SQL Injections: The Full Course
Рет қаралды 100,916
Күн бұрынWelcome to this course on SQL injection attacks! In this course, we explore one of the biggest risks facing web applications today.
We start out by creating a safe and legal environment for us to perform attacks in. Then, we cover the core concepts of SQL and injections. After that, we learn SQL injection techniques with the help of cheat sheets and references. At that point, we start to gather information about our target in order to find weaknesses and potential vulnerabilities.
Once we've gathered enough information, we go full-on offensive and perform SQL injections both by hand and with automated tools. These attacks will extract data such as tokens, emails, hidden products, and password hashes which we then proceed to crack.
After successfully attacking and compromising our targets, we take a step back and discuss defensive controls at the network, application, and database layers. We also look at actual vulnerable code and show ways of fixing that vulnerable code to prevent injections.
Please note: Performing these attacks on environments you do not have explicit permissions for is illegal and will get you in trouble. That is not the purpose of this course. The purpose is to teach you how to secure your own applications.
Join Cybr's Discord: / discord
Cybr Courses: cybr.com/courses/
Pre-Requisites:
To understand how SQL injections work and how to perform them as well as defend against them, you must have:
- Experience working with web applications
- Experience with SQL
Suggestion: You may also wish to take our free Introduction to Application Security (AppSec) course (cybr.com/courses/introduction...) to familiarize yourself with the concepts of Application Security.
Timestamps:
About the course - 00:00 - 04:15
Setting up a safe & legal environment - 4:16 - 14:20
Getting started with OWASP ZAP - 14:21 - 18:41
SQL Concepts - 18:42 - 25:16
SQL Injections Explained - 25:17 - 35:27
SQL Injections Cheatsheets - 35:28 - 45:08
Information Gathering - 45:09 - 58:36
SQL Injections Hands-On - 58:37 - 01:14:41
SQL Injections with SQLMap - 01:14:42 - 01:23:29
Defenses at the Network Layer - 01:23:30 - 01:25:58
Defenses at the Application Layer - 01:25:59 - 01:37:49
Defenses at the Database Layer - 01:37:50 - 01:41:40
Ending Screen - 01:41:41 - 01:41:50
@Cybrcom 3 жыл бұрын
Here's an update on how to install Docker on the new Kali version. It's actually much simpler now! cybr.com/app-data-security-archives/how-to-set-up-the-dvwa-on-kali-with-docker/ TL;DR: sudo apt update sudo apt install -y docker.io sudo systemctl enable docker --now sudo usermod -aG docker $USER newgrp docker
@AbhishekkumarSir 3 жыл бұрын
I am really glad that there are people like you in this world. Thank you so much for your Video.
@Cybrcom 3 жыл бұрын
You are very welcome! Happy learning
@eyeinthesky1050 3 жыл бұрын
Thanks dude, i learned a lot by watching your videos, it is still difficult with those codes and stuff but the way you explains makes it easier! Thanks again :)
@Cybrcom 2 жыл бұрын
How's your learning journey been so far?
@eyeinthesky1050 2 жыл бұрын
@@Cybrcom hello sir! I have been working a lot lately and i have not been studying so much past few weeks but i gotta tell you i have learned so much in such short time while i was watching/studying the SQL Injection on your website and i really appreciate it, i am almost done with that course, thanks for your concern Christoph
@Cybrcom 2 жыл бұрын
@@eyeinthesky1050 awesome! Keep it up and good luck!
@islamkaram463 Жыл бұрын
The most powerful and professional course I've ever seen. Thanks a lot
@Cybrcom Жыл бұрын
That's really nice. Thanks so much!
@deadoralive8296 2 жыл бұрын
Still watching your videos Thank you so much
@9jacafe118 4 ай бұрын
Woow, that was educative and informative. You have done a great job.
@vandamieespadero6633 3 жыл бұрын
Your channel was arrived in my KZfaq screen in time. I recommend this to my group so they can watch it too. Thank you very much. Wishing you all the best in life. Cheers!!!
@Cybrcom 3 жыл бұрын
Thank you for recommending! People like you are what helps us keep going!
@nagizah8 Жыл бұрын
found your video while researching for materials for my undergrad paper about SQL Injections. You are a better teacher than my college one xD
@Cybrcom Жыл бұрын
That's so sweet, tyvm! Glad you found the video!
@rockguru6656 3 жыл бұрын
Your life saver .. bro surely u will grow .. plz make videos on kali tutorials
@Cybrcom 3 жыл бұрын
Our free eBook covers the topics reviewed in our course. It explores one of the biggest risks facing web applications today: SQL injections. Think of this as your reference guide that includes concepts to understand, attacks you can perform in safe & legal environments, and defense controls you can implement for your network, applications, and databases. Download your free eBook here: cybr.com/ebooks/sql-injection-attacks/
@mynamejeff2880 3 жыл бұрын
what not even 1 k subscribers cmon man this guy deserves better
@Cybrcom 3 жыл бұрын
Haha thank you, that's very kind! The best way to help us grow is to help share our videos if you think someone could benefit from it! Thanks!!
@che3tah205 3 жыл бұрын
feeling lucky to find you even before you hit your first 100 subscribers. Wishing you for 1M subscribers.
@Cybrcom 3 жыл бұрын
Thank you for the kind words!
@mahesh6307 4 ай бұрын
Most underrated
@Cybrcom 4 ай бұрын
❤️
@WickedTwitches 3 жыл бұрын
Holy crap this is exactly what I wanted.
@Cybrcom 3 жыл бұрын
Haha awesome! Glad you found it :D
@mohsenbaarzegar 3 ай бұрын
Very awesome
@7838007133 3 жыл бұрын
your English is so clear to understand non-English native speakers like me. Thank you so much!
@Cybrcom 3 жыл бұрын
So happy to hear that! Glad you enjoyed it!
@zaksam3745 2 жыл бұрын
thanks
@janekmachnicki2593 2 жыл бұрын
I brought your course from Udemy so well spent money THANKS
@Cybrcom 2 жыл бұрын
Thank you for your support ♥
@janekmachnicki2593 2 жыл бұрын
@@Cybrcom iv just brought another one form udemy " The Practical Guide to sqlmap for SQL Injections"
@justkiddieng6317 2 жыл бұрын
1:39:24. LOL, well a lot of time this is true but we need it. LOL. thanks for this, course I hope you will upload more video to help us especially for beginners. THAANNKSKSSSS
@Cybrcom 2 жыл бұрын
You got it!
@FLUFFYCAT_PNW Жыл бұрын
Really great and informative video.
@Cybrcom Жыл бұрын
Thank you! Glad you liked it
@bricer4894 2 жыл бұрын
woow, am half way through but enjoying it. I feel like i can hack any database now haha. Thanks for this content
@Cybrcom 2 жыл бұрын
Glad you're enjoying it!
@uuusa7 3 жыл бұрын
Bro great job help me too much to learn, hopefully more video of you. Thanks
@Cybrcom 3 жыл бұрын
Glad it helped :-)
@lichking5834 Жыл бұрын
thank you sooo much man
@Cybrcom Жыл бұрын
glad it helped!
@itsksujan 7 ай бұрын
Great video on SQL injection, appreciate your effort 👏
@justkiddieng6317 2 жыл бұрын
If you can upload more full course about web security thanksss....
@nimcoabdi8822 Жыл бұрын
Thanks I’m here to prepare my interview for cyber security consultant
@Cybrcom Жыл бұрын
Good luck! Hope it goes well
@justkiddieng6317 2 жыл бұрын
Please do more videos. That would be great.
@Cybrcom 2 жыл бұрын
You got it!
@sigge.g2193 Жыл бұрын
If you having troubles with virtualbox and it is "aborted" make sure to enable "amd v" in bios setting
@sgshanks 2 жыл бұрын
Solid content with clear explanation
@Cybrcom 2 жыл бұрын
Thank you ♥
@xanvong1501 2 жыл бұрын
Thanks! So awesome of you! Learning so much!
@cyberone14 2 жыл бұрын
your studying cyber security ?
@xanvong1501 2 жыл бұрын
@@cyberone14 yes, I recently graduated in Cybersecurity certification ( 30 credits). It is a competitive field to enter as an entry-level. I am thinking of pursuing Cloud certification with Azure or AWS. Application security job is in high demand and less competitive with others job applicants.
@cyberone14 2 жыл бұрын
@@xanvong1501 well done :)
@Cybrcom 2 жыл бұрын
@@xanvong1501 congratuations, and that's a great idea. The cloud is in high demand and will remain so for the long-term, especially security!
@xanvong1501 2 жыл бұрын
@@Cybrcom Thanks so much 🙏
@user-wu1qj6uu5n 5 ай бұрын
is there a course to get more advanced on this attack? like for example bypass some stuff that very common in sql injection attack?
@aadilroshan7822 Жыл бұрын
I love you man
@Cybrcom Жыл бұрын
Love you too :)
@SEYIDMOHAMEDELKORY Жыл бұрын
waiting for your course about the new version of zap. it's completely different
@profesurtom 18 күн бұрын
Hey if we shut down our system or close the docker seession do we need to download them again . and btw i love your videos and content you provide . THANKS FOR THEM , you are just helping us more than you think.!!!
@Cybrcom 18 күн бұрын
You don't need to re-download the docker images, you can just re-launch a new container with the same image(s). But if you take actions in the container, those actions will get wiped every time you shut down the system or destroy the container. You can get around this if you need to by setting up persistent storage though: docs.docker.com/guides/docker-concepts/running-containers/persisting-container-data/
@chizzlemo3094 3 жыл бұрын
hi mate, like your presenting style, does [arch=amd64] apply if the PC using intel, I'm confused? Thanks ya'll
@Cybrcom 3 жыл бұрын
Yes it does. Super confusing, I know. Here's a brief explanation of why it is what it is: wiki.debian.org/DebianAMD64Faq TL;DR: ""AMD64" is the name chosen by AMD for their 64-bit extension to the Intel x86 instruction set."
@user-fu6nj8lv5b 4 ай бұрын
In 53:12 what is % refering to? Is that encoded of single quote or empty?
@bricer4894 2 жыл бұрын
Does the order matter when writting commands for sqlmap eg (-u, --batch, --threads) or the command can run regardless of the arrangement ? Thanks
@Cybrcom 2 жыл бұрын
The order of options doesn't matter much in terms of running the command, nope!
@user-gg8sj2ck3o 4 ай бұрын
is that working if i apply this union sqli query param=')) union select name,name,name,name,name,name,name,name,name from sqlite_master where type='table' -- in login field to get all tables?, im asking because i've been tried it out but nothing happend, is that because the login field doesn't vulnerable to this query?
@profesurtom 15 күн бұрын
isn't the scaning a target is a 2nd phase for pentesting?? while not Info Gathering?
@ivanshyshkevich9301 9 ай бұрын
Question: why are you deploying Kali Linux through VirtualBox? Wouldn't it be easier to pull it through Docker as well? Great course, thank you!
@Cybrcom 9 ай бұрын
Hey, normally I use VMs (something like VirtualBox for local or else cloud-based ones) for anything requiring a GUI, and Docker when I just need to run a server, an app, or scripts, either locally or as part of deployment pipelines... it entirely depends on what you want/need and your comfort level, but you have many options nowadays!
@mdzyrd407 Жыл бұрын
Hello! I am having a problem when pressing the launch browser in the manual explore. The browser displays, however, the zap hud is not showing and the search bar is color red instead of yellow or orange like in the video. It only displays the OWASP Juice Shop web application. Any help will be appreciated! Edit: changed OWSAP to OWASP
@Cybrcom Жыл бұрын
I’ve had a few other reports of this issue and believe it’s caused by an update to Firefox. Honestly, the HUD is not that useful once you start getting more familiar with ZAP, so learning how to use the HUD instead of the main ZAP client is not very important and could definitely be skipped. If you want to try a prior Firefox version though, that should fix it. Up to you!
@mdzyrd407 Жыл бұрын
@@Cybrcom thanks for the reply, I recently knew that I do not really need the hud, I can use the desktop client which is for me is better. Btw really great video and tutorial, I learned a lot and thanks again for replying to my message!!! Cheers!
@geuxmer2355 10 ай бұрын
Idk why but it feels like every second im not learning cybersecurity, things are getting more secure and one day soon hscking will be phased out completely
@Cybrcom 9 ай бұрын
I wouldn’t worry about it anymore because that’s definitely not the case :)
@Louisianish 6 ай бұрын
Cybersecurity professionals are more in demand than ever, and that demand is only growing.
@kuil 6 ай бұрын
It is getting harder to hack, but as new technologies are created, new exploits will be too.
@night0x1 12 күн бұрын
Always be creative on your payloads and think out the box
@user-gg8sj2ck3o 4 ай бұрын
how do you know that we should use a lot of column based on target table, or that what w should do in every union attack?
@Cybrcom 3 ай бұрын
This would require a lot of trial and error to get the number of columns matching right if you were doing a blackbox test. Otherwise, this is information you could get from the engineering (app/database) team
@zbgh7693 2 жыл бұрын
Might be late but question, can mastering this tool get me a start up job? Great video 🔥🙏🏼
@Cybrcom 2 жыл бұрын
It certainly wouldn't hurt, but you will need more than just mastering this specific tool (assuming you are referring to sqlmap). Most job postings will require knowledge of multiple tools and other concepts
@zbgh7693 2 жыл бұрын
@@Cybrcom I see yeah makes sense, would it be possible if you make a video on what are the things you should know in order to land a start up job or an internship in cyber security, I’m currently a 3rd year software engineering students and I’m all over the place. Would really appreciate it
@syamakella1297 3 жыл бұрын
bro can u make a video on how to run dvwa on aws kali instance
@Cybrcom 2 жыл бұрын
Sure!
@AfricanMemes-oq9eu 3 ай бұрын
Good morning,please at the beginning while trying to set up docker .. When I run the command...docker run --rm -it -p 80:80 vulnerables/web-dvwa I get am error messages saying Error starting userland proxy Address already in use Docker: error response from daemon
@Cybrcom 27 күн бұрын
Hi, did you get this resolved? Just in case for others who may have that problem: the error message tells you that port 80 is already in use. You either already ran that command the didn't kill the container before re-running it, or you have another service on your computer running on port 80. You can simply map it to a different port, like this: -p 8084:80
@smert6379 8 ай бұрын
When i do the automated scan on ZAP, it just crashed after a while every time. And i need to restart my VM to get it to open again. Any help?
@Cybrcom 8 ай бұрын
Take a look at the error log and see what’s causing the issue. More details here: www.zaproxy.org/faq/somethings-not-working-what-should-i-do/
@user-wu1qj6uu5n 5 ай бұрын
Is DROP query can delete database and column?
@Cybrcom 5 ай бұрын
www.w3schools.com/sql/sql_drop_table.asp
@user-fu6nj8lv5b 5 ай бұрын
Is that possible to sql injection the impossible level on dvwa blind sqli?
@Cybrcom 5 ай бұрын
It’s not supposed to be but you never know ;)
@fluidman777 2 жыл бұрын
Hello, Thanks a lot. at 53:30 after executing the union payload am getting "Invalid HTML header" any solution.? I have cross-checked everything.
@Cybrcom 2 жыл бұрын
Try copy/pasting directly from here. It's possible that a weird character snuck in: ')) UNION SELECT name,name,name,name,name,name,name,name,name FROM sqlite_master WHERE type='table' -- Alternatively, make sure you didn't accidentally modify or delete any of the other headers, and make sure the GET request is on a separate line from the User-Agent line
@fluidman777 2 жыл бұрын
@@Cybrcom thank you!
@fluidman777 2 жыл бұрын
@@Cybrcom it worked!thanks.
@Cybrcom 2 жыл бұрын
@@fluidman777 awesome!
@fluidman777 2 жыл бұрын
@@Cybrcom could you be the one who was teaching Redhat sysadmin prep on udemy? had bought the course but i can no longer find it.
@johncracker6934 3 жыл бұрын
Actually in the minute 32:44 it will fail because it still got a closing quote the workijng payload will be something like : 346'%20OR%20'1'='1
@Cybrcom 2 жыл бұрын
Thanks! Must have missed that one
@footballforall3113 3 жыл бұрын
make of xxe tooo please
@Cybrcom 3 жыл бұрын
I've actually got a brief section on XXE in the full version of this course here: cybr.com/courses/injection-attacks-the-free-guide/ (Check out the "XML and XPATH injections" section)
@rtzgf67games7 2 жыл бұрын
Note to myself: 1:22:47
@ingriedsiegbert9799 6 ай бұрын
What is „Chi Chi“?
@Cybrcom 6 ай бұрын
Huh?
@user-fu6nj8lv5b 4 ай бұрын
In 53:12 , what the % stand for?
@Cybrcom 3 ай бұрын
in SQL, it acts as a wildcard. So since it's paired with LIKE '%' it means match everything. If it were instead LIKE 's%' it would match every column that starts with the character s, and so on
@mohammadpatel2315 3 жыл бұрын
When I try sqlmap I get parameter 'id' is not injectable
@Cybrcom 3 жыл бұрын
At which step in the course are you getting this message? And are you running the same command as shown in the video?
@pratibhasharma5935 2 жыл бұрын
@@Cybrcom I am getting the same error. This error is shown when I use the same command as shown at 1:21:10
@medorrah 10 ай бұрын
I need anyone that is very good in injecting sql to come to my aid
@user-wu1qj6uu5n 5 ай бұрын
Can I create a new table in SQL Fiddle?
@Cybrcom 5 ай бұрын
Yes
@Cybrcom 5 ай бұрын
@@user-fu6nj8lv5bI'm not sure what you mean or what you're referring to
@user-gg8sj2ck3o 4 ай бұрын
name is a column or function?
@Cybrcom 3 ай бұрын
Timestamp please
@raviranjan5519 3 жыл бұрын
can you teach me digital forensic
@Cybrcom 3 жыл бұрын
We're talking to a couple of potential authors who are knowledgeable in digital forensics, and are hoping that will lead to courses on that topic!
@francisdonald4298 2 жыл бұрын
Why here seems easier but in live targets doesn't work!!!!?????????
@Cybrcom 2 жыл бұрын
It’s part of the grind & hunt!
@SQLxGuy Жыл бұрын
How is it like being a good guy hacker?
@karthikiyer1309 3 жыл бұрын
Right now you don't have 1k subs but I'm seeing ads on your video...how???
@Cybrcom 3 жыл бұрын
KZfaq just announced a change to their ToS so they are now monetizing videos even if the channel isn't monetizing :(
@Cybrcom 3 жыл бұрын
From KZfaq's announcement: "KZfaq’s right to monetize: KZfaq has the right to monetize all content on the platform and ads may appear on videos from channels not in the KZfaq Partner Program."
@emochain75 2 жыл бұрын
brother I got this video ..Does it need to have wireless adapter for sql injection ? Cause I donot have money so that I can buy it ,,,, And my laptop dont have that ..plzz reply😪😊
@Cybrcom 2 жыл бұрын
No wireless adapter is needed for SQL injection
@god9233 3 жыл бұрын
brother but like this you teaching people how to sql attack.....
@Cybrcom 3 жыл бұрын
You have to understand how attacks can be carried out in order to truly protect your assets. The hope is that more people do good things with their skillset than bad, but ultimately you don't prevent bad things from happening by limiting training. Quite the opposite!
@belharra5756 3 жыл бұрын
@@Cybrcom yes your right also i would appriciate if you could make sql injection video with the New kali Linux because many things changed like the docker download
@Cybrcom 3 жыл бұрын
@@belharra5756 here's an update on how to install Docker on the new Kali version. It's actually much simpler now! cybr.com/app-data-security-archives/how-to-set-up-the-dvwa-on-kali-with-docker/ TL;DR: sudo apt update sudo apt install -y docker.io sudo systemctl enable docker --now sudo usermod -aG docker $USER newgrp docker
@god9233 3 жыл бұрын
@@Cybrcom brother could you Pls make an updated version of sql injection on how to bypass waf
@Cybrcom 3 жыл бұрын
@@god9233 I'm actually working on one right now that will include that :-D
@Puseyeater69 Жыл бұрын
🙂👍
@Cybrcom Жыл бұрын
❤️
@turalkanal2113 Жыл бұрын
could you please assist me to solve this error: Failed to load R0 module D:\/VMMR0.r0: The path is not clean of leading double slashes: 'D:\/VMMR0.r0' (VERR_SUPLIB_PATH_NOT_CLEAN). Failed to load VMMR0.r0 (VERR_SUPLIB_PATH_NOT_CLEAN). Result Code: E_FAIL (0x80004005) Component: ConsoleWrap Interface: IConsole {872da645-4a9b-1727-bee2-5585105b9eed} I have been trying to solve for 3 days .
@turalkanal2113 Жыл бұрын
when I want to start the machine
@Cybrcom Жыл бұрын
Did you figure this out? You might want to uninstall/reinstall
@turalkanal2113 Жыл бұрын
@@Cybrcom I installed VB to c:/
@GodsGreatest Жыл бұрын
Ask Chatgpt
@user-cn2uv1ms2t 5 ай бұрын
do you have video to prevent sql injection using ML
@Cybrcom 5 ай бұрын
I do not and haven’t seen one I can recommend
David Bombal
Рет қаралды 163 М.