Hacking With SQL Injection Attacks (and Where to Practice Them Safely)
ฝัง
- เผยแพร่เมื่อ 29 ธ.ค. 2016
- Brian and Jason finally figured out HTML tags, so that got them thinking, what other sinister design lies just under the surface? They called up friend and hacker Jgor, who helps them understand one of the oldest security breaches in the books, the SQL injection.
We're serious when we say don't try this yourself. You could get into some major trouble! Also, putting together a website yourself? Educate yourself on mitigation strategies and exercise good code hygiene. Don't make a website that ends up being an example for bad code.
Note: at 8:29, the Modulated Rogue possessed Jason and kept him from accidentally saying the wrong decade.
-----------------------------------------------------------------
Additional Information
Volume 8, Issue 54 of Phrack Magazine
phrack.org/issues/54/8.html
The History of SQL Injection on Motherboard
motherboard.vice.com/read/the-...
-----------------------------------------------------------------
Patreon: / modernrogue
Discord (patron reward): / discord
MR Articles: themodernrogue.com
Outtakes & BTS: / scamstuff
Subreddit: modernrogue.reddit.com
Merch: shop.themodernrogue.com
Twitter: / modernrogueshow
Instagram: / modernrogueshow
Facebook: / modernrogues
-----------------------------------------------------------------
Music used in this episode, in order of appearance:
"Patience" by B-Side:
chillhop.bandcamp.com/album/c...
"Menti" by Moose Dawa:
chillhop.bandcamp.com/album/c...
Released by Chillhop: / chillhopdotcom
-----------------------------------------------------------------
This episode was made with the help of:
Brian Brushwood - host -- / shwood
Jason Murphy - host -- / captainmurphy
Jgor - guest / research -- / indiecom
Brandt Hughes - camera operator / editor -- / gatowag
Bryce Castillo - camera operator -- / brycas
Max Gillilan - live audio engineer -- / djoldfashioned - บันเทิง
At this point I've watched so much "do not do this at home because it's illegal but let's show you how it's done anyways" videos that I wouldn't be surprised if I'm being monitored by the NSA
Welcome to the club!
Remember Grant Thompson...
@
Was that a...,
"No, I Don't know who Grant Thompson is. who is that Person? I've never heard of that Person in My life. Please tell Me more?"
Or A...,
"Oh God no... Please don't remind Me. It's painful just to think about. Oh God, Why did You Have to remind me, You cruel heartless Human being?"
Sorry, its hard to convey emotion over text, I'd rather just ask than assume.
*my dad starts looking over my shoulder*
“Do we need to talk to the federal bureau of investigation about this? Or maybe the national security agency?”
same
jgor needs a Hak5 sticker on that laptop.
Lol you guys should have the modern rogue make a guest appearance. They have the mind of hackers. btw I love the wifi pineapple (*:
i agree on the co host thinggy, you should really join forces.
Chuck Norris we could show them how to take down a drone with a wifi Pineapple. or something :)
That would be so cool. I would patreon that all day.
You need to do collaboration vids Shannon Morse! I sub to both your channels.
This channel is going to explode. I'm calling it
how much black powder does that require? XD
Makoto Ren needs c4 to blow up best.
The Not-So Final Countdown it's fine how to make C4 is the next video knowing this channel
Nice Profile pic Skullt
this is my thought
We will not attempt *uses incognito tab.
Pipsta & Enigma Productions the fuck is that gunna do
Nothing like seeing a new Modern Rogue video in your feed
Crungus Spungus so true
Crungus Spungus so ture
Crungus Spungus, FINALLY! SOMEONE SPELT THEIR NAME RIGHT!
Crungus Spungus sant det
Nothing like seeing a four year old Modern Rogue video in your feed!
Hey look modern rouge uploaded a video
But I need to study
Its about hacking
Hell yes, fuck studying
Josh Hill I love modern *rouge*
Josh Hill modern rouge is my favorite color
whatiswhat lawl, Rogue*
starting next semester, going to school for cyber network security so this is good to know.
And Gabriel you spelled 'Spelled' wrong
I love it how they did the whole show as q&a, one is always prepared with all the info, while other one is totally clueless, it's adorable.
I feel an emotional connection to Brian because he just gets oddly exited when it come to fastening weapons of minor destruction and when it comes to cool " spy stuff" like lock-picking number stations and hacking😂
There is a special string you can type into google to get a list of all sites that have a PHP parameter in them, for which you can test all them by hand until you find one is vulnerable, and run the tool (such as sqlmap or sqlninja), where you can compromise the db. This entire process could take you max 20 minutes, its pretty scary how easy it is to do and how easy it is to prevent. Take this code, for example
$sth = $dbh->prepare("SELECT * FROM users WHERE username =".$_POST["username"]." AND password = ".$_POST["password"]);
$sth->execute();
What the above (PHP) code does is it takes the post parameters (post parameters are usually just data from forms you fill out) and just concatenates the strings together, combining the data, which is what causes it to be vulnerable. To fix this, this is literally all you need to do:
$sth = $dbh->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
$sth->bindParam(":username", $_POST["username"]);
$sth->bindParam(":password", hash("sha256", $_POST["username"]));
$sth->execute();
This will now "bind" the data to the tokens in the original string, in this example it is :username and :password. then we run the "bindParam" method to tell PDO that this is where the data will go, and it will not be able to escape this. The above code is 100% secure.
Lazy developers all around, always make sure you hire reputable ones.
Wow.
Am I the only one who was reading this in Tom Scott's voice? :D
And now we will have people naming their son "Robert'); DROP TABLE students;--" to mess with the school database.
1973Washu xkcd 327
1973Washu set.grades:F=A>grades>all.set:A
dude this allready happens alot.. >_
haha nice reference
Update schoolname.school_greades
Set grade='A+'
Where class = and roll_no=
You guys really don't get the credit you deserve. You are one of my favorite channels to watch.
thanks so much. Help spread the word?
I sure will. It's just weird after being on The King of Random you'd think there would be a large boost.
Saying SQL like sequel sounds so weird to me, I've always said it like an acronym
I believe what you do, as do I, is the correct way. Just saying the letters. But a lot of people do say "sequel"
Same thing with people who say "Deedoss". That is not the correct way to say it because an acronym is said letter by letter.
The original version of the language was called SEQUEL, so there is some remnants of people that pronounced it "See-Qual" but most people that actually use it today say "S-Q-L".
My teacher always called it squirrel
"hey Dan, how do I become a badass?"
"alright jimbo, take a look"
*shows jimbo thr modern rogue*
*jimbo comes back with a full zztop beard, mutton chops, a glass of whiskey and two named women*
Yeah, I'd be a little concerned if they were Unamed Women.
This is the kind of thing that made me decide to go to school for Computer Science and cybersecurity
I believe the original version of the database language was called "QL" for "Query Language", and then someone came along and made "SQL" or "Structured Query Language" and said it should be pronounced "Sequel" as a jab at QL
I spent some time working as a Test Admin for a school, and one of my tasks was to upload student demographic info into state testing databases. We pulled the data from Access/Aeries, exported it into Excel, moved some things around and then uploaded the final tables as CSV files. Some of the fields would have to be inputted manually, and we were told to be extremely careful because the testing programs (SBAC's test loader, for example), would execute commands based on the entries of certain fields. It's a little insane when you realize that the input data of one person, if tampered with to look like a command, can adversely affect all entries which follow it.
the only channel i check daily to see if they have uploaded.
oh, man... hang in there. for now we're friday mornings only.
hope that didn't sound negative. I meant it as a positive because I love your guys channel!
is it illegal to try it out on the login that was in the video
PhAnToM .04 no it was setup for you to see how it worked
Rights guys, I have now binge watched all of the vids so I need you to pick up the pace and make 25 videos a day.
Cheers 😉
working on it!
probably some of the best content on youtube nowadays. loving this channel, amazing quality stuff
This is probably my favorite youtube channel at the moment. The chemistry between Brian and Jason is amazing, i could watch them all day long, non stop. And they're so funny! Keep it up guys! Cheers from Finland :D
Thank you! Glad you're enjoying it!
Jason Murphy chemistry, ooooooo
The Modern Rogue is officially my favorite channel on you tube HANDS DOWN
Woohoo!!
Jason Murphy
HOLY CRAP YOU REPLIED OMG!!
Jason Murphy
Does anyone know what laptop that is? It looks sleek and I need a new PC.
Awesome guys! Just re-watched Hacking the System and enjoyed it so much! Re-watched Brian on Penn and Teller too! Great job Brian, Love the work
thanks, man!
OmegaReaper His face is public domain, just use a royalty-free photo.
Why can't I subscribe to you guys more than once? This is literally in my top 2 favorite channels on TH-cam and you guys certainly deserve more recognition. Rock on!!!
You guys are awesome! I love that there is a variety of content and that not only one topic is being focused on. :)
0:55 the hacker nearly cringed
whatever happened to the Ancestry thing??
yeah
Armin Santiaguel it takes 6-10 weeks to process
+saxmegal the video last week said "results next week"
It got postponed last minute, it's ready to go for next week though!
nice
Damn I was watching MR videos wishing there were more, back out to YT home page and BAM! There is another uploaded 25 mins ago!
Love your videos!
EDIT: Side note, after watching the video, I had been interested in SQL for a while but could never understand it. This literally crystally cleared things up for me! Thanks!
thanks!!
Been here since first video man been In love ever since this channel is going to be massive bro!
It's always a great time when you're watching a Modern Rogue video.
I can only hope you guys have as much fun watching as we do filming them.
you have the best job in the world. same as the mythbusters
Is it ok to test my own security with this hack? localhost is what I mean
plezx29 Yeah, as far a I know. Just like you can't be arrested for breaking into your own house.
OK, I have tested the security, this hack doesn't work, so all secured :)
That means he proved that he was the owner, so he was never charged or prosecuted, he was able to prove it. It would of been different obviously f he was a burglar to a property he didn't own
Aaron Ullger Why should it be illegal to hack your own network? It'd be like breaking into your own house to see how a thief would.
it's perfectly ok to check your own local host, and to check just sent a special character in the programming language, (which ever you are using) and if it does not return an error which belong to server, you are 90% save, i have vedio explaining just that, and more if you like you can check them out
back when I was interested in this kind of stuff I never really understood how to actually do any of it, by far this video has had the easiest and most simple explanation how how to do a basic SQL injection hack
I love episodes like this. The ones that actually teach you how to do something truly bad ass. (Or how to make weapons)
I would really like to show my thanks and acknowledgement to Brandt Hughes, Bryce Castillo and Max Gillian. If you ever see them around, could you send them my regards? Or if they're here in the comments, thanks for your work!
Thanks! It's always nice to hear :D
Agreed
the guy who started talking in the beginning i feel like ive seen him i think from the king of random
i think his name is ryan rushwood
the rodcaster?
The Modern Rogue LOL he is new I think so he'll probably not understand the joke
I am impressed Brian, for someone who is not really hacker savvy, you did your homework. Spot on with the questions there.
Need to leave a mark for when this channel gets REALLY big. I was here the 30th December 2016.
Long time Scamschool subscriber and love your stuff but as someone who works with SQL daily there are a few incorrect things here. In the beginning of the video Jason kept referring to "SQL" as a program, where it's really a language that is used to access the data in a number of different database programs (MySQL, SQL Server, etc.). Also the code modification you put up @5:19 is not what would be modified in an injection attack. it's the query string that is being compromised not the connection string.
Yeah, sorry. My jargon was definitely off on this one.
Jason Murphy I love that you guys are tackling these kinds of topics. Looking forward to see what other stuff you have planned in the future.
re: code modification - Editor here, that example was me painting in broad strokes to teach the larger concept than give a specific accurate example (which, as someone who doesn't code, I wouldn't be able to provide anyway.) Originally it was all more obscured in mosaic to imply that the code itself isn't what mattered there, more than maybe structure or syntax, but when I realized a password field needed to be legible to communicate that structure, the whole thing got less mosaic'd as consequence.
Abstracting it is fine, my gripe was more about the fact that you showed a very specific piece of code and then showed the modification to the wrong part of it. It was analogous to making a video about how to change out a flat on your car, and when you got to the part about removing the wheel: showing someone removing the steering wheel.
I think I see now, would it have had to be in the query line? As a laymen it's pretty easy to misinterpret when you see another line specifically referencing passwords and user ids. An unfortunate artifact of us covering a wide variety of topics, is that I, as the person who has to visually explain everything, can only be proficient in so many of those topics.
What was the prequel to SQL?
Moshil l PRQL
QUEL
I love your videos, they are so well done. I think you are highly underrated
Alp Çelik Thanks!
Ah! My three favorite Texans talking about a subject I understand. Good way to end out the year.
Wait, is this Brian from scam school?
of course!
Euritide no, it's Brian from Penn & Teller Fool Us ;)
I love the modern rouge
Euritide yes
Andy Loescher, Rogue*
Is it an American thing to pronounce it "sequel"? Over here in the UK, I've been doing CS for about 5 years now, worked with many programmers and everybody has always pronounced it SQL...
english.stackexchange.com/questions/7231/how-is-sql-pronounced
The Modern Rogue Wow I never knew that, thanks for the info!
Its like GUI or Goo-ey
Call it whatever you like
...well, been working as an administrator for almost 10 years now it'll always be SQL for me^^
Loved your guys' show on Netflix, absolutely love the channel. Keep em coming!
will do!
Thank you!
I love this. Please make it a continuing format on the MR. Yeah, that would be great XD
Many games and so on just forbid to use ";" and so on in usernames... Esay protection against the example.
yeah, never understood that until now. seems like an easy fix.
I wonder if brian responds to non derverving comments
Depends on how verving they are at the time.
The Modern Rogue If I have an account with a certain website and I use a SQL injection on my own account with the intent of seeing if the site is vulnerable is that still a felony?
love u brian i have been watching i 4years
Braidborn ..Yes. Unless you own the website then you are breaking the law. Also there are different types of sql injection such as blind / time based
This is the type of videos I love! this is so much more interesting than mixing drinks XD keep it up guys and thanks
This channel is soon gonna have millions, I'm glad I was here since 150k
same i been here since 40k just a couple weeks before grant thompson featured them on his channel
I don't want to brag, but I've been here since 0. :P
Jason Murphy dangit u beat me
Been here since -5
Most of the professors at my university don't care if we students see their usernames when they log into things *cracks knuckles* time to hack into teacher accounts
Just kidding I wouldn't do that. Prison is scary
4:12 how did they not make a joke?
The voice over in 8:28 is funny! Good video guys!
this channel deserves to blow up
oh my god... so tempting... must resist...
*five minutes later* dammit can't resist
kidding
No more porcupine head
whoa... where you been?
The Modern Rogue Scam school xD
Love the vids. Keep up all of the good work
Modern rogue is easily one of the best put together series on TH-cam.
Thank you!
where are the ancestry results
next week!
SQL Injection is hacking, but a terrible version of hacking. I've been doing it for years.
If you think SQL injection will help you impress that pretty girl who you work with / go to school with, then you're wrong.
Geeky Gamers then what do you use
Okay, I'll bite: In your experience, what flavor of website penetration attack discussion does impress the pretty girls?
Penetration.
heh.
Geeky Gamers you are completely right, who uses Sql anyways? Today any websites that you would like to hack with sql injection, almost all the time are never worth it.
Are you going to do XSS next? Oh and love the channel, keep up the great work!
Love your channel so much guys!
ok i'm still early can i get an "Hello World"
Hello World!
48656c6c6f20576f726c64
print ("Hello World")
cout
System.out.println("Hello World");
I can teach you how to hack the GPS on your iPhone to display coordinates different than where you are actually at, if uh, you want.
(without jailbreaking or downloading any apps, obviously)
Tommy Callaway you can use a VPN which constantly changes your IP address (e.g. VPN master)
not your IP, I'm talking about the GPS (like what waze, google maps, and other things use)
Called a GPS spoofer, mock locations. Woah magic.
Install vpn
Been watching for 2 years now, starting with scam school. Keep up the amazing work Brian.
Same here
thanks, guys.
Great. So I never have to remember a password for any website ever again. Thanks Brian and Jason
2:39. If Attempting To Use SQL Injections Is A Felony, Then WHY TEACH THE GENERAL PUBLIC ABOUT IT?? I Learned It In A Computer Science Class. Do you want this channel deleted??? 4:45. The character is actually ' '. My bad. I actually forgot that part, so I threw in what made sense.
Welcome to our computer science class, Nathaniel.
The Modern Rogue hahahhah
Good one hahaha
Nathaniel Shaw Why teach people about SQL Injection? So they'll know to protect against it if they ever make a website
Oh my dear, sweet Nathaniel. We're going to teach you so many more diabolical things.
Man this type of hacking is really old and barely works anywhere. But its so much fun to do!
Scibbie / ǝıqqıɔS you'd be surprised how many websites still have SQL vulnerabilities. Most of them aren't really common like Reddit or TH-cam, but they still store people's private information sometimes.
what kind of sites?( ͡° ͜ʖ ͡°)
Of course websites are still vulnerable to SQLi, but the '-- thingy is probably not going to work. More likely you'll have a Time-based blind SQLi or something like that.
ClixSense is a site that recently got hit with SQL injection. It held user's names, usernames, passwords (in cleartext), birthdays, credit card info, and emails. Over 6 and a half million users had their info stolen, and about 2 and half million of that 6.5 had their info publish online.
That's (sadly) not even surprising.
Just had a report due for college and one of parts asked us to give a brief description of SQL Injection Attacks.. thanks for the help haha!
love your videos. keep them coming
Calling it sequel is triggering me. S Q L
Do you need a safe space? Some calming jasmine tea, perhaps?
Just British things, do you have regular tea on offer? Also your videos are top kek
me too.. I need some of that jasmine tea, Brian.
Why would you show people this? Now thousands of idiots are going to try and hack Roblox or Steam and get arrested. It sure would suck going to prison over a website, wouldn't it?
Information is never the enemy, especially when this information is already so widely available to anybody looking for it. Same goes with our lockpicking / bump key videos on scam school, letting people know that these vulnerabilities exist helps people who didn't know this was an issue protect against it. Criminals already know how to commit crimes and keeping people in the dark doesn't stop that.
Brandt Hughes That is a great point, but it wouldn't hurt to put more warning towards kids about felonies and punishment for misuse of this information.
True, I'll add an additional note in the description. It's not much, but it can't hurt to have.
Brandt Hughes Are you a channel manager?
Yeah, I'm the editor and do most of the channel management.
awesome that this channel is growing so fast :^) nice vid
Thanks!
And then there was a surge of information hacks on small online business websites lol. Great video guys!
hacking is like my favorite subject for you to cover. Thanks for this video
Oh man. This is the best channel.
Mr. Shwood, this show is SO DAMN GOOD.
I'm studying programing right now, so cool!
TheModernRogue I love you guys! ive been watching since the beginning. Do a video about hacking with keyloggers and backdoors
My favorite moment of the week!
i love this stuff its so neat to watch and learn new info ♡
Thanks! I like that it's 'mysterious' to most people.
Your channel is so god damn interesting.I got sucked into watching your videos and i can't stop.......help.
You'll find no help here!
Jason Murphy I'm serious,i think i have a probl.....wait it's normal to binge watch all the videos on a channel in a row....twice.....right?
The modern rogue is entertaining and teaches you stuff
Great vid man! Keep it up!
I am _incredibly_ tempted to try this
Please make more of those videos!
That is crazy thanks Brian Brushwood
As Brian brushed through the wood he found himself lost in it
Why this channel hasn't one million subscribe yet?
probably because we're less than four months old. (but we'd love it if you helped spread the word!)
The Modern Rogue sure i'll do !
I just love this channel :3
Im hooked to this channel
I absolutely LOVE the modern rouge!!
Hey I'm the guy who was the employee at heb in the Santa hat on Christmas Eve that said hi.
Hey! It was great meeting you. Thanks for saying 'hi!'
Technically it's illegal, but would I be able to retrieve my hacked steam account through this?
Probably not. Steam security measurements are damn good... Also it's illegal and you could get into loads of trouble attempting something like that with a huge company as a target. So dont.
Do NOT attempt that. Even if it's your account.
I'm gonna wind up on some kind of watchlist, just from watching this channel.
this is such a cool episode
Guys you are awesome this is my favorite channel and this is my type of videos (programming) can you do something related with kali Linux.
+slim Shady yep me neither
Something that the Modern Rogue a) Doesn't have experience with and b) Is afraid of messing with; We need more of this.
so a random question, but are they making another one of the logos at the end everytime they make a new video? because that would be kinda cool
Good episode. As someone who just finished setting up a bunch of prepared statements. This video makes it seem over complicated. It is like typing an extra few lines of code. The real problems with securing this stuff is when you need to find redo some production code. The method before prepared statements was/is comment out ' which you just replace all ' with \' and this means this tick is not code. You need to put that into the program and do that before you send the data to the sql server. Bunch of information for you all in case you wanted to know.
glad to see Nick Oliveri is staying busy
Do you have to download anything for this, btw amazing videos!
Sees sql in the title, expects a sequel pun.
Not disappointed