When exploiting SQLi, one the most important parts is to identify the names of the tables in the DB in order to find interesting data. Another important option is reading OS files, as we can obtain more passwords and get the source code of the app to find
- [Narrator] Hi and welcome back.…In this video we're going to continue adding features…to our SQLi script.…In the previous video, we saw how to extract data…from the DB through an SQL Injection vulnerability.…In this video, we're going got add a function to read…all the table names from the database,…and we're going to add a function to read the files…from the database server OS.…First, we're going to see how we can…obtain all the table names that are in the database…in order to see if we see something of interest.…
And then we're going to add the capability to read files…from the OS file system.…Now, let's open the file SQLinjector-3.py.…We have a new function in here that will help us…to obtain the table names in the different schemers,…except the ones we are filtering out…to reduce the noise in the output.…The structure is the same as before.…We have the query we need with the tokens…to help parse in the results,…and the regular expression for parsing is.…
And then we print he results.…Finally, we add the function call in the launcher.…
Stop using automated testing tools. Customize and write your own tests with Python! While there are an increasing number of sophisticated ready-made tools to scan systems for vulnerabilities, Python allows testers to write system-specific scripts—or alter and extend existing testing tools—to find, exploit, and record as many security weaknesses as possible. This course will give you the necessary skills to write custom tools for different scenarios and modify existing Python tools to suit your application's needs.
Christian Martorella starts off by providing an overview of the web application penetration testing process and the tools the professionals use to perform these tests. Next he shows how to interact with web applications using Python, HTTP, and the Requests library. Then follow the web application penetration testing methodology. Each section contains practical Python examples. To finish off, Christian shows how to use the tools against a vulnerable web application created specifically for this course.
- Understanding web penetration testing
- Interacting with web applications via HTTP and the Requests library
- Analyzing HTTP responses
- Web crawling with Scrapy
- Extracting information
- Discovering resources
- Testing passwords
- Detecting and exploiting SQL injection vulnerabilities
- Intercepting HTTP requests