1
00:00:01,240 --> 00:00:06,310
All the JavaScript injections that we've done so far, we used to inject them like this, or we used to

2
00:00:06,310 --> 00:00:13,330
actually inject them in the HTML code, and we used to have to put <script>alert('XSS')</script> or

3
00:00:13,750 --> 00:00:17,770
put anything in here depending on the cheat sheet that I shared with you.

4
00:00:19,610 --> 00:00:25,640
Now I've said earlier, with SQL injections the payload or the exploit can vary from website to website

5
00:00:25,850 --> 00:00:29,470
depending on the way the website is programmed or the page is programmed.

6
00:00:29,690 --> 00:00:35,660
And XSS is the same, so you always need to approach the websites and think about it in a general

7
00:00:35,660 --> 00:00:39,390
idea and try to exploit it depending on the page itself.

8
00:00:39,400 --> 00:00:45,560
And don't always just copy and paste the exploits or the payloads. And to do that I'm just going to show

9
00:00:45,560 --> 00:00:47,190
you another example today.

10
00:00:47,670 --> 00:00:54,200
And we're going to do it in Mutillidae, and we're going to go to the injection and I'm going to go to

11
00:00:54,200 --> 00:00:58,670
the JavaScript injection and to the password generator.

12
00:00:58,670 --> 00:01:04,410
Now what this page does basically, you click on the generate and it just generates a random password.

13
00:01:04,400 --> 00:01:08,150
So there are a lot of websites on the Internet that just do that for you.

14
00:01:09,830 --> 00:01:17,510
Looking at this website, it says this password is for anonymous. Looking at the URL we can see that

15
00:01:17,570 --> 00:01:23,330
it's given a username, and the username is given, they are all in the username parameter, and it's

16
00:01:23,330 --> 00:01:28,290
given anonymous, so we can just change that name to a name we want.

17
00:01:28,290 --> 00:01:30,100
So for example if we change that to Zaid,

18
00:01:33,390 --> 00:01:37,280
it'll say that the password is being generated for Zaid.

19
00:01:37,440 --> 00:01:40,340
And if we generate, it's going to be generated.

20
00:01:40,410 --> 00:01:45,570
Now note that whatever you write in here is being displayed here, and this should instantly tell you

21
00:01:45,570 --> 00:01:53,130
that maybe this could be vulnerable to an XSS vulnerability, because whatever you type is being displayed.

22
00:01:53,130 --> 00:01:59,630
So let's try and use the same exploit that we always use and try to get it injected in the code and

23
00:01:59,630 --> 00:02:06,380
the page.

24
00:02:06,420 --> 00:02:12,140
Now as you can see the exploit didn't run, so we didn't actually get a pop-up box telling us that there

25
00:02:12,140 --> 00:02:15,760
is an XSS in the page, but something went wrong.

26
00:02:15,770 --> 00:02:20,060
As you can see now some of the code is being thrown at the page; this shouldn't be shown in here.

27
00:02:20,090 --> 00:02:24,800
You've seen in the basic case, when you just put a normal name, you don't actually see this code.

28
00:02:24,950 --> 00:02:28,610
So that means something is happening, something is going wrong in this page.

29
00:02:28,610 --> 00:02:30,320
So let's try to inspect the element,

30
00:02:33,350 --> 00:02:38,650
and I'm just going to make this bigger.

31
00:02:38,790 --> 00:02:43,800
Now what I want to focus on is the part of the code that's been thrown in here on the screen, so I'm

32
00:02:43,800 --> 00:02:49,610
going to right-click it and again inspect element, just so that we get navigated automatically to where

33
00:02:49,650 --> 00:02:53,280
that is in the code, and I'm going to go down,

34
00:02:57,880 --> 00:03:00,940
and I can see that this part of the code is being broken.

35
00:03:01,030 --> 00:03:06,860
We usually add the script tags ourselves when we try to inject, like you can see in here.

36
00:03:06,940 --> 00:03:13,570
But what's happening in this page, it's automatically trying to put what we input, our user input, inside

37
00:03:13,570 --> 00:03:16,110
two script tags, this one and this one.

38
00:03:16,120 --> 00:03:18,730
So first of all we know that we don't need these

39
00:03:22,250 --> 00:03:23,940
because they're already there.

40
00:03:25,140 --> 00:03:30,320
Also note that our code is being injected here, so this is my code, script alert XSS.

41
00:03:30,330 --> 00:03:38,720
This is what I entered for the username, and you can see that this is being placed inside single quotation marks.

42
00:03:38,760 --> 00:03:45,050
So in order to exit this quotation mark, I'm going to add one in my exploit.

43
00:03:45,050 --> 00:03:51,230
OK so that's going to close this for me, and then I remove the script, so it's going to become alert XSS,

44
00:03:51,290 --> 00:03:52,520
which looks really good.

45
00:03:52,610 --> 00:03:56,540
And then we have the end of the script here.

46
00:03:56,650 --> 00:04:01,180
So let's have a look again at the code. So you have the first line saying document dot get

47
00:04:01,180 --> 00:04:02,400
element by ID.

48
00:04:02,410 --> 00:04:07,450
Now I actually don't know how to program in JavaScript, so you don't need to be a JavaScript programmer,

49
00:04:07,720 --> 00:04:11,800
but you just need to have like a general idea on how this is going to work.

50
00:04:12,010 --> 00:04:18,100
So we can see that this is the first line of the code, and it's saying this innerHTML is equal

51
00:04:18,100 --> 00:04:21,890
to "this password is" and whatever we input between the two quotes.

52
00:04:21,940 --> 00:04:23,810
So what we did, we closed this.

53
00:04:23,980 --> 00:04:27,310
And then the next line is going to become our alert XSS.

54
00:04:27,580 --> 00:04:32,140
So in JavaScript, to end one line you actually have to add a semicolon.

55
00:04:32,590 --> 00:04:39,130
So we're going to close and add a semicolon in here in our exploit.

56
00:04:39,220 --> 00:04:44,710
And what this will do is it will close the code here and it will execute this as another line, as the

57
00:04:44,710 --> 00:04:48,840
next line, with the semicolon here at the end just in case.

58
00:04:49,410 --> 00:04:51,340
And we're going to copy this.

59
00:04:51,490 --> 00:04:54,150
I'm going to inject it and I'll show you what the code looks like.

60
00:04:54,160 --> 00:04:56,630
After we inject it, it will become even clearer.

61
00:04:57,130 --> 00:04:59,070
So I'm going to inject it here.

62
00:05:02,170 --> 00:05:07,560
Now as you can see there is nothing, but if we click on the generate now, looks like there's something

63
00:05:07,560 --> 00:05:08,160
still wrong.

64
00:05:08,160 --> 00:05:10,470
So we still didn't really inject it properly.

65
00:05:10,500 --> 00:05:11,820
Let's have a look at the code again.

66
00:05:11,820 --> 00:05:20,670
So again right-click, inspect element, and we're going to go down to where the code for the user is, right

67
00:05:20,670 --> 00:05:23,220
here.

68
00:05:23,310 --> 00:05:25,470
And this is what our code looks like now.

69
00:05:25,500 --> 00:05:30,180
So it's saying try, document dot get element by ID.

70
00:05:30,390 --> 00:05:34,200
And this is innerHTML, and this is equal to "this password is for".

71
00:05:34,200 --> 00:05:34,970
We close that.

72
00:05:34,970 --> 00:05:36,200
So that's really good.

73
00:05:36,210 --> 00:05:39,930
We added a semicolon, perfect, and then we said alert XSS.

74
00:05:39,960 --> 00:05:41,560
Very good, semicolon.

75
00:05:41,580 --> 00:05:46,440
Perfect, but then we have this single quote and this semicolon.

76
00:05:46,590 --> 00:05:49,430
And these are coming from the original code.

77
00:05:49,590 --> 00:05:53,130
So these are used to close this statement originally.

78
00:05:53,220 --> 00:05:58,420
So they're actually being hardcoded or inserted by the code in the page.

79
00:05:58,440 --> 00:06:04,080
So all we have to do is do like what we used to do with the SQL injections and just add the comment here

80
00:06:04,290 --> 00:06:08,350
to comment out everything that comes after this so that it doesn't break our code.

81
00:06:08,850 --> 00:06:10,050
So again I'm going to copy this,

82
00:06:12,900 --> 00:06:14,410
paste it in here.

83
00:06:17,650 --> 00:06:23,790
And as you can see now our code runs and we managed to run JavaScript code on the target website.

84
00:06:23,800 --> 00:06:29,710
Now you can share this link with any JavaScript code you want and that will be executed on the target

85
00:06:29,710 --> 00:06:32,100
person, on the person that runs this link.

86
00:06:32,200 --> 00:06:37,810
So you can go ahead and look up any types of code or JavaScript, or you can use BeEF like I'm going

87
00:06:37,810 --> 00:06:40,990
to show you in the next lectures.

88
00:06:41,010 --> 00:06:47,210
So the take-home message from this lecture is the way you exploit vulnerabilities, not only

89
00:06:47,220 --> 00:06:52,890
XSS or SQL injections, any vulnerability is going to vary from website to website, so you have to

90
00:06:52,890 --> 00:06:58,050
always think about it, maybe look at the source code, look at how the data is being transmitted between

91
00:06:58,050 --> 00:07:02,810
the websites, and try to adapt your exploit to that specific web page.