Hey there, welcome back. In our previous lesson, we looked at a man-in-the-middle attack, got familiar with Burp Suite, and used a proxy to intercept the traffic from our client to our server so that we can test the application's security. In this lesson, we're going to turn our attention to SQL, or Structured Query Language, and injection attacks specifically. After this lesson, you'll be able to explain the basics of how Structured Query Language, or SQL, works using a site called SQLZOO. Now, SQL is not central to this course, but we need a basic understanding of it. I am by no means a SQL professional, so we're going to dig into SQL just as much as we need for this class. You'll also be able to describe the process of finding SQL injection vulnerabilities by following my thought process as I explore possible SQL vulnerabilities while putting on my attacker hat. In the process, you'll also see how SQL injection attacks work at a basic level, and how to protect against them in your application. At the end, I'll call on you to give it a try for yourself and try to exploit this SQL vulnerability. So let's get to it. Before we can really get started with SQL injection, we need to have an understanding of how SQL works. For that, I want to use a site called SQLZOO. SQLZOO is a place to learn about SQL in general; it's not injection specific, and it's not attack oriented at all. If you want to learn more about SQL, there's a UC Davis course on Coursera for SQL. That course will teach way more than this module will cover, simply because we don't need to fully understand SQL and all of its features; we're just trying to understand some basic concepts. So if you have no background in SQL at all, this is where I'm going to talk about some of the use cases of SQL and how it's used, and we'll start from there. SQLZOO gives us a table. It's a dummy table called world. It has a bunch of records in a bunch of columns.
If you're not used to thinking about SQL, think of an Excel spreadsheet. Think of this as just a plain Excel spreadsheet, and we're trying to select or filter some data out of it based on some use cases. So I'll start with something simple: select everything from world. I would expect this to return everything that's in world. Now, SQLZOO won't return everything, just because that result is too big and there are too many columns and too many rows. So it's only going to return a subset of the data to us. But as you can see, it's a lot more than what they're showing in their demo here. What if I wanted to filter this down a little bit? Maybe I could limit it by the continent. So I can say select everything from world where continent equals Asia. If I submit that, it doesn't like me using double quotes, so I'm going to use single quotes. So now it's only listing the Asia continent information. What if this were a piece of code that a developer had written, with the Asia part being something that users can control, essentially a field where you submit what you want to limit this to, and it would simply return it for you? SQL injection is all about how you can manipulate the amount of data that you can touch to get back more information than you're supposed to. So what if I put a star here? Can I say I don't want to limit it by any continent, I want everything back? Well, it doesn't return everything, because it's seeing that star as a character, as a piece of data. So that doesn't work for me. So the question becomes, what can I do to get more back? Obviously, I can't change any of the code over here, because that was written by the developer, so I have to work within the confines of these two single quotes. I'm going to zoom in here just to make it a little bit easier to see. So select everything from world where continent equals, well, I don't know what I want continent to equal. So I'm just going to end that quote right there.
So where continent equals blank. But the problem is, I have a syntax error now. Now I have three quotes, and obviously I have unbalanced quotes here. If I submit that, it'll say, "You have an error in your SQL syntax." So this won't work. What if I can add some modifiers? How would those work? Let's use them for real before we try to inject. So what if continent equals Asia or continent equals Europe? Will that work? Yeah, it does. So now I'm getting both countries from Asia and countries from Europe. That's how or works. So I can append other conditions to this. So putting my attacker hat on, what if I can only control the contents between here? Let's keep typing. So Asia, and I'm going to end that quote, and I'm going to write or 1 equals 1. Basically I'm saying, give me everything from world where the continent equals Asia or true. Basically, give me everything. Now, 1 equals 1 is simply a true statement, and essentially the way SQL works is it tries to parse and resolve everything that I've highlighted right now. So where continent equals Asia, and that spawns a subprocess and it limits and filters my select query to those rows. Then there's an or statement, or 1 equals 1, basically saying, everything that is true. Now, I still have an issue, because I have a quote right here that I cannot get rid of. That's something that the developer has written in. So I can comment it out, and the way you comment things out in SQL is using two dashes. Make sure that you have a space after the comment dashes, because if they're touching the next character it won't work. So I have space, dash dash, space. So now if I run this, you can see I'm getting more than Asia. The reason for that is that I've simply asked it for everything that is true. Now, if I controlled the entire SQL statement, I could leave out the where entirely, and I would get back all the records. But if I want to put a where there, I could say where 1 equals 1. That also gives me all the records.
Of course, SQLZOO doesn't show us the number of records that we have here, so we can simply count them just to see how many things we're getting back. So we know that there are 195 rows in here. Whether or not I put this where 1 equals 1, there are 195 rows there. So simply saying where 1 equals 1, which resolves to being true, basically gives SQL no filters. It's saying where everything is true, give me everything, anything you can select. Now there's nothing special about 1 equals 1. You could actually put anything that resolves to being true. So 2 equals 2. If you run that, you'll still get 195 records. Now if you did 2 equals 3, you won't get any records back, because this clause turns out to be false. So it's not going to match any of the records. It doesn't have to be numbers. You could say where 'a' equals 'a'. But what if you did 'a' equals capital 'A'? That'll work here too because this comparison isn't case sensitive, but that actually depends on the configuration of your SQL server. So that's essentially how SQL injection attacks work at a basic level. So let's go back to WebGoat and see how we could do some of these attacks. I'm going to skip through steps one through six of this page, simply because they're an explanation of what I just went over, and I'm going to go directly to the challenge, which is on page 7. So try it. Now, obviously we don't know what the SQL string looks like on the back-end and what was written in for it, but they gave us an idea here just because we're getting started. So they're telling us that on the back-end it's doing probably something like this: select star from user_data where LAST_NAME equals, and then some string that we control. They also tell us that we can use the name Smith if you want to see what this looks like. So I'm just going to type in Smith here and get the info, and it returns two rows for the last name Smith. It looks like it's the same user, since it has the same user ID, but two different credit cards.
So we can see the MasterCard and their American Express Card. So I want you to give it a try and see if you can do a SQL injection on this. In the next video, I'll show you that SQL injection, as well as how we can go about patching it.
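To make the lesson's points concrete, here is an added example that is not part of the original video or of WebGoat: a small Python program using an in-memory SQLite database with a constructed user_data table (the column names and the credit card rows are made up for this example). It shows the vulnerable pattern the lesson describes, where the user-controlled last name is pasted between two single quotes, beside the parameterized form that fixes it, and it also shows why a lone star returns nothing, why an unbalanced quote gives a syntax error, and why 'a' equals 'A' depends on the database's collation setting.

```python
import sqlite3

# Constructed sample data modelled on the user_data table the lesson describes.
# Column names are assumptions; card numbers are fake placeholders.
SAMPLE_ROWS = [
    (101, "John", "Smith", "4111-1111-1111-1111", "MC"),
    (101, "John", "Smith", "3400-0000-0000-009", "AMEX"),
    (102, "Jane", "Doe", "4222-2222-2222-2222", "VISA"),
    (103, "Joe", "Snow", "5555-5555-5555-4444", "MC"),
]


def build_db():
    """Create an in-memory database holding the constructed user_data rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data ("
        "userid INTEGER, first_name TEXT, last_name TEXT, "
        "cc_number TEXT, cc_type TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, last_name):
    """The pattern the lesson describes: the user's value is concatenated
    between two single quotes, so a quote in the input ends the string
    literal and the rest of the input is parsed as SQL."""
    query = "SELECT * FROM user_data WHERE last_name = '" + last_name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, last_name):
    """The fix: the value is bound as a parameter and never becomes query
    text, so quotes, OR and comment dashes inside it are only characters
    to compare against the column."""
    query = "SELECT * FROM user_data WHERE last_name = ?"
    return conn.execute(query, (last_name,)).fetchall()


def breaks_query(conn, last_name):
    """True when concatenating this input leaves the quotes unbalanced,
    the 'error in your SQL syntax' case from the lesson."""
    try:
        lookup_vulnerable(conn, last_name)
        return False
    except sqlite3.OperationalError:
        return True


def literal_compare(conn, left, right, case_insensitive=False):
    """Whether 'a' = 'A' is true depends on the database's collation;
    SQLite compares TEXT case-sensitively unless told otherwise."""
    collate = " COLLATE NOCASE" if case_insensitive else ""
    row = conn.execute(f"SELECT 1 WHERE ? = ?{collate}", (left, right)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    payload = "Smith' OR 1=1 -- "
    print("Smith (vulnerable):      ", len(lookup_vulnerable(db, "Smith")), "rows")
    print("payload (vulnerable):    ", len(lookup_vulnerable(db, payload)), "rows")
    print("payload (parameterized): ", len(lookup_parameterized(db, payload)), "rows")
    print("star as data:            ", len(lookup_vulnerable(db, "*")), "rows")
    print("unbalanced quote errors: ", breaks_query(db, "Smith'"))
    print("'a' = 'A' default:       ", literal_compare(db, "a", "A"))
    print("'a' = 'A' NOCASE:        ", literal_compare(db, "a", "A", True))
```

Running it shows two rows for Smith in both versions, all four rows when the vulnerable lookup is given the lesson's `' OR 1=1 -- ` input, and zero rows from the parameterized lookup for the same input, since no one has that string as a last name. The comment dashes are what discard the developer's trailing quote in the vulnerable case; with a bound parameter there is no trailing quote to discard.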