1
00:00:12,310 --> 00:00:14,930
Hey, guys, welcome back to another episode on How to Hack.

2
00:00:15,550 --> 00:00:21,790
So over here we have Mutillidae running, and Mutillidae is a vulnerable web application platform

3
00:00:21,790 --> 00:00:24,330
that we can perform all penetration testing on.

4
00:00:24,340 --> 00:00:29,340
So wonderful platform for us to learn all about web application penetration testing.

5
00:00:29,350 --> 00:00:34,930
And on the left side, we have OWASP, the Open Web Application Security Project, and we have 2017,

6
00:00:34,930 --> 00:00:37,660
2013, 2010 and 2007.

7
00:00:37,690 --> 00:00:44,350
So wonderful way for us to learn the history about all these vulnerabilities and how we could possibly

8
00:00:44,350 --> 00:00:49,160
exploit them, the evolution of all these security vulnerabilities as well.

9
00:00:49,510 --> 00:00:56,210
So if I go under the left side of OWASP 2017, A1 Injection, SQLi, which stands for

10
00:00:56,210 --> 00:01:00,640
SQL injection, and we can click onto the first, User Info (SQL).

11
00:01:00,790 --> 00:01:01,050
All right.

12
00:01:01,060 --> 00:01:04,960
So over here we need a username and password to view account details.

13
00:01:05,470 --> 00:01:10,150
So right now we don't really have a user account being registered or created.

14
00:01:10,570 --> 00:01:10,840
All right.

15
00:01:10,850 --> 00:01:14,850
So if I enter some name and password, likely not be able to authenticate.

16
00:01:14,860 --> 00:01:17,060
So we need some kind of a translation mechanism.

17
00:01:17,560 --> 00:01:22,540
So the first thing that we can do is always to enter the following, which is to check,

18
00:01:22,900 --> 00:01:23,160
all right,

19
00:01:23,200 --> 00:01:27,640
whether the login or input form is susceptible to a

20
00:01:28,710 --> 00:01:33,720
single quote here. So go ahead and click on view account details and immediately we see the following

21
00:01:33,720 --> 00:01:36,020
result of feedback coming from the database system.

22
00:01:36,450 --> 00:01:39,090
And in this case, it has the MySQL handler.

23
00:01:40,110 --> 00:01:40,470
All right.

24
00:01:40,470 --> 00:01:42,820
And it provides us some error messages.

25
00:01:42,870 --> 00:01:45,120
So in this case, we have the following.

26
00:01:45,330 --> 00:01:52,120
So we have "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version

27
00:01:52,200 --> 00:01:54,600
for the right syntax to use near", etc.

28
00:01:54,600 --> 00:01:58,400
And we have the query, and it even provides us the full query.

29
00:01:58,410 --> 00:02:03,980
So if you think back about defense, we have to make sure that whenever there are such error messages,

30
00:02:03,990 --> 00:02:11,010
OK, all these error messages are only accessible to internal employees like the administrator, the

31
00:02:11,010 --> 00:02:11,910
web admin.

32
00:02:11,910 --> 00:02:12,240
All right.

33
00:02:12,390 --> 00:02:20,690
Rather than being displayed outright here, where anyone could actually see the results of those inputs.

34
00:02:20,910 --> 00:02:25,470
So from the following technique, they'll be able to pick up all these error messages that could help

35
00:02:25,710 --> 00:02:32,520
aid hackers to perform more precise attacks using very specific payloads.

36
00:02:32,580 --> 00:02:38,070
So in this case, we have the query and it states the following: select all from accounts where username and

37
00:02:38,070 --> 00:02:38,900
password equal.

38
00:02:38,910 --> 00:02:41,220
So right here, this over here,

39
00:02:41,640 --> 00:02:41,940
all right,

40
00:02:42,060 --> 00:02:44,320
I've highlighted, is where our payload went in.

41
00:02:44,600 --> 00:02:47,940
OK, so right here, the payload actually went in.

42
00:02:47,970 --> 00:02:51,170
And this is the whole structure of the syntax.

43
00:02:51,420 --> 00:02:54,500
So what we can do next is to enter the following.

44
00:02:54,790 --> 00:02:57,390
So I can do single quote, all right,

45
00:02:57,390 --> 00:03:04,080
or one equal one, and I can copy the following and paste it into the password and go ahead and click

46
00:03:04,080 --> 00:03:05,810
on view account details.

47
00:03:05,880 --> 00:03:06,120
All right.

48
00:03:06,120 --> 00:03:08,250
So what exactly are we trying to do here?

49
00:03:08,580 --> 00:03:11,730
We've been following the following payload, before I show the results.

50
00:03:12,240 --> 00:03:18,900
What we are trying to do here is to close the first part, which is the username, and or one equal one.

51
00:03:19,170 --> 00:03:23,610
So anything or one equal one is always true, because one is always equal to one.

52
00:03:23,640 --> 00:03:29,280
As a result of that, we are able to run the query as intended.

53
00:03:29,310 --> 00:03:32,940
OK, so next is also to do the same for the password field.

54
00:03:33,510 --> 00:03:39,140
So again, if we paste it, you click view account details, and when we scroll down, immediately it pulls out

55
00:03:39,180 --> 00:03:42,600
all those information directly from the database.

56
00:03:42,600 --> 00:03:45,600
So you have your username, you have your password, signature.

57
00:03:45,600 --> 00:03:47,470
So you got all these usernames and passwords.

58
00:03:47,490 --> 00:03:53,610
Now we can use them to actually log into the web application server to run some attacks or further attacks

59
00:03:53,850 --> 00:03:56,720
using other people's credentials and accounts.

60
00:03:56,910 --> 00:03:59,170
So that's exactly how these hackers could do it.

61
00:03:59,580 --> 00:04:01,830
So right here, we can toggle the security level.

62
00:04:01,830 --> 00:04:06,170
And I'm going to toggle this to security level one, which is client-side security.

63
00:04:06,570 --> 00:04:12,750
So going back to OWASP 2017, A1 SQL Injection, Extract Data, click on User Info

64
00:04:12,750 --> 00:04:13,190
(SQL).

65
00:04:13,530 --> 00:04:14,540
So we're back here again.

66
00:04:14,970 --> 00:04:21,930
And if I enter the following payload and I click view account details, immediately we get stopped by JavaScript,

67
00:04:22,110 --> 00:04:25,400
which states the following: dangerous characters detected.

68
00:04:25,410 --> 00:04:30,250
We can't allow these; the filtering cannot be defeated.

69
00:04:30,630 --> 00:04:36,060
So as a result of this, whenever you have any of these special characters, it gets checked at a browser

70
00:04:36,060 --> 00:04:39,720
level on the JavaScript that has been downloaded into your browser.

71
00:04:40,020 --> 00:04:45,810
It checks the payload before it is given the opportunity to be sent into the web application server.

72
00:04:46,470 --> 00:04:49,160
So what we can do is go to the top right corner.

73
00:04:49,320 --> 00:04:56,250
All right, click onto the preferences tab, and then scroll all the way down and click under network

74
00:04:56,250 --> 00:05:00,340
settings and click under manual proxy configuration.

75
00:05:00,360 --> 00:05:05,970
So this will be the proxy where you're running Burp Suite, OWASP ZAP, or any of your own proxy

76
00:05:05,970 --> 00:05:11,130
that you want to intercept the payload before we send it over to the web application server.

77
00:05:11,190 --> 00:05:16,770
So in my case, I'm going to enter 127.0.0.1 followed by the port 8080.

78
00:05:16,770 --> 00:05:19,500
So click OK on this, open up terminal.

79
00:05:20,430 --> 00:05:22,440
And what I can do is go ahead and enter burpsuite.

80
00:05:23,260 --> 00:05:23,610
All right.

81
00:05:23,610 --> 00:05:24,610
And hit enter on this.

82
00:05:24,630 --> 00:05:27,420
So this will begin the community edition.

83
00:05:28,380 --> 00:05:30,170
So go ahead and select temporary project.

84
00:05:30,540 --> 00:05:34,310
OK, click next, use Burp defaults, start Burp.

85
00:05:36,330 --> 00:05:40,080
So we have here the proxy that has the intercept on.

86
00:05:40,080 --> 00:05:47,700
So I can go back to Firefox, go back to the browser, and right here I'm going to enter the name, for example

87
00:05:47,700 --> 00:05:51,840
test, as well as the password test, and go in and click on view account

88
00:05:51,840 --> 00:05:57,180
details. So Burp Suite is now intercepting all connections from the browser to the web application

89
00:05:57,180 --> 00:05:57,520
server.

90
00:05:58,050 --> 00:06:05,460
So in this case, you can do a right click and send to repeater, and your repeater tab on Burp Suite will

91
00:06:05,460 --> 00:06:08,640
be blinking in orange, and you can see the following information.

92
00:06:08,650 --> 00:06:08,790
Right.

93
00:06:08,830 --> 00:06:12,450
So we have the username as well as the password right here.

94
00:06:12,660 --> 00:06:14,880
OK, so we have the test as well as test.

95
00:06:15,300 --> 00:06:18,610
So what we can do next is to actually look back into the payload.

96
00:06:19,020 --> 00:06:25,080
So I have the payload right here that we need to send over into the web application server, so we can

97
00:06:25,080 --> 00:06:27,090
send it directly from Burp Suite.

98
00:06:27,660 --> 00:06:28,050
So I can

99
00:06:28,300 --> 00:06:33,600
paste the information here, all right, to the username as well as to the password field, OK?

100
00:06:36,910 --> 00:06:42,460
And when you click send, you notice we get an error, so it's 400 Bad Request, because there

101
00:06:42,460 --> 00:06:46,830
are payloads with single quotes, so it kind of messes up the URL information.

102
00:06:47,080 --> 00:06:54,210
So what we need to do instead is to go under the decoder tab, paste the information right here.

103
00:06:54,700 --> 00:07:01,180
OK, and we can look at the following, so we can encode as URL and we'll get the following information,

104
00:07:01,420 --> 00:07:08,350
so I can copy now. Now that we have the URL encoding, copy the information, go back to repeater.

105
00:07:08,500 --> 00:07:12,700
And in this case what we are going to do is to remove the previously used payload.

106
00:07:17,880 --> 00:07:23,820
And we replace it with the new payload from the URL encoding, so paste it likewise for the username,

107
00:07:23,820 --> 00:07:24,480
paste it for the password.

108
00:07:25,470 --> 00:07:25,920
All right.

109
00:07:26,280 --> 00:07:27,720
And go ahead and click send.

110
00:07:28,710 --> 00:07:31,050
So once you click send, you can scroll all the way down.

111
00:07:31,290 --> 00:07:37,890
So this is the part where we're able now to retrieve a proper response from the web application server.

112
00:07:58,360 --> 00:08:04,030
OK, so right here we have the results and we have the following information: twenty-three records

113
00:08:04,030 --> 00:08:08,440
found, and we have the username admin, we have the password adminpass.

114
00:08:08,860 --> 00:08:14,290
We have all these different details right now of the username, as well as the password, that we can use

115
00:08:14,290 --> 00:08:17,560
to help log in and access into the web application server.

116
00:08:18,160 --> 00:08:22,780
So right here we have security level five as part of SQL injection under user lookup.

117
00:08:23,380 --> 00:08:28,720
So over here, what we have done is you can actually go under preferences and you can click on the network

118
00:08:28,720 --> 00:08:32,020
settings and you can set the manual proxy configuration.

119
00:08:32,020 --> 00:08:32,950
Click OK on that.

120
00:08:33,730 --> 00:08:39,550
So what we need to do is to be able to intercept the traffic that is going to be sent over from the browser

121
00:08:39,550 --> 00:08:42,370
into the web application server.

122
00:08:42,370 --> 00:08:43,840
Click view account details.

123
00:08:43,870 --> 00:08:44,130
All right.

124
00:08:44,170 --> 00:08:50,830
And we have it here, so I can go on the proxy and I can actually do a right click on this and I can send

125
00:08:50,980 --> 00:08:51,970
to repeater.

126
00:08:52,150 --> 00:08:53,380
OK, so on the repeater.

127
00:08:53,620 --> 00:08:58,870
So we have all this information, like the username, the password, that we will be fuzzing, so you can

128
00:08:58,870 --> 00:08:59,320
do a right

129
00:08:59,320 --> 00:09:05,050
click and send it over into intruder, so you can see the intruder tab running over here.

130
00:09:05,230 --> 00:09:10,540
And we can look at the positions that we want to highlight on, so we can clear any information.

131
00:09:11,050 --> 00:09:13,490
We can reuse the same session ID.

132
00:09:13,900 --> 00:09:14,290
All right.

133
00:09:14,290 --> 00:09:19,760
And we can have the user info dash submit button to be cleared as well.

134
00:09:19,780 --> 00:09:21,400
So we have the fields that

135
00:09:21,400 --> 00:09:23,540
we'll be testing our payloads on.

136
00:09:24,100 --> 00:09:27,490
And of course, if you click on the payloads, we can load the payload.

137
00:09:27,700 --> 00:09:34,420
So if you go under this particular folder, under usr, share, wordlists, wfuzz, under injections.

138
00:09:34,750 --> 00:09:36,250
So we have SQL injection.

139
00:09:36,280 --> 00:09:42,000
So go in and enter that, and it will list out all the payloads that we can utilize as part of the attack.

140
00:09:42,040 --> 00:09:47,350
So that can be a lot, a lot more kinds of payloads that we can inject into the system.

141
00:09:47,770 --> 00:09:48,070
All right.

142
00:09:48,080 --> 00:09:54,340
So once you have all these details in place, all you can do is check on the options and you can go ahead

143
00:09:54,340 --> 00:09:55,810
and click start attack.

144
00:09:56,650 --> 00:10:02,800
So once you click OK on this, this will be sending all the payloads into the web application server.

145
00:10:02,830 --> 00:10:05,890
So in this case, we have multiple responses.

146
00:10:06,100 --> 00:10:06,510
All right.

147
00:10:06,850 --> 00:10:15,190
And of course, on level five, what it does is that it is a server-side, server-side check validation.

148
00:10:15,190 --> 00:10:22,000
So as you send those payloads, the server side would actually be validating what kind of payload you're

149
00:10:22,000 --> 00:10:29,380
sending into it and ascertain that you are sending an approved list of payloads, or depending on what

150
00:10:29,380 --> 00:10:34,690
kind of filtering technology they're using, what kind of ways they're utilizing to actually stop those

151
00:10:34,690 --> 00:10:36,150
potential malicious payloads.

152
00:10:36,850 --> 00:10:40,890
So I'm going to pause the intruder attack right here, OK?

153
00:10:41,200 --> 00:10:45,520
And I want to highlight what we can utilize, which is sqlmap, to help us run the attack.

154
00:10:46,090 --> 00:10:54,910
So sqlmap is another form of a SQL injection, or an automated SQL injection, that can help us pass

155
00:10:54,910 --> 00:10:59,680
all those different payloads against the web application server as well as the database, so that we can

156
00:10:59,680 --> 00:11:02,170
ultimately retrieve those data and information.

157
00:11:02,710 --> 00:11:08,560
So I have the instruction right here, so I'm going to copy this whole list of command instructions

158
00:11:08,570 --> 00:11:16,360
we can send, open up a new terminal, and I can paste the instruction here, so I can go ahead and enter

159
00:11:16,360 --> 00:11:18,400
sqlmap, so I already have it.

160
00:11:19,330 --> 00:11:20,830
So we have the IP address.

161
00:11:21,010 --> 00:11:23,110
We have the link.

162
00:11:23,110 --> 00:11:23,500
All right.

163
00:11:23,620 --> 00:11:30,700
index, and use the dash infl, and we have the username and password field, and go ahead and hit enter

164
00:11:30,700 --> 00:11:31,180
on this.

165
00:11:31,460 --> 00:11:31,870
All right.

166
00:11:32,230 --> 00:11:32,950
And right here.

167
00:11:33,200 --> 00:11:33,540
All right.

168
00:11:33,540 --> 00:11:34,180
It starts to follow:

169
00:11:34,180 --> 00:11:36,510
you have not yet declared cookies.

170
00:11:36,520 --> 00:11:36,700
All right.

171
00:11:36,730 --> 00:11:38,080
So we can use a new cookie.

172
00:11:38,350 --> 00:11:38,830
Yes.

173
00:11:39,400 --> 00:11:42,160
And of course, right here we can look at these results.

174
00:11:42,970 --> 00:11:47,080
So over here we have the following information; it states the following.

175
00:11:47,620 --> 00:11:50,450
It is subjected to a time-based.

176
00:11:51,280 --> 00:11:56,050
OK, so it is a blind SQL injection, meaning that when we send the payload into the system,

177
00:11:56,260 --> 00:11:58,630
we are not sure what kind of response is coming back.

178
00:11:58,810 --> 00:12:05,140
So what we can do in those boolean-based attacks is that we can do a sleep and wait, OK, so we can

179
00:12:05,140 --> 00:12:09,560
wait for the response to come back again, or wait for some of the instructions to go through.

180
00:12:09,580 --> 00:12:15,280
So if the web server is waiting for, say, five seconds, and five seconds later it then reloads the

181
00:12:15,280 --> 00:12:21,180
page, that will be an indicator that the SQL injection works for this particular type of payload.

182
00:12:21,850 --> 00:12:23,670
And in this case, we have the following payload.

183
00:12:23,680 --> 00:12:27,220
So we have the user info and username.

184
00:12:27,580 --> 00:12:32,530
So we have a single quote and select 9408 from select sleep five.

185
00:12:32,560 --> 00:12:33,000
All right.

186
00:12:33,010 --> 00:12:34,600
And an alias.

187
00:12:34,930 --> 00:12:35,360
All right.

188
00:12:35,380 --> 00:12:36,450
And likewise the password field.

189
00:12:36,490 --> 00:12:40,350
So this helps us gain access to the system. The second one

190
00:12:40,360 --> 00:12:42,580
that works is a union query.

191
00:12:42,940 --> 00:12:44,150
So union query right here.

192
00:12:44,440 --> 00:12:52,030
So username union all select null and concat, and we have all the payload right here, and again right

193
00:12:52,030 --> 00:12:52,300
here.

194
00:12:52,330 --> 00:12:57,450
Allows us again the ability to actually access into the database altogether,

195
00:12:57,690 --> 00:13:02,640
helping us retrieve all of the database names out of the database platform.

196
00:13:02,700 --> 00:13:05,970
All right, so once again, I hope you've learned something valuable in today's tutorial.

197
00:13:06,270 --> 00:13:10,350
And if you have any questions, before you leave, leave a comment below and I'll try my best to answer all of your

198
00:13:10,350 --> 00:13:15,600
questions, and feel free to subscribe to the channel so that you can be kept abreast of the latest cybersecurity.

199
00:13:16,110 --> 00:13:17,640
Thank you so much once again for watching.