1
00:00:02,500 --> 00:00:08,080
OK, so another type of directory traversal allows us to read the content of any file.

2
00:00:09,190 --> 00:00:13,450
So for these kinds of bugs, we need to climb and traverse between folders again.

3
00:00:14,170 --> 00:00:17,110
So we'll go to Kali and log in to bWAPP.

4
00:00:18,100 --> 00:00:20,950
Open Directory Traversal - Files from the menu above.

5
00:00:24,210 --> 00:00:25,590
And here's a sample page.

6
00:00:26,610 --> 00:00:31,020
As you can see, there's nothing on the page itself.

7
00:00:32,480 --> 00:00:36,020
So this means that you've got to pay attention

8
00:00:37,270 --> 00:00:39,790
to the URL, just like in the previous lesson.

9
00:00:41,350 --> 00:00:46,510
Now, it's easy to guess that this time the application displays the content of the file passed in the page

10
00:00:46,510 --> 00:00:47,440
parameter, right?

11
00:00:48,310 --> 00:00:52,870
And call the magic file, /etc/passwd.

12
00:00:55,520 --> 00:00:59,780
And here's the content of the file. See how perfect this is?

13
00:01:01,210 --> 00:01:04,450
So now we can try to climb to reach that same file.

14
00:01:05,550 --> 00:01:06,870
Climb up one more level.

15
00:01:08,100 --> 00:01:14,550
Now, then climb up more again, no, and climb up one more level.

16
00:01:16,210 --> 00:01:17,380
Oh, there it is.

17
00:01:18,700 --> 00:01:24,970
So for this kind of traversal attack, we can use a tool called dotdotpwn.

18
00:01:26,910 --> 00:01:32,370
Now, it's very easy to use, but first we do need to capture the request.

19
00:01:33,550 --> 00:01:35,050
So enable FoxyProxy.

20
00:01:35,980 --> 00:01:38,530
Then open Burp in interception mode.

21
00:01:40,140 --> 00:01:42,900
I'm just going to rearrange the screens a little bit for you.

22
00:01:44,370 --> 00:01:46,200
OK, so now refresh the page.

23
00:01:47,530 --> 00:01:49,300
And here is the request in Burp.

24
00:01:51,720 --> 00:01:55,530
So now I'm going to change here to the string TRAVERSAL.

25
00:01:57,870 --> 00:02:00,120
And copy this request to a file.

26
00:02:02,140 --> 00:02:06,490
And let's call it DTT and save.

27
00:02:08,570 --> 00:02:09,350
OK, good.

28
00:02:09,380 --> 00:02:16,580
So now go to your terminal, simply type dotdotpwn, and we'll look at the options.

29
00:02:17,870 --> 00:02:23,240
And the options are very clear, so let's run dotdotpwn against bWAPP.

30
00:02:24,490 --> 00:02:28,450
Type dotdotpwn -m payload.

31
00:02:29,340 --> 00:02:32,700
So the -m parameter is used to specify the module.

32
00:02:33,970 --> 00:02:38,080
Now, because we're going to use the Burp output, we should choose this module.

33
00:02:39,600 --> 00:02:43,320
And then -h for the name of the host.

34
00:02:46,500 --> 00:02:49,890
And -p for the Burp output file.

35
00:02:51,540 --> 00:02:58,920
-o unix: you can use this parameter if you know the target operating system. It's not necessarily

36
00:02:58,920 --> 00:03:09,120
necessary. And -f /etc/passwd, so you can look for a specific file on the target file system.

37
00:03:09,730 --> 00:03:11,550
As I told you earlier, I like the passwd file.

38
00:03:13,650 --> 00:03:16,860
-d 3 to specify the depth of the payload.

39
00:03:17,930 --> 00:03:21,740
And -x 80, and that specifies the port number.

40
00:03:23,310 --> 00:03:28,260
So finally -b to quit after the first vulnerability is found.

41
00:03:29,970 --> 00:03:31,380
OK, so now we can hit enter.

42
00:03:32,450 --> 00:03:33,680
Oh, dear.

43
00:03:33,710 --> 00:03:34,550
Something went wrong.

44
00:03:35,180 --> 00:03:36,800
Let me just have a look quickly.

45
00:03:37,750 --> 00:03:44,230
And OK, yeah, so I forgot to add a parameter, the parameter -k, so add -k root

46
00:03:46,570 --> 00:03:51,740
to make the tool understand if it is able to read the file content or not.

47
00:03:52,690 --> 00:03:54,220
OK, then go.

48
00:03:57,780 --> 00:03:59,850
And it discovered the traversal.

49
00:04:00,950 --> 00:04:05,510
And as you can see, it detects it the same way we did: three consecutive climbs.

50
00:04:07,890 --> 00:04:10,700
Now I'm going to exclude the parameter -b.

51
00:04:12,490 --> 00:04:15,880
So this time it's going to discover as many payloads as it can.

52
00:04:19,750 --> 00:04:22,690
All right, so it finds three different versions of the payload.

53
00:04:24,900 --> 00:04:27,330
OK, so then go to the web browser again.

54
00:04:29,130 --> 00:04:30,660
Disable FoxyProxy.

55
00:04:32,020 --> 00:04:33,640
And now change it to medium level.

56
00:04:37,250 --> 00:04:40,430
So I'm going to add the path that we used before.

57
00:04:41,510 --> 00:04:42,820
OK, so it doesn't work.

58
00:04:44,510 --> 00:04:47,420
OK, so I can delete the first two placeholders.

59
00:04:48,300 --> 00:04:50,210
And it works pretty well, huh?

60
00:04:51,440 --> 00:04:52,850
And for the last level,

61
00:04:54,340 --> 00:04:55,870
I will add the same payload.

62
00:04:57,080 --> 00:04:57,850
And it doesn't work.

63
00:04:59,520 --> 00:05:01,930
OK, so to be honest, I was waiting for this result.

64
00:05:01,950 --> 00:05:02,990
I'm not surprised.

65
00:05:04,640 --> 00:05:11,600
But I set it up on purpose, obviously, because I want to show you another trick to use here.

66
00:05:12,800 --> 00:05:14,450
The file protocol.

67
00:05:15,590 --> 00:05:25,490
So type file:///etc/passwd, and there you have it.

68
00:05:26,650 --> 00:05:34,810
OK, so I want to show you the vulnerable code as well, but it really isn't actually very different

69
00:05:34,810 --> 00:05:36,950
from the first one, so I'm going to leave it for you to look at.

70
00:05:37,210 --> 00:05:37,630
All right.

71
00:05:39,590 --> 00:05:40,070
Good job.