1
00:00:00,820 --> 00:00:03,220
Hello, everyone, and welcome to this video.

2
00:00:03,970 --> 00:00:11,110
So in this video, we are going to see one of the SQL injections on a Dutch government website which

3
00:00:11,110 --> 00:00:13,570
has a responsible disclosure policy.

4
00:00:14,380 --> 00:00:14,760
All right.

5
00:00:14,770 --> 00:00:17,680
So first, let's see the target.

6
00:00:17,680 --> 00:00:25,150
And this is a live target, which is Albatros Kamdar, .nl, which is a Netherlands-based web application.

7
00:00:25,200 --> 00:00:25,590
All right.

8
00:00:26,200 --> 00:00:35,710
So in this web application, let's go to one of the functionalities to retrieve a parameter or ID. Before

9
00:00:35,710 --> 00:00:36,060
that,

10
00:00:36,070 --> 00:00:43,630
let's quickly start our Burp Suite as well, because we are going to use it maybe to spider the application

11
00:00:43,630 --> 00:00:48,200
and to identify more endpoints through the application.

12
00:00:48,760 --> 00:00:51,700
So remember, guys, always spider

13
00:00:51,700 --> 00:01:00,730
your application. It gives you an increased scope of URLs that can be used and that can have parameters,

14
00:01:00,940 --> 00:01:08,470
which helps you definitely in the identification of more and more injection points and the identification of

15
00:01:08,470 --> 00:01:09,220
a vulnerability.

16
00:01:09,970 --> 00:01:15,010
So as you can see, I have got this endpoint, which is a GET request.

17
00:01:15,370 --> 00:01:18,610
And I have added this to my scope.

18
00:01:18,760 --> 00:01:27,030
As you can see over here now, I will just wait for Burp for the identification of more and more URLs also,

19
00:01:27,850 --> 00:01:32,860
as I'm on the Burp Suite Community Edition, this is the latest edition of 2020.

20
00:01:32,860 --> 00:01:37,930
And there is a restriction on a lot of features.
21
00:01:37,930 --> 00:01:46,150
But still, this version runs a passive crawler which will crawl all the URLs for me automatically and

22
00:01:46,150 --> 00:01:49,630
which will be visible to you over here, as you can see.

23
00:01:50,140 --> 00:01:56,910
Now, I will just simply double click Params because I want to see the parameter-based assets or URLs

24
00:01:56,920 --> 00:02:01,040
and I'm going to try one or the other.

25
00:02:01,300 --> 00:02:06,940
So let's say we pick up this, which is getdetail.php

26
00:02:07,090 --> 00:02:10,350
?id=10. Perfect.

27
00:02:10,750 --> 00:02:16,310
So let's say, for instance, make it 20 and we are able to get a response.

28
00:02:16,580 --> 00:02:21,000
Now let's click on Render and let's see what we get over here.

29
00:02:21,160 --> 00:02:28,000
And you can see there is a page which gets rendered with the image on id=20.

30
00:02:28,480 --> 00:02:34,210
Let's identify if this is vulnerable and let's give a single quote and hit Send.

31
00:02:35,050 --> 00:02:39,910
Now let's wait for the response and I can see it is still loading.

32
00:02:40,240 --> 00:02:45,390
Let's give it one more try and you can see we got an error actually, OK.

33
00:02:45,560 --> 00:02:51,370
So if you missed it, let's do it again and let's wait for the error to pop up and we will confirm that

34
00:02:51,370 --> 00:02:54,280
there is a vulnerability of SQL injection.

35
00:02:54,280 --> 00:02:54,700
Perfect.

36
00:02:55,090 --> 00:03:03,390
As you can see, we have got an error, which is mysql_num_rows() expects parameter 1 to be resource,

37
00:03:03,700 --> 00:03:04,710
boolean given.

38
00:03:04,720 --> 00:03:05,080
All right.

39
00:03:05,090 --> 00:03:13,330
So we have an error, which means we have identified our injection point and this target is vulnerable

40
00:03:13,330 --> 00:03:15,160
to SQL injection.

41
00:03:15,340 --> 00:03:15,820
Perfect.
42
00:03:16,270 --> 00:03:24,850
Now let's copy the URL of this target and fire up sqlmap, which is going to help us in automating

43
00:03:24,850 --> 00:03:28,240
the exploitation for this application.

44
00:03:28,660 --> 00:03:36,630
So let me just quickly go into the folder of sqlmap and start python sqlmap.py -u. Hyphen

45
00:03:36,640 --> 00:03:36,820
u

46
00:03:36,820 --> 00:03:42,070
stands for the target URL, but you need to give it in double quotes.

47
00:03:42,250 --> 00:03:49,270
And I'm going to add the custom injection point where id equals to with the help of a star, and write

48
00:03:49,270 --> 00:03:52,450
--batch --banner.

49
00:03:52,870 --> 00:04:00,430
Which means I want to run all the tasks or requests or take the decisions by sqlmap, and banner means

50
00:04:00,790 --> 00:04:06,560
that I want to do banner grabbing and identify the technology and the database version.

51
00:04:07,780 --> 00:04:15,310
You just need to hit Enter and it will start the scanning and exploitation on that specific target.

52
00:04:15,790 --> 00:04:22,290
It will do some of the tests to identify and do a banner grab on that specific target, and let's see.

53
00:04:23,180 --> 00:04:31,580
And let's see what is the output of this, so let's wait and see if we get something.

54
00:04:31,590 --> 00:04:37,120
And you can see we have already got a message here, which is: URL parameter

55
00:04:37,130 --> 00:04:45,260
'id' is 'MySQL >= 5.0 OR error-based', which means there is an error-based vulnerability.

56
00:04:45,260 --> 00:04:50,530
And we know that we gave a single quote at id=20 and we got the error.

57
00:04:50,690 --> 00:04:54,080
And this is actually the same thing that sqlmap is telling us.

58
00:04:54,290 --> 00:04:54,740
Perfect.

59
00:04:56,000 --> 00:04:58,440
So I will just skip this a little bit.
60
00:04:58,460 --> 00:05:05,900
So let's go to where it identifies something sensitive from the server.

61
00:05:05,900 --> 00:05:14,930
And you can see it has identified that the target URL appears to have 17 columns in the query.

62
00:05:15,590 --> 00:05:16,820
All right, let's wait for this.

63
00:05:16,820 --> 00:05:19,460
And yeah, it has successfully completed.

64
00:05:19,940 --> 00:05:23,360
And you can see the web server operating system is Linux.

65
00:05:23,750 --> 00:05:28,200
The web application technology is Nginx or Plesk.

66
00:05:28,220 --> 00:05:33,950
And you can see the back-end DBMS is MySQL >= 5.0.

67
00:05:34,700 --> 00:05:35,130
Perfect.

68
00:05:35,630 --> 00:05:43,460
So we have identified a lot of information about the target from here and now it's time to exploit it

69
00:05:43,730 --> 00:05:47,960
and get more sensitive information, which is

70
00:05:49,180 --> 00:05:56,010
the database names. So now we have one of the payloads, which is boolean-based blind, and you can see

71
00:05:56,020 --> 00:06:03,170
it here, so I'm just going to copy this into my browser and see what we get.

72
00:06:03,430 --> 00:06:04,720
And you can see.

73
00:06:05,960 --> 00:06:13,760
Let's understand the payload quickly, but you can see that it is AND and a true condition, which is

74
00:06:13,760 --> 00:06:16,280
6219=6219.

75
00:06:16,880 --> 00:06:20,860
And when I load this, you can see the application is behaving properly.

76
00:06:21,230 --> 00:06:26,180
But when I make this condition false, the application does not give anything.

77
00:06:26,780 --> 00:06:29,900
As you can see, there is a change in the behavior.

78
00:06:30,080 --> 00:06:37,100
When I make it equal again, as you can see, it again loads the application, so we can see that the

79
00:06:37,100 --> 00:06:38,630
payload is working over there.

80
00:06:39,410 --> 00:06:41,500
Similarly, we have more other queries.
81
00:06:42,170 --> 00:06:44,960
Now we are going to exploit the database.

82
00:06:44,960 --> 00:06:48,020
That is, we want to know the names of the databases.

83
00:06:48,350 --> 00:06:52,480
And for that we know that we need to type --dbs.

84
00:06:53,120 --> 00:06:55,490
So I will just type that and hit Enter.

85
00:06:55,670 --> 00:07:00,160
And you can see we have identified that in total two databases are there.

86
00:07:00,650 --> 00:07:05,110
The first one is Albatros and the second one is information_schema.

87
00:07:05,480 --> 00:07:08,750
So I'm much more interested in the first database.

88
00:07:11,890 --> 00:07:18,640
So I'm going to write -D (capital D) and the name of the database, and we want all the tables from

89
00:07:18,640 --> 00:07:18,870
it.

90
00:07:22,580 --> 00:07:29,400
Now, as you can see, it has started fetching the tables for the database Albatros, and you can see

91
00:07:29,400 --> 00:07:38,700
it has retrieved the first one, which is image description, link table, project backup, new site projects,

92
00:07:39,400 --> 00:07:45,350
projects, projects backup, old site projects modified from old site, and text, etc.

93
00:07:46,190 --> 00:07:52,900
Now we have the database as well as the names of the tables.

94
00:07:53,150 --> 00:07:57,110
So let's do one thing and let's go into one of the tables.

95
00:07:57,620 --> 00:08:05,450
So let's see the interesting one, which looks like projects, and see what are the columns in this

96
00:08:06,260 --> 00:08:07,990
table, which is projects.

97
00:08:08,450 --> 00:08:16,210
So for that you need to type -T, the table, and --columns and just hit Enter.

98
00:08:16,640 --> 00:08:24,080
Let's wait for this to complete and you will get the results, in which sqlmap will identify

99
00:08:24,440 --> 00:08:27,510
the number of columns in the target.
100
00:08:30,760 --> 00:08:38,590
And you can see it has started fetching the columns for projects and you can see it is id, title, is

101
00:08:38,590 --> 00:08:42,460
project, publish, description, ordering.

102
00:08:42,700 --> 00:08:43,220
Perfect.

103
00:08:43,240 --> 00:08:49,840
So we have also identified the columns now and you can see it is still retrieving more and more.

104
00:08:50,680 --> 00:08:51,160
Now.

105
00:08:52,410 --> 00:08:59,040
While I was reporting this to the organization or to the Dutch government, I did not try to

106
00:08:59,040 --> 00:08:59,930
dump the data.

107
00:08:59,940 --> 00:09:05,490
So in this proof of concept, I'm not going to dump any data from the target web application.

108
00:09:05,790 --> 00:09:12,630
And I'm just going to send a screenshot of the database names and the table names, which is more than

109
00:09:12,630 --> 00:09:20,670
sufficient for the target organization to prove the vulnerability exists in their web application.

110
00:09:21,120 --> 00:09:27,450
Remember, I have already expressed that you should not dump any sensitive data or information from the

111
00:09:27,450 --> 00:09:33,990
target application; identification of database names or table names is more than enough to prove this

112
00:09:33,990 --> 00:09:34,810
vulnerability.

113
00:09:35,460 --> 00:09:38,070
So I hope you guys understand how you can do this.

114
00:09:39,040 --> 00:09:39,550
Thank you.