it be?
Some clarification:
SELECT * FROM table WHERE field=''='', evaluates the WHERE clause for each record/row. With the assumption that 'field' is a string type, let's say for the first row, 'field' has a value of 'first'. Then for the first row, the WHERE clause evaluates to 'first'=''=''. The first part of the expression is 'first'=''. This is an equality comparison between two (clearly distinct) strings. The result is obviously false (which is the same as 0). The second part of the expression is then evaluated, as 0=''. For the purpose comparing numeric values and strings, strings are implicitly casted to said numeric type. Strings that are a numeric value will be casted as that value. For example '32' will be casted as 32. Strings beginning with a numeric character and containing non-numeric characters will be casted as the numeric value leading the string. For example '4somestring' will be casted as 4. All other strings are casted as 0. Returning to our expression, this means that the second comparison becomes 0=0 (since an empty string has no numeric characters), resulting in true. Thus, we can return this record/row. As becomes apparent, for all records, unless the value contained within 'field' is an empty string, this WHERE clause will always evaluate to be true. If a record has a 'field' value of an empty string, then the expression evaluates as follows: ''=''='' -> true/1='' -> true/1=0 -> false/0. So, if every record in your table has a value for 'field' that is a non-empty string, you will return them all.
I should add that this is an example of terrible language design and I do not advocate using MySQL for this reason, amongst many others.
this process of investigating and learning is great content, at least imo.
John! Dude first off just wanna say I love your videos
Don't worry about the length of your video... Because learning new things is itself interesting!!
Love the end learning part! ❤️
1:18 I knew we would have retroactively hilarious Deltarune predictions
thats what i like about you and your videos. you are awesome and humble at the same time. i learned so much from your videos and yourself. wholesome hacker and conetent creator 👏👏🙌🙌
Hey John,
tbh the last part was the most interesting one for me, not boring at all :-)
also... I would've loved if you would have tried the prototype polution here aswell
I learn sooo much from your videos! Thank you
Time is necessary to learn and don't worry about it! Amazing try! Try hard always!! Thanks for sharing your knowledge with us!
Rabbit holes are good. They exists so we can learn something new!
Agree with everyone, last part was fun to watch.
Hey man, have you got the logic behind that query now? Can you explain it?
Unless I'm mistaken Michelle is the password and when you parse it in the way you did the string works. I face-palmed when I figured it out. Admin's password is "admin" so it's logical that they did something overly easy for the flag account. Either that or it's including the password as a part of the username object.
Definitely my new favorite channel, great content ❤️
Does anyone know a video or link to a video of Johns that explains the process of downloading/extracting the page source? It was gone over around 2:25 in the video but he said 'hes already downloaded the source' and simply extracts it. i've tried this in the past and usually get the html source after the code has been interpreted by a browser, rather than the raw source like he has. thanks!
hey may I know what OS were you using in this video?
I love your mindset which is amazing
Hey John, if I wanna practice these ctf challenges now, I mean I wanna upsolve them how can I do ? Could you please provide me any hint or something, please help.
I can't find video where you solve first chalange ("Hardware"), can you send me a link to that video please?
at 7:25, i don't see any checks for the given parameters u and p
can't you do a SQL Injection here?
So, instead of setting password to the correct string, you pass an object that evaluates to true?
learned new thing about curl
Thanks!!!!
Dude never stop making videos please ♥️
what subjects/programmes best to learn to begin hacking?
You videos are teaching me so much! Thanks amigo
Great video man! Honestly the end helped me the most
I wish you finished figuring this out - I want to know why its working the way it is. Also doesn't make sense to me.
Nested SQL query within a query. 👏
on SQL, ` can be used to mark the value as the name of a column or table
password=`password` it is the same as password=password, basically it is comparing if the value of the password column is equal to itself, what will always be true
password = `password` = 1 will be evaluated to true = 1 which is the same as true = true, that is, true
Very confusing, but it works
What distro are you using ?
Hello, john. I am new here. May I ask how do you got a build output while editing your python script (starts from 14:06 to 15:04)
There is a package called buildview, it can be used to show build output in a separate file as he does here.
you just have to hit the build command(Ctrl+B) again every time you change the script.
Thx so much
I love how you explain things about the code and how it works, is there any course you could recommend for beginner this fields ?
x86 Assembly its easy for noobies to learn
Good stuff! :)
THM Throwback network vid coming soon? 🖥
Yes (⌐■_■)
Gives me vibes of "Silicon Valley": "Your username is password and your password is password?"
Pure genius. Thanks John
thanks john for your effort
another awesome video thank you john
amazing video john you rock
My suggestion is to start a local copy of the challenge as soon as possible. Then start debugging the program, i.e., put prints near the query to understand what's happening and what's actually being sent to MySQL.
John the Don. Love ya.
what a video, really thank you
I have to tell you to "slow the F down" sometimes and pause you... lol I need to visualize things, which means I may need to read what you read outloud twice. Not sure if possible, but if there is a way you could describe a visualization of things, like what that pinned comment means, it would be amazingly helpful on how it works. Appreciate your videos mate
what about 1 'or' 1 '=' 1 in password field and michell in username field SQL Query: SELECT * FROM column_name where username = michell AND password = 1 'or' 1 '=' 1
1 is not the valid password, but 2nd statement is true ( 1 = 1 )
👆👆 for your account recovery he's the best and reliable indeed you're trustworthy💯💯
Erorr cocokis cap to pist ?
In my opinion when pass object variable with keys into js it will without qoute, so it translate into sql language to this 'select * from users where username="michelle" and password=username' it means 'password' equal to 'password' in same row where username="michelle" #cmiww
Thank you!! Cant wait xD
So 'password[username] = anything' means whatthefu..? :D
John, we both know it’s pronounced ”sea-surf”
Like always good video
How bad did you cry John? your eyes looks red.
16:38 to 19:53 has the CTF flag :D
"username=michelle&password[username]=" - works just fine
and you can do it just from chrome using devtools
Talking about the code and your thought process, not boring. On the other hand... constant interruptions talking about the length of the video, how we can stop if we want, and how we may be perceiving it...
not boring dude at all
Just play Fearless at the end :)
Good vid. Not bad.
it's a very helpful and cool vedio
Good stuff!!
I don't get this video. Are you acting like you don't know the answer like a recreation of what someone would do for this CTF or is this you doing it for the first time? Just because you keep flipping from not knowing and exploring to being certain and just putting in the answer in seemingly by accident... I am genuinely confused.
21:13 I don't mind
Bro you should make ethical hacking series to learn haking
amzg
claps and TY
you look like ippsec 🤔
who else is still noob
login mi.chelle
K
commen for ytalg
Not watched this yet. But last 2 i watched this guy couldnt do but basically made a vid "teaching" while following another persons write up.
If same happens here im giving up on this channel