Running an SQL Injection Attack - Computerphile
ฝัง
- เผยแพร่เมื่อ 14 มิ.ย. 2016
- Just how bad is it if your site is vulnerable to an SQL Injection? Dr Mike Pound shows us how they work.
Cookie Stealing: • Cookie Stealing - Comp...
Rob Miles on Game Playing AI: • AI's Game Playing Chal...
Secure Web Browsing: • Secure Web Browsing - ...
Deep Learning: • Deep Learning - Comput...
Tom Scott on SQL Injection: • Hacking Websites with ...
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com
![[FULL EP.63] “เรือนรัศมีแข” Custom ทั้งหลัง ดูแพงแต่ถูกกว่าที่คิด | เคหสถานบานปลาย | One Playground](http://i.ytimg.com/vi/bBRsIS9LVns/mqdefault.jpg)
How to avoid jail: "I`ve given myself the permission"
officer i swear what i did wasnt illegal, i gave myself permission to rob him!
@@elisttm ok ur free
XDDD
@@elisttm this reads like a privilege escalation exploit lol
I'm using it
imagine not giving yourself permission to do this on your own website and then you sue yourself, win the lawsuit and then land in prison
Well, at least you would be able to win your own money. Thats more than what can be said for some married / divorced folks.
You’re pretty damn right m8
mmmMM the court fee and if you have 1000 iq your lawyar takes about 30%
Then become mr robot
Write it off as a tax deduction.
Decades ago, my brother named his bowling team "select *". This was in the early days of computers, so there wasn't modern security. The bowling alley printed the statistics, and when his team arrived, the employee presented an entire ream of paper and demanded they choose a different name.
Hehehe... funny. It's like the first Unix systems where you couldn't have a user named "Ed".
@@bsvenss2 Would it start the editor?
@@karldavis7392 it would lol
alright youtube, this has been in my recommended for 2 years now, ill watch it, you win.
Underrated
Interesting and informative, but the other guy is almost as basic as "So, what's that in front of you? Is it a computer?"
lowkey joke
You just wasted 2 years
@@sachinfulsunge9977 hahaha
Me: Can I SQL Injection Attack your website
Me:Sure
That's what he did
Imagine he has schizofrenia and fires a lawsuit against himself.
Or simply changes his mind.
*Mr. Robot intesifies*
😂
the intro had "" and the outro ""... smart... love the attention to detail
what that means ?
oh now that makes sense :D Thanks
Being the pedantic developer I am, it's more like XML since HTML doesn't support a tag.
What are u doing here if u don't know that?? lol
@@sirturnables learning.
The interviewer thought the text editor was already the hacking part
I noticed his excitement as well.
I loved when he nervously asked...so where are u typing that now....as if the whole world was going to blow up >^
you know he probably knows but he just asks for the content right?
He knows
at least he's willing to learn
This is defense against the dark arts for Computer Science
Instructions unclear, NSA is outside my house.
😂😂😂
John Doe FAV hahahahaa
😂😂😂
WTF HOW DID YOU GET NSA OUTSIDE YOUR HOUSE OBVIOUSLY YOU UNDERSTOOD THE INSTRUCTIONS ARE YOU IN PRISON NOW?
blackham7 wooosh
Thank you Peter Parker
He's the cool version of Peter Parker, from Spiderman 3
Underrated post
I thought I was the only mofo thinking he looked like Peter Parker from Spider-Man 😂
Or Frodo from the lordof the rings
FRODO!
It’s crazy how different my understanding of this video is since the first time I watched it. I watched it back in high school, now I’m halfway through a university degree and have taken web development courses... Funky.
Got Same feelings haha
i feel attacked
Just came back after 5 years and I'm second year into IT
Okay TH-cam, I'll watch it. Recommending it to me for years.
..what is illegal? running sql attack or making shitty web apps? Coz my real name is "'; DROP table users; SELECT '"
Both.
releasing the information is illegal.
attacking someone without their permission is illegal by law
making shitty apps is illegal by community
Making your application insecure towards attacks and putting your user's sensitive informations at risk of being stolen and released is illegal.
@jan harald: What is "illegal by community" supposed to mean?
I wonder if you could change your legal name to that.
Imagine naming your child "LIKE'%' UNION SELECT * FROM TABLEBASE" so that when they register its name, you'll get the information on all of the country's database
Travis Petit probem is, you should rather imagine that names of people would contain else than alphabet (numbers and symbols)
Why is PHP better then Python please?
^^^^^^^^^^
US government sites use Drupal which uses PHP, so US government actually uses PHP
my birth name is actually ':-- DROP DATABASE
The whole computerphile series is just great. Much that I can only see through here, although I speak only moderately English.
Your enthusiasm and your fascination for the topic leaves even a slightly boring topic to last interesting.
And that with every clip.
this was one of the most interesting videos I have seen in a while. gotta watch more now
I love how he explains things non-pretentiously. It seems a lot of people in the computing field really like to think they're better than everyone else.
Prince Benny it’s usually not their fault.
Having worked with Tech Mobs for the Gold Coast commonwealth games, it’s just how IT dudes are and there is actually a job for people to take what the IT guy says and explains it to the project manager in a way that makes sense.
Yeah he's a great teacher too
Or with a foreign accent so heavy you can't even tell they are speaking English.
Yeah we do 😎
Yes we are
So the best defense is to disable the "Search" box
Only criminals need search boxes.
The best defence is to take down your own website, destroy your computer, isolate yourself from technology & civilisation and go live in the woods.
No client can't hack you if you have no clients #LifeHack
@@saeedbaig4249
Nah, silly lol Just ban "UNION" from your search box...
From memory it's possible to use your browser search bar to run an SQL query
I had known and understood what sql injection was previously, but I had never heard of blind sql attacks and using database-specific syntax in order to obtain information on the underlying database. Very informative video
That program you had was literally something I had to make for a class in web development. I think it was the PHP class. Thankfully, we also have a mandatory information security course I'm in now and learning about these. We did talk about making sure quotes don't get in, which is important.
The hacking videos are the best and most interesting for me as comp science student. Keep them coming!
Just wait until you learn MySQL and Javascript. Then you'll be able to learn some very interesting things.
BlackenGames lol, I can program in over 20 languages, including those two. The point is not to learn them, but to learn against them. Possible weaknesses you have to remember when programming.
>Javascript
When I'm feeling like a masochist perhaps.
Blaze I really hate Javascript, but you should try typescript. I have made my peace with javascript that way
SuperManitu1 Then you should be able to exploit things easily.
I don't know how to program in a lot of languages. Only 2 and I know how to do some nice exploits.
This is a very well done demonstration! I liked being able to see how it worked in an actual example.
Someone ran one of those scripts on my site to try to hack my database a couple years ago. The only thing it helped me realize is that I needed stronger spam protection, because it left thousands of failed injection comments on one of my pages, haha.
That sounds more like xss than sql injection
You need some of that htmlspecialchars(), a stripslashes() and str_replace()
htmlspecialchars() for the output as xss protection.
in case of php & mysql it would be mysql_real_escape_string() against sql injections in quoted values.
but people shouldn't think they would be save when just using these functions. someone can do an sql injection without using any control chars at all if you didn't put quotes around the variable in the query: for example "SELECT * FROM posts WHERE postId = $postId"... the value of $postId could just be "1 UNION (SELECT 1, 2, 3)-- " without any quotes.
in this case you would be save with casting the variable to an int, but best practice in general is using prepared statements.
meh, forgot about the ; in the example injection - but you get the point...
use prepared statements / stored procedures :-)
No, it is a SQL injection attempt, not an XSS attack, the hacker was using the comments form as a gateway to the database, just like Michael in the video used the search box to send malicious queries. The difference is a comments form will store those requests as comments while a search box doesn't store search queries.
This is the best explanation of SQL injection video ever. I've recommended it to a non-technical friend and he got the info-sec job.
That's why you use PDO and bind requests. Also don't forget to sanitize user input before the query
I thought I loved Scott. Then I discovered this man, the man that doesn't pronounce SQL like Sequel. He's brilliant
oh snap i've been pronouncing it incorrectly
Us in the UK dont tend to prononce it sequel...
@@jackrogers1115 Well isn't Tom Scott from the UK, though? You see, he's the one in question who tends to do so.
@@13am22 what
In the uk, we tend to say s q l, not sequel. Thats what i'm say. And yes hes from the uk
I made a website many years ago, and obviously made sure SQL injection wasn't possible, and I also logged stuff, and I did see some people trying to do SQL injection on my website.
peas give me website address and permission to practice pen test
@@211212112 This was well over 10 years ago. That website no longer exists.
anti/HUMAN Designs :(
Quantity in stock: A D M I N
Product name: G E O R G E
Alternative title: Tyrell Wellick runs an SQL Injection attack.
XD
I always struggled with some parts of this. But I finally understand how it works so I'd have to say this is probably the best explaination of SQL injections I've ever come across. Thanks
I really love how Mike stepped up his game lately. Easily one of my regulars on Computerphile, keep it up!
Subcription at first video :) This is the best explanation of an SQL injection that I've ever heard. Pretty sure that even non-coders would understand
I'm only halfway through the video, Its easy to understand what he is trying to say due to those practical examples in a simplified way. Its half a decade old and still best videos to watch out for on this topic.
you gave yourself permission? is that in writing? is it notarized? who knows, maybe you'll change your mind and press charges on yourself!
Dude this guy is crazy I love watching vids with this dude
alert("hello world");
-I'm in.
Imagine explaining that to inmates in jail: "I... I... put the wrong text in a database on purpose".
Inmates be like: "Somebody get me a restriction order, you ain't coming 5 cells away from me, what is wrong with you!"
Funny haha
Would love to see more videos like this about possible software attacks. This was eye-opening
This guy is by far the best on this channel. Especially with his practical examples!
OKAY TH-cam I FINALLY WATCHED IT! This video has been in my recommended for years now.
I love this channel, some videos I understand, and some I have no ******* idea what they are talking about. These guys are super epic and advanced. I'm an uber beginner LOL. Been learning the basics and enjoying it. Thank you for such incredible material, I really appreciate you guys, and of course, TH-cam too is just simply awesome
That's why I use prepared statements everywhere, even when I get something from my own database, and do a query on something else.
Would love to see a video on second order SQL injections!
I really enjoyed this video! Very informative and the professor speaks really well
One of my accomplishments at my first job was rewriting all of our (then) inline SQL queries and stored procs in C# to implement SQL injection prevention! It was a lot of fun :) And very rewarding when I was done
This guy is quality, I could listen to him all day
A 2rd degree attack would be me naming my children ";--"
LOL I miss-typed 2 instead of 3 hahaha
Bobby Tables would be proud of you!
Little Bobby Tables!! :)
2rd ? "secord" ? :))
CuZoSky
twoerd
Amazing how this was posted in 2016 and these were concerns I had to address in 1996. Filtering, stored procedures and permissions are your friend.
I learnt more from this video than my entire DBMS coursework.
You don't go to jail if you don't get caught.
Iceborn Gauntlet probably you.
Chase Brower no, not just me. EVERYONE.
Frank zapper
you don't go to jail if you never try to learn this stuff. * makes the meme face *.
That's what Hillary told me.
user name consisting of SQL? must be Little Bobby Tables
rchandraonline I know of that site, but this is a full in depth explanation as to exactly how it works.
I will name my son as Little Bobby Tables
I suddenly remember a man named "null"
Where's the "Students" table?
Oh, I love that comic. "Oh little Bobby Tables, we call him."
WPF in C# 2010 Book on the background - Busted!
I learned more about databases in this one video than I did during a semester long class in Uni about databases.
Thanks! This video explains it better than my database subject lectures.
This man is is an amazing teacher.
Reminds me of the days when I had to 'recover' lost wordpress credentials for customers. Luckily web security has gotten much better but this is still a very valid video.
Wordpress has never been secure in any way And it should never be used commercially
just started doing a Cyber Security Course at college, enjoying your videos to supplement my learning :)
Useful to see as this does work on my website.
Baldeep Birak so what website you run.? Asking for a friend lol
Cheeky.
Hey now, let's none of us go Ball Deep on Baldeep.
mind if I take a look on your website?
@@Rosson311 but even as a joke you shouldnt try it cause when police will be at your door ,it wont hold honestly. like, i go with a knife at your house and you call police and i tell them 'oh ,its was just a joke,for fun,didn't mean to do anything'. not so sure someone will bite that even if it would be truth.so yea, don't even think to try just to see if it works.you would be the dumbest hacker in that jail yard.
I'm so glad I stumbled upon this channel. So interesting. Excellent and informative use of CGI woven into the videos as well. Thanks Computerphile!!
Great explanation!!!, Glad youtube finally recommends me something I am really interested. Keep iy up!
It was so much fun watching this. Well instructed.
Insightful..Thank you for taking the time to go through it..Not a database guy but found it very interesting.
Now this is art. I can totally imagine people do stuff like this cause it's fun. Like chess.
Juan2003gtr why are you calling him a noob?
Like gambling.
i’ve been looking for this, computer related channels that have the same or similar delivery as history channels and economics channels just stuff i can watch while relaxed
Well done Sir! I'm very impressed
That nearly finished Rubik's cube on his desk is playing havoc with my OCD
here to remind you of that unfinished cube lol
😭
I used to work for a consulting company and you'd be surprised how shitty the majority of companies are at protecting your data. Mostly smaller businesses, but even some of the large ones lack basic security measures. It was pretty eye opening.
Felt like I was listening to an SQL injection tutorial as presented by James Acaster. And loved every second of it of course
Very well explained.
I liked a lot this explainatory video.
The most scary fact about this is that it's still an issue in 2016. I did this kind of stuff 15 years ago and back then I already thought "this is way too easy". The bad news was that there were no such things as prepared statements, so you really had to do all the work with escaping.
"Ah, I'm sure my website will be fine."
*checks it*
"ohno"
actually underrated 😂
Oof 😅
SurprisedPikachu.jpg
"anyway..."
Inspiring, you must do more videos, thank you
Incredibly informative!
As a SQL beginner this was super helpful, thank you.
The password for user Joe is 'administrator'.
./john /vagrant/x --show
?:administrator
1 password hash cracked, 0 left
What was the salt?
The whole hash is
$1$V32.4G/.$0PKnjhXYUmYLJZZ8vEt/b/
so i guess the salt is 'V32.4G/.'. I'm not familiar with the format of md5, but in bcrypt that would be the salt.
vinkuu So, essentially, if you get into the database, you can use the salt that is with the password to crack it by brute forcing it?
Yes correct. And that is the reason md5 is considered a bad choice of hashing algorithms to use for hashing passwords. It's very fast to brute force md5 hashes compared to eg. bcrypt with a cost setting of 15. It directly equates to cost (€) of the brute force cracking setup.
Or just type in administrator??????
Nice video, easy to understand. Well demonstrated examples too....
This was fun, can you do more of these vids where you show what this is actually like?
What was the price for the 7mm nails? I'm re-upholstering a chair currently and think 8mm would be too long.
Thanks.
admin
Next up: *Second Order injections*, then?
How does that happen? Simply when something gets unescaped and evaluated by the server?
Amazing demonstration.
Hi sir, thank you for the knowledge, u really make computer science fun
I just want to ask how can i get the playlist of all your videos in security staffs?
I have been watching ur videos and its awesome and very informative and i would like to check all of them because they help me alot
Just to clarify: It's not a malformed query. You're actually getting outside of the query that the website wants you to. Basically, you get to create your own little query which is pretty terrible cause then some dude can query for everyone's passwords.
Thank you TH-cam for suggesting me this video after my DBMS exam .....wouldve done great if i had watched this video
What a crazy interesting video. Any chance we could get a video / any information on rainbow table cracking, and Man in the Middle attacks? I feel like the latter is still used quite frequently, but these are some older techniques that with newer tools & ideas applied to them, are crazy effective. Would love to see your take on them.
At one point, I created and maintained a server. You have to know how to crack your own system to know how to defend it. I launched campaigns against my server on a somewhat regular basis. Great explanation.
When putting together a SQL driven site, I put all text input variables through a function which filters out all potentially hostile characters and replaces them with something which cannot be interpreted as SQL code. It could also be possible to get the PHP to check for multiple attempts to submit SQL injections. One or two could be accidental, but more than that could be viewed as an attack, so I could make the PHP block all traffic from that IP for an hour, or return some decoy tables, or even a fake page warning the hacker that a virus is being uploaded to their computer, complete with a progress bar :)
If you're still learning PHP, SQL and all that stuff and didn't already - please have a read on PDO and prepared statements. It's the "new" easy way of dealing with everything. :)
make it return what they would want to see, but the wrong information. a fake error or a fake full table
Me: Going through lecture slides to past my sql exam.
You: Playing black magic with sql query.
awesome, back in few years ago I tried to study the topic but I was so confused, no idea why it makes sense now but awesome video, liked.
Very interesting and informative content, love the work, instant sub and like.
the illegal part of this is having an unsolved cube on your desk with super easy PLL case :c
This why we should use PreparedStatements in PHP , JSP, Servlets, C# and ASP.. :)
That wasn't alway a thing before sadly. As of today, it's the only way to go basically. :)
This is all such great stuff.
Just perfect!!! Rather than talking about how it's done, show how it's done.
"; DROP ALL DATABASES; --
Thats bad
:D
OMG...
Only if the account has been granted DROP permissions. For a site that just shows records it should only be created and given SELECT permission.
+Chris Ellis
Do you really think someone who isn't going to escape user input, would think about that?
Because I honestly don't.
As a learning web developer that uses php and sql all the time, this is pretty creepy. Luckily I learned to sanitize my queries early on, but I need to learn more about how hackers might attack a website.
well explained may the One bless increase your knowledge
Excellent content, thank you!
+Computerphile could you do a video on hashing/breaking hashes?
Coming soon - using a 4x Titan X GPU server ;)
Usually you need to find out what type of hash they use. Then you could try a dictionary attack. Have a program try each word until the hashed value = the one you got.
md5 :)
I think you're misunderstanding what salting does, you can reverse lookup a hash by having a list of hashed common words/used passwords, lists of billions upon billions of possible passwords...what salting does is change each hash with a "salt". So having two of the same passwords would produce two different hashes, thus making reverse lookup a less likely decryption method.
Is this the actual Michael from the video. If it is I'm happy you're reading the comments. These videos have been quite refreshing on computerphile.
15:15 "Thank you for saving us some time." - Malicious people.
Thanks!! Really informative and entertaining video !!
These videos are very helpful