SQL Injections are scary!! (hacking tutorial for beginners)

In this video, we’re learning one of the oldest yet most dangerous hacking techniques out there: SQL injection. Despite SQL injections being over 20 years old, they still rank number 3 on the OWASP Top 10 list. Why? Even Fortune 500 companies are still vulnerable to these attacks! So, in this video, NetworkChuck will show you how to run an SQL injection attack. Running a basic SQL injection attack is pretty easy, but it will often become more complex with trickier targets.

Stuff from the Video
—————————————————
TARGET SITE (Altoro Mutual): https://demo.testfire.net/index.jsp
MORE practice: https://play.picoctf.org/practice/challenge/304?page=1&search=sqli
How to protect against SQL Injection attacks: https://www.crowdstrike.com/cybersecurity-101/sql-injection/

0:00 ⏩ Intro
0:39 ⏩ Sponsor – Dashlane
1:43 ⏩ How Websites work with Databases
2:08 ⏩ What is a SQL Injection??
2:51 ⏩ Strings in SQL Queries
3:25 ⏩ Is a website vulnerable to SQL Injection?
4:14 ⏩ SQL Query Logic
4:45 ⏩ the OR SQL Injection Payload
7:13 ⏩ the COMMENT SQL Injection Payload
8:42 ⏩ how to protect against SQL Injections

by NetworkChuck

48 thoughts on “SQL Injections are scary!! (hacking tutorial for beginners)”

  • asshole' OR '1' = '1' —
    pwd = lushdflujkdsahf OR doesnt matter

  • Only thing is that this kind of SQL injection is only the very basic and outdated. It could have worked on a website from the early 2000s with some wonky self-written code

  • The challenge was completed in 2 sec, I truly hope this is not a real website, I would not trust my money to be in that bank! xD

  • My database is encrypted 😂😂😂

  • When building a website it's recommended to perform a regex user input filter to strip off any input that isn't a-z and 0-9 before posting to the server, and on receiving a request in the server it's recommended to perform the same regex filter before performing SQL queries. This will strip off any SQL injection input by the user.

  • what if it is: user_name = input("write username here: ")
    pass_word = input("write password here: ")
    SELECT * FROM users WHERE username = user_name AND password= pass_word

  • why exploit your sql to internet, protect it and make only backend to go there and everything will be fine lol…

  • I feel guilty now…
    I'm a college student and I… I…
    I used this information to collect academic data
    Was it wrong?? What should I do??

  • This will never work since almost all db connectors use prepared statements which prevents that kind of stuff.

  • But wait. Why is there a single quote after admin (admin' OR '1'='1') ?? Query should be ('admin'' OR '1'='1' AND ….) right ??
    THANK YOU FOR THE ANSWER !!!
    (End loved your videos !)

  • I even got myself a credit card. thanks man!

  • Now that I know this, I wanna know how to avoid SQL injection more deeply..

  • I hear someone pronounce SQL a "sequel" and I know the video is not worth my time.

  • I DID IT!!!! I hacked into the site! Wow. I feel so great now successfully completing my very FIRST sql injection attack. Now I know how it's done, I can protect my databases. Interesting

  • I believe in most databases the first three logins would be for the admins and to prevent overlapping of usernames databases would have a form of primary key system…so we could use the comment SQL injection method alongside with inputting the primary key field as 1 it should get us in but that would require us to have inside information on the database

  • I went to the website for more practise and it told me to log in. I thought that was the practise and I tried to SQL inject that website without realising it just wanted me to make an account

  • Mind blowing 🥳🥳🥳 whatever basic logic you put in email like

    Admin' ' OR '200-100'='100
    Etc..

  • That is terrifying, I got in, it only took 4 seconds

  • This is a great video but I have a few questions. How would you do this if it was just a password and how do you protect against it?

  • That actually worked haha
    MY FIRST HACKING EXPERIENCE. Feels good, kinda like fixing a bug in Ur program making it work just like u wanted it to 😛

  • I think this would only work on a two tier DB system, but not 3 tier

Comments are closed.
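
Two points raised in the comments, the question of why a single quote follows `admin` in `admin' OR '1'='1` and the remark about prepared statements, can be seen side by side in this added example (not code from the video or from the demo site). The table, the accounts and the function names are constructed for illustration, using Python's built-in `sqlite3`.

```python
import sqlite3

def make_db():
    """In-memory table holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [
        ("admin", "s3cret-constructed"),
        ("o'brien", "pw-constructed"),   # legitimate name with an apostrophe
    ])
    return db

def build_concatenated(username, password):
    """Vulnerable pattern: the application supplies the opening and closing
    quotes, and the input is pasted between them as part of the SQL text."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_concatenated(db, username, password):
    row = db.execute(build_concatenated(username, password)).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Hardened pattern: placeholders keep the values out of the SQL text,
    so a quote inside a value is data and cannot end the string literal."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def outcome(login, db, username, password):
    """Return the matched username, None for a rejected login, or
    'SQL error' when the database could not parse the statement."""
    try:
        return login(db, username, password)
    except sqlite3.OperationalError:
        return "SQL error"

if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1'='1"          # string quoted in the comments
    # The input's own quote closes 'admin'; the application's closing quote
    # then completes '1'. AND binds tighter than OR, so the WHERE clause is
    # username = 'admin' OR ('1'='1' AND password = 'x').
    print(build_concatenated(payload, "x"))
    print(outcome(login_concatenated, db, payload, "x"))     # admin
    print(outcome(login_parameterized, db, payload, "x"))    # None
    # A real apostrophe breaks the concatenated query but not the bound one.
    print(outcome(login_concatenated, db, "o'brien", "pw-constructed"))
    print(outcome(login_parameterized, db, "o'brien", "pw-constructed"))
```
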