1: SQL Injection (Union + Blind) - Gin and Juice Shop (Portswigger)

Views: 1,956

CryptoCat

1 day ago

SQL Injection - Episode 2 of hacking the Gin and Juice Shop, an intentionally vulnerable web application developed by PortSwigger. The website was created primarily to demonstrate the features of the Burp Suite Pro vulnerability scanner. However, throughout the series we will leverage Burp Suite (and other tools) to exploit the high, medium, low and informational issues identified by the scanner. Hopefully these videos will be useful for aspiring bug bounty hunters, security researchers, pentesters, CTF players, etc. 🙂 #BugBounty #EthicalHacking #PenTesting #AppSec #WebSec #InfoSec #OffSec
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat/CTF
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
KZfaq: / cryptocat23
Twitch: / cryptocat23
↢Portswigger: Gin and Juice Shop↣
ginandjuice.shop
portswigger.net/blog/gin-and-...
portswigger.net/burp/vulnerab...
portswigger.net/web-security
↢Resources↣
Ghidra: ghidra-sre.org/CheatSheet.html
Volatility: github.com/volatilityfoundati...
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
DCode: www.dcode.fr/en
HackTricks: book.hacktricks.xyz/pentestin...
CTF Tools: github.com/apsdehal/awesome-ctf
Forensics: cugu.github.io/awesome-forensics
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
0:00 Intro
0:10 Recap
0:46 Redeploy live audit scan
1:21 Known vulnerabilities endpoint
1:57 Review scan results
4:07 Recreate the vulnerability (SQLi)
7:09 Useful SQLi resources
7:45 Union vs Blind injection
8:28 Finding the correct syntax (comments)
9:30 Identify number of columns (order by)
11:25 Determine column datatypes
12:16 Enumerate databases (union attack)
13:32 Enumerate tables
14:15 Enumerate columns
14:41 Extract username and password
15:30 Blind SQLi attack
16:50 Determine database name length
18:06 Extract database name (substring)
19:37 Automate extraction with burp intruder
26:03 Issue #2: SQL in base64-encoded JSON cookie
26:54 Fail to automate with burp (macros / session handling)
30:30 SQLMap burp extension (bApp)
31:46 Test SQLMap CLI (fails to get DB type/version)
33:22 Conclusion
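The second issue in the chapters (SQL injection via a base64-encoded JSON tracking cookie) is the kind of bug this added example illustrates; it is not code from the video or from the Gin and Juice Shop. It puts a deliberately vulnerable cookie lookup beside its parameterized form, using an in-memory SQLite table with constructed sample rows; the table, column names and cookie layout are assumptions, not the shop's real schema.

```python
"""Vulnerable vs. parameterized lookup of a base64(JSON) tracking cookie (SQLite stand-in)."""
import base64
import json
import sqlite3


def make_db():
    """Constructed sample table; stands in for the shop's real tracking store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tracking (id TEXT PRIMARY KEY, visits INTEGER)")
    con.executemany("INSERT INTO tracking VALUES (?, ?)", [("u7f2", 3), ("k91a", 12)])
    return con


def encode_cookie(obj):
    """Build the cookie the way the shop does: base64 of a JSON document."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def parse_cookie(value):
    """Decode base64(JSON) and return the string 'id' field; reject anything else.

    Input validation alone is not the fix: a syntactically valid cookie can still
    carry SQL metacharacters, so the query itself must be parameterized.
    """
    try:
        data = json.loads(base64.b64decode(value, validate=True))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError("malformed tracking cookie") from exc
    tracking_id = data.get("id") if isinstance(data, dict) else None
    if not isinstance(tracking_id, str):
        raise ValueError("tracking cookie has no string id")
    return tracking_id


def lookup_vulnerable(con, cookie):
    """Deliberately vulnerable: the decoded id becomes part of the SQL text."""
    tid = parse_cookie(cookie)
    sql = f"SELECT id, visits FROM tracking WHERE id = '{tid}'"  # BUG: string building
    return con.execute(sql).fetchall()


def lookup_hardened(con, cookie):
    """Hardened: SQL text is fixed, the id is bound by the driver as data."""
    tid = parse_cookie(cookie)
    return con.execute("SELECT id, visits FROM tracking WHERE id = ?", (tid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = encode_cookie({"id": "u7f2' OR '1'='1"})  # constructed boolean probe
    print("vulnerable:", lookup_vulnerable(db, probe))  # leaks every row
    print("hardened:  ", lookup_hardened(db, probe))    # no such id: []
```

The same fixed SQL text with bound parameters also defeats the UNION, ORDER BY and substring-based blind probes listed in the earlier chapters, because none of them can change the statement the database parses.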

Comments: 9
@_CryptoCat
@_CryptoCat 3 months ago
I'm prepping for the BSCP atm and recently solved the brute-forcing a stay-logged-in cookie lab (again xD). It required some payload processing rules similar to the SQLi tracking cookie on this site (which I was struggling to automate with burp in the vid) - portswigger.net/web-security/authentication/other-mechanisms/lab-brute-forcing-a-stay-logged-in-cookie
@thatcyberlad
@thatcyberlad 3 months ago
Would love to see more of these for sure..!!
@algemies
@algemies 3 months ago
When you go through some of the Burp Suite functionality, could you please let us know if the functionality is in the Community or Enterprise version?
@_CryptoCat
@_CryptoCat 3 months ago
Sure! I think the only premium feature I've used so far has been the Burp Scanner, although the Burp Intruder (used in this ep) is unthrottled on the Pro version.
@xeunwa
@xeunwa 3 months ago
Really good tutorial
@_CryptoCat
@_CryptoCat 3 months ago
Thank you! 💜
@lennartluthi4869
@lennartluthi4869 3 months ago
Is it deliberate they named it this? Bit weird in my opinion, after the Juice shop from OWASP which is a great project.
@_CryptoCat
@_CryptoCat 3 months ago
I'm assuming it was! I've been meaning to make some videos on the OWASP juice shop, maybe I'll check it out after I get the BSCP. I've already made the next episode of this series but not sure how long it's gonna last because it seems like you can't really do much with most of the vulns. Either that or I'm a n00b, we'll see 😂