Hacking a hotel’s system for free Wi-Fi with SQL injection


I recently went to a hotel which unfortunately didn’t have free Wi-Fi. It did, however, have paid Wi-Fi, and the login page looked something like this: a field to enter an access code, and a link to buy one. The part we are going to focus on is the access code field, and we are going to see whether we can get the Wi-Fi for free.

The first step in any ethical hacking engagement is reconnaissance, the act of information gathering, and it is extremely important. It can mean finding out things like which OS the server is running. If we look at the URL at the top and request the index of that web page, we get a 401 response, but we still learn something useful: the footer of the error page names Red Hat Linux, which tells us the server is running Linux.

For this video I built a web page that accepts the code and validates it, and I print any error messages so you can see what is happening. The backend is written with Flask and SQLite for simplicity. If you want to try it yourself, I’ll leave the link in the description.

The first idea that comes to mind is to try every possible code. That is not a realistic option here. Our code has a length of four, but in a real deployment a code would be six or more characters. Suppose each character can be any of 256 byte values (plain ASCII only has 128, and a real code is usually limited to letters and digits, so this is an upper bound). The number of possible four-character codes is 256 to the power of 4, about 4.3 billion. If it takes a second to establish the connection and submit the form, trying them all would take over 136 years. With six characters it would be 256 to the power of 6, roughly 2.8 times 10 to the 14 codes, or about nine million years. Even a realistic six-character alphanumeric code (36 to the power of 6, about 2.2 billion possibilities) would take around 70 years at one request per second, before any rate limiting by the portal. Brute force is out; let’s be a little smarter.

This is how the structure of our program could look: JavaScript and HTML running in the browser, and a Flask API that talks to a SQL database. But first of all, what is a database?
Think of a database as an Excel spreadsheet. We have tables with rows and columns; each column has a name, and the rows hold the data. In our case we can have a table of all the valid codes, which could look like this. SQL is the language used for defining and querying databases. It is incredibly popular, and our website uses it too.

Let’s go over a few SQL statements. CREATE TABLE creates a table, like creating a new sheet in Excel or Google Sheets. Here you specify the names of all the columns and the type of data each one holds, such as INTEGER or TEXT. A column can also be declared as the primary key, which means its value must be unique and identifies the row. INSERT INTO adds rows to a table. We make queries with SELECT, which is the most important statement for us: we can select all the data from a table, or select only the rows that satisfy some condition. The SELECT statement for our website could look like this, and it changes based on what is typed into the text field.

The way we test for the vulnerability is by entering a single quote, the character SQL uses to open and close a string literal. You can see how the statement would throw a syntax error: the string is opened and never closed. If the text is inserted into the SQL statement without any validation or escaping, we can rewrite the statement so that its condition is always true; such a statement could look like this. If we can get the SQL statement to look like this, we have accomplished what we set out to do, and an input like this completes the statement cleanly.

Okay, let’s actually see how this works. I’ve printed every code in the database so you can see them, for example 1XFF. Now let’s go to the login page and try the code 1XFF. Here you can see it says Wi-Fi connection established, and I’ve printed the SQL statement so we can see what is going on. Now let’s try 1234.
Here you can see it says Invalid code, because 1234 does not exist in the database. Now let’s try what we talked about before. First we close the open quote, then we add OR 1=1, which, as we said, matches every row in the table. Then we add another OR and open a new quote, so that the closing quote the server appends completes it and the statement stays syntactically valid. You can see it says Wi-Fi connection established, and the printed SQL statement selects everything from the table purely because of the 1=1.

Although we did this by hand, there are a lot of great tools that do the work for us. On Kali Linux you can use sqlmap or sqlninja to find which text fields are vulnerable and perform the injection, and there is another one called jSQL Injection that automates SQL injection from a GUI. They are all linked in the description. Keep in mind: do not use this on any website in the real world. It is highly illegal. This video is for educational purposes only.
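The whole exchange above, from the CREATE TABLE and INSERT INTO statements through the single-quote probe and the OR 1=1 bypass, as an added example that is not code from the video or its linked repository. It uses an in-memory SQLite table standing in for the hotel’s code database (the codes are constructed sample data; 1XFF is the one typed in the video), a check function that concatenates the text field into the query the way the video’s backend does, and a parameterised version that closes the hole. The table and column names and the payload list are assumptions, since the video does not show its schema.

```python
import sqlite3

# Constructed sample data standing in for the hotel's code table;
# 1XFF matches the code typed in the video, the others are made up.
SAMPLE_CODES = ["1XFF", "7QZ2", "A9K4"]


def build_db():
    """CREATE TABLE and INSERT INTO, as covered above, against an in-memory DB.
    Table and column names are an assumption; the video does not show its schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE codes (id INTEGER PRIMARY KEY, code TEXT NOT NULL UNIQUE)"
    )
    conn.executemany("INSERT INTO codes (code) VALUES (?)",
                     [(c,) for c in SAMPLE_CODES])
    conn.commit()
    return conn


def check_code_vulnerable(conn, user_input):
    """The flaw from the video: the text field is pasted straight into the SQL.
    Returns (matching_rows, statement, error)."""
    stmt = f"SELECT code FROM codes WHERE code = '{user_input}'"
    try:
        rows = conn.execute(stmt).fetchall()
    except sqlite3.Error as exc:
        # A lone quote leaves the string literal unclosed; SQLite refuses
        # to parse it and the error message leaks back to the user.
        return 0, stmt, str(exc)
    return len(rows), stmt, None


def check_code_safe(conn, user_input):
    """The fix: bind the input as a parameter so it is treated as data, never as SQL."""
    rows = conn.execute(
        "SELECT code FROM codes WHERE code = ?", (user_input,)
    ).fetchall()
    return len(rows) > 0


PAYLOADS = [
    "1XFF",            # a valid code
    "1234",            # an invalid code
    "'",               # the probe: breaks the query, proving the field is injectable
    "' OR 1=1 OR '",   # the bypass: closes the quote, always true, reopens it
]


def run_demo():
    """Run every payload through both checkers.
    Returns {payload: (rows matched by the vulnerable query, safe verdict, error)}."""
    conn = build_db()
    results = {}
    for payload in PAYLOADS:
        rows, stmt, err = check_code_vulnerable(conn, payload)
        safe_ok = check_code_safe(conn, payload)
        results[payload] = (rows, safe_ok, err)
        verdict = "Wi-Fi connection established" if rows else "Invalid code"
        print(f"{payload!r:18} vulnerable: {verdict:28} parameterised: "
              f"{'established' if safe_ok else 'invalid'}")
        print(f"    {stmt}" + (f"\n    error: {err}" if err else ""))
    conn.close()
    return results


if __name__ == "__main__":
    run_demo()
```

Running it prints the same three outcomes the video walks through: the valid code is accepted, the lone quote produces a parse error from SQLite (the tell-tale sign the field is injectable), and the OR 1=1 payload matches every row of the table even though no such code exists. The parameterised checker rejects both injected inputs, because the driver sends the text as a bound value and the quote characters never reach the SQL parser.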
