1
00:00:01,750 --> 00:00:08,110
OK, now I'd like to show you an SQL injection in a different file and a different page, and I'll

2
00:00:08,110 --> 00:00:13,560
show you a few different things that you can do to exploit that vulnerability.

3
00:00:13,900 --> 00:00:21,280
So the first thing I'm going to do is go to the login page, and then to the user info page.

4
00:00:21,280 --> 00:00:26,950
So first I went to the login page, and from there, this time, I went to the user info page.

5
00:00:26,950 --> 00:00:32,350
So this page will show you the information about the user, provided you give the username and

6
00:00:32,350 --> 00:00:32,980
password.

7
00:00:32,980 --> 00:00:39,340
So I'm going to do it, and I'm going to put in my password, 123456, and it'll show my

8
00:00:39,340 --> 00:00:44,020
details: username and password, and then my signature is 'a'.

9
00:00:44,110 --> 00:00:48,910
So the statement that's been executed here is similar to what was being executed when you log in.

10
00:00:49,090 --> 00:00:55,540
So select * from accounts where username is what you put in the user field and password is what

11
00:00:55,540 --> 00:00:57,670
you put in the password field.

12
00:00:57,670 --> 00:01:04,510
So what we're going to do now is we're going to see a different way of exploiting this kind of vulnerability.

13
00:01:04,510 --> 00:01:05,730
In the previous video

14
00:01:05,880 --> 00:01:09,950
we were doing it using a POST text box.

15
00:01:10,210 --> 00:01:17,010
So whatever you put in the text box was being posted using a POST method to the web application.

16
00:01:17,020 --> 00:01:19,230
Now these vulnerabilities can exist

17
00:01:19,270 --> 00:01:24,780
in GET, and what I mean by GET is that when something is sent as a GET,

18
00:01:24,850 --> 00:01:26,670
you will see it here in the URL.

19
00:01:27,010 --> 00:01:32,770
So if you look at the URL here, you see it's being sent as the username and the password, 123

20
00:01:32,770 --> 00:01:34,890
456.

21
00:01:35,090 --> 00:01:37,100
So let me just copy this URL here.

22
00:01:38,660 --> 00:01:45,580
And we'll start playing with it from the URL, and instead of doing it on the web page, I just want to

23
00:01:45,580 --> 00:01:51,270
show you a different example, because in many places there might not even be text boxes; for example, that

24
00:01:51,280 --> 00:01:55,180
could be something like news.php.

25
00:01:55,270 --> 00:01:58,790
So we can see here, for example, in this example it's index.php.

26
00:01:59,020 --> 00:02:03,010
And in your pentesting you might see something like user.php.

27
00:02:03,400 --> 00:02:08,680
And for example id=2, and then you can try to inject stuff in there.

28
00:02:09,010 --> 00:02:14,410
So we're having an example here where we're going to be injecting things into the username field,

29
00:02:14,410 --> 00:02:19,210
which is this field, and we're going to be injecting stuff in here.

30
00:02:20,270 --> 00:02:25,460
So any time when you're doing your practice, any time you see parameters like this, you should try to

31
00:02:25,460 --> 00:02:30,970
inject them. Any time you see something that's .php and then you have a parameter equal to something,

32
00:02:30,980 --> 00:02:34,610
always try to inject stuff in there and see if it works for you.

33
00:02:35,530 --> 00:02:42,790
So we also saw a way of discovering the injection, and that was using the quotation mark and using

34
00:02:42,840 --> 00:02:43,170
the 'and'.

35
00:02:43,200 --> 00:02:49,080
And so we do a false 'and' and a true 'and': 'and 1=1' and then 'and 1=2'.

36
00:02:49,210 --> 00:02:55,860
And if the server is executing what we want, then we're going to know that there is an SQL injection.

37
00:02:56,010 --> 00:03:02,440
I'm going to show you another way of discovering these exploits, and it's using the order by. As the name

38
00:03:02,440 --> 00:03:10,770
suggests, the order by statement is used to order the results that we get on the screen based on a specific

39
00:03:10,780 --> 00:03:11,920
column.

40
00:03:11,920 --> 00:03:24,550
So our injection is going to be like this: I'm going to do 'order by 1'. So if the injection

41
00:03:24,580 --> 00:03:31,480
exists, this should work, because in each select statement there should be at least one column being

42
00:03:31,480 --> 00:03:32,240
selected.

43
00:03:32,290 --> 00:03:38,190
Therefore, when we say order by 1, we're saying I want to order the results based on the first column.

44
00:03:38,320 --> 00:03:46,830
Therefore this should always be acceptable by the database and return true, or something that we expect.

45
00:03:47,080 --> 00:03:53,370
We also need to add the comment in here and execute this code, so it's exactly like before.

46
00:03:53,370 --> 00:04:01,130
So when we're doing this, basically this is the URL, and what's going to happen on the database,

47
00:04:01,130 --> 00:04:03,910
or this is the code that's being executed on the database,

48
00:04:04,100 --> 00:04:06,080
it's going to look like this.

49
00:04:13,180 --> 00:04:19,030
So it's going to be select * from accounts where username is equal to 'zaid', and note how this is

50
00:04:19,030 --> 00:04:20,310
closed in the code.

51
00:04:20,500 --> 00:04:28,680
And we're going to do an order by 1, and there should be this quote here for the 'and', and this comment

52
00:04:28,720 --> 00:04:34,040
will tell the SQL interpreter to ignore anything that comes in after it.

53
00:04:34,050 --> 00:04:35,980
So all of this is going to be ignored.

54
00:04:39,550 --> 00:04:40,900
So I'm copying this,

55
00:04:45,740 --> 00:04:52,070
so you can actually paste this injection, zaid order by 1, into the name right here, and that's

56
00:04:52,070 --> 00:04:53,010
going to work.

57
00:04:53,060 --> 00:04:57,850
But again, I just want to show you a different way of doing it, by injecting it through the browser.

58
00:04:58,160 --> 00:05:04,250
Another thing that I want you to note is, when you inject through the browser, the code

59
00:05:04,520 --> 00:05:06,140
should be encoded.

60
00:05:06,200 --> 00:05:12,650
So for example this # sign, usually when you put it in a URL, it should be written as %23;

61
00:05:12,670 --> 00:05:21,650
spaces, for example, get converted to %20, and %23 is the comment that we're using.

62
00:05:21,800 --> 00:05:27,300
So I copy that and replace my comment sign with it.

63
00:05:27,520 --> 00:05:32,170
Now you can google 'HTTP encoder' and you'll see online there are online tools that will just convert

64
00:05:32,170 --> 00:05:33,220
this for you.

65
00:05:33,460 --> 00:05:38,800
For me, now I know that the hash sign can be converted to %23.

66
00:05:38,920 --> 00:05:40,590
So that's why I'm using it there.

67
00:05:40,990 --> 00:05:47,130
And I'm going to hit enter, and as you can see, now we're seeing something that's acceptable,

68
00:05:49,860 --> 00:05:51,070
nothing wrong.

69
00:05:51,090 --> 00:05:56,060
And then it's showing me the information about zaid, 123456, and something with the signature.

70
00:05:56,070 --> 00:05:57,670
So it is ignoring the password.

71
00:05:57,720 --> 00:06:03,290
So the injection worked, and it's ordering by 1, so it's not doing anything wrong.

72
00:06:03,300 --> 00:06:05,290
Let's try to make this number 1

73
00:06:05,290 --> 00:06:09,610
a very large number, so put in 10000 or 100000.

74
00:06:09,690 --> 00:06:15,270
So what we're saying right now is: I want you to order the results that will be returned by the current

75
00:06:15,270 --> 00:06:19,170
select statement based on column 100000.

76
00:06:19,170 --> 00:06:25,620
Now chances are there aren't 100000 columns used in this select statement, and therefore this should

77
00:06:25,620 --> 00:06:27,330
return an error.

78
00:06:27,330 --> 00:06:34,760
So when I execute this, you'll see that there is an error, and the error is in the order clause, and it tells

79
00:06:34,830 --> 00:06:38,690
us that there is an unknown column for 100000.

80
00:06:38,830 --> 00:06:43,950
And this is great, because now we know that the database is executing what we want. So when we told it

81
00:06:43,950 --> 00:06:48,130
to order the results based on the first column, it showed us results.

82
00:06:48,150 --> 00:06:50,300
So it followed what we told it.

83
00:06:50,400 --> 00:06:57,490
And then when we told it to order the results based on a column that does not exist, it gave us an error.

84
00:06:57,510 --> 00:07:00,640
So it's obviously vulnerable to SQL injections.