1 00:00:00,930 --> 00:00:06,510 Now, if you remember in the previous lesson, we exploited a SQL injection vulnerability in a search
2 00:00:06,510 --> 00:00:06,870 box.
3 00:00:07,890 --> 00:00:09,000 And the search function.
4 00:00:10,190 --> 00:00:16,670 Basically compares the user's input to the database by using a LIKE statement.
5 00:00:18,560 --> 00:00:22,820 So then we created SQL queries that can work well with the LIKE statement.
6 00:00:23,820 --> 00:00:28,470 So now we're going to do almost the same thing, but this time.
7 00:00:29,640 --> 00:00:38,730 With something different. Let me show you, so go to bWAPP, choose SQL Injection, POST, Select.
8 00:00:39,890 --> 00:00:42,260 So on this page, you select a movie.
9 00:00:43,310 --> 00:00:47,390 And the information about movies will show in the table below.
10 00:00:49,030 --> 00:00:52,930 And to see the HTTP request, enable FoxyProxy.
11 00:00:53,880 --> 00:00:55,140 And select a movie.
12 00:00:56,900 --> 00:00:59,120 And it is a POST request.
13 00:01:00,600 --> 00:01:02,580 And the movie ID is sent to the server.
14 00:01:03,590 --> 00:01:08,750 All right, so nothing else needs to be in the request, just send the request to the Repeater tool
15 00:01:09,410 --> 00:01:10,400 and forward it.
16 00:01:11,950 --> 00:01:16,750 And look at that, see, the information about the movie is in the table here.
17 00:01:17,840 --> 00:01:20,210 Then forward, and intercept off.
18 00:01:21,350 --> 00:01:23,990 Now, before we go any further, let's have a look at the code.
19 00:01:27,150 --> 00:01:32,850 So a function is here to call security checks according to security levels.
20 00:01:33,700 --> 00:01:41,580 OK, we already displayed the functions, so scroll down to see the SQL query, and here's the query.
21 00:01:42,450 --> 00:01:43,830 So it has two parts.
22 00:01:44,370 --> 00:01:48,210 Now, the second part is where user input comes in.
23 00:01:49,170 --> 00:01:51,750 So it takes an exact numeric value.
24 00:01:52,610 --> 00:01:54,740 And then it selects everything about this record.
25 00:01:56,220 --> 00:02:00,840 So we need to write appropriate queries to work with this query.
26 00:02:02,280 --> 00:02:06,990 And then the remaining code will display the output, but now.
27 00:02:07,900 --> 00:02:15,010 Here's a problem: only the first record can be displayed, so in pulling data, we need to be concerned
28 00:02:15,010 --> 00:02:18,250 with this, OK, only the first record can be displayed.
29 00:02:19,270 --> 00:02:19,930 Remember that?
30 00:02:20,650 --> 00:02:23,170 OK, so go back, open Repeater.
31 00:02:24,310 --> 00:02:25,720 Check the main request again.
32 00:02:28,030 --> 00:02:29,440 And it shows the data.
33 00:02:30,670 --> 00:02:31,780 So put a single quote.
34 00:02:33,610 --> 00:02:35,740 And look, we have a syntax error.
35 00:02:36,860 --> 00:02:38,600 So then put another single quote.
36 00:02:40,290 --> 00:02:43,950 And there's the same syntax error, another one.
37 00:02:46,350 --> 00:02:47,460 Syntax error again.
38 00:02:48,870 --> 00:02:51,630 All right, so I'm going to add a different payload.
39 00:02:55,680 --> 00:03:01,620 And this time it works, so I think this movie must be the first record.
40 00:03:03,990 --> 00:03:06,480 So now I'll discover the column numbers.
41 00:03:07,430 --> 00:03:08,330 ORDER BY 1.
42 00:03:11,730 --> 00:03:13,050 The movie name has changed.
43 00:03:14,530 --> 00:03:17,200 That also proves the vulnerability.
44 00:03:18,420 --> 00:03:19,380 Three columns.
45 00:03:21,280 --> 00:03:23,500 No, five columns.
46 00:03:24,830 --> 00:03:25,820 No.
47 00:03:26,300 --> 00:03:26,900 Seven.
48 00:03:29,050 --> 00:03:31,990 No, nine columns.
49 00:03:33,090 --> 00:03:35,910 No, but we do get an error, eight columns.
50 00:03:37,600 --> 00:03:44,470 No, an error again, so the number of columns in the SELECT statement is seven.
51 00:03:46,020 --> 00:03:51,660 Of course, I already know it, but let's have a look at the way that we detected it, so I followed
52 00:03:51,660 --> 00:03:52,260 it this way.
53 00:03:54,790 --> 00:03:58,810 OK, so now write this to discover which columns are displayed.
54 00:04:01,100 --> 00:04:03,560 So except one, all are displayed.
55 00:04:04,640 --> 00:04:06,560 SQL injection is identified.
56 00:04:07,580 --> 00:04:11,250 So we should pull actual data and metadata about the server.
57 00:04:12,500 --> 00:04:17,000 So first let's pull version, user and current database.
58 00:04:19,100 --> 00:04:22,940 We are the root user and use the bWAPP database.
59 00:04:23,940 --> 00:04:33,150 And the version is 5.0.96, and we can also look up vulnerabilities for this version, but
60 00:04:33,150 --> 00:04:35,730 it's not what we're doing right now.
61 00:04:36,710 --> 00:04:41,060 And by the way, you can always change this number, you know, it'll also work.
62 00:04:44,000 --> 00:04:45,980 OK, so get the database names.
63 00:04:48,930 --> 00:04:51,660 And this query only gets the first record.
64 00:04:52,940 --> 00:04:53,960 So we need to change it.
65 00:04:55,020 --> 00:05:01,560 So if you add a LIMIT clause like that, you can pull all the database names in turn.
66 00:05:02,570 --> 00:05:04,820 And this will get information_schema.
67 00:05:07,240 --> 00:05:08,500 So the next one is bWAPP.
68 00:05:09,870 --> 00:05:10,680 Then two.
69 00:05:11,690 --> 00:05:12,680 Then three.
70 00:05:14,500 --> 00:05:15,790 You can also try this one.
71 00:05:18,960 --> 00:05:24,630 All right, so now we have all the database names, so then we can get the table names.
72 00:05:26,030 --> 00:05:28,660 And it will display only the first one as well.
73 00:05:29,810 --> 00:05:34,100 And we can use a LIMIT clause just like that to specify all the tables.
74 00:05:36,090 --> 00:05:38,430 Or this payload to group them.
75 00:05:39,910 --> 00:05:47,650 All tables are in one row now, so to get the tables of the bWAPP database, use this.
76 00:05:49,810 --> 00:05:51,310 Five table names are here.
77 00:05:52,520 --> 00:05:54,320 And then we need the column names.
78 00:05:55,510 --> 00:06:03,730 And this restriction looks familiar, just the first record, so adding the LIMIT clause, we can
79 00:06:03,730 --> 00:06:04,540 pull the columns.
80 00:06:05,930 --> 00:06:12,130 Yeah, but it's not very efficient, is it, especially when you manually exploit the application,
81 00:06:12,230 --> 00:06:17,540 so you use this to get the columns of the movies table.
82 00:06:19,210 --> 00:06:20,080 This one's better.
83 00:06:22,240 --> 00:06:28,800 So now we know the information about the database and tables, so we can pull the actual data.
84 00:06:30,470 --> 00:06:32,480 And this payload can work.
85 00:06:34,240 --> 00:06:38,260 But we need to get over the one-line problem, how are we going to do that?
86 00:06:38,830 --> 00:06:41,110 Well, the LIMIT clause can help us again.
87 00:06:43,430 --> 00:06:47,030 But I know this way is kind of boring and slow, but.
88 00:06:48,110 --> 00:06:50,530 Let's just stop for a second.
89 00:06:51,020 --> 00:06:55,190 It's not an exercise anymore, let's think of it as a very important table.
90 00:06:55,560 --> 00:06:57,920 So it's worth the step-by-step approach.
91 00:06:59,760 --> 00:07:04,410 Of course, you can also write a crazy query like this.
92 00:07:07,060 --> 00:07:11,140 All right, so anyway, all data is grouped into one line.
93 00:07:13,050 --> 00:07:17,430 And due to being able to read and write files from and to the system.
94 00:07:18,530 --> 00:07:20,600 I think you can go ahead and run this payload.
95 00:07:21,760 --> 00:07:24,490 And then this payload will send the result to a file.
96 00:07:25,350 --> 00:07:27,450 And don't worry about the warning, it works.
97 00:07:28,510 --> 00:07:31,960 And with this new payload, you can view that file.
98 00:07:33,610 --> 00:07:36,550 OK, so now it's time to increase our level to medium.
99 00:07:37,920 --> 00:07:45,440 So I'm going to just change this here to one, but this time the query below won't work.
100 00:07:47,040 --> 00:07:52,110 So the problem here is single quotes, the application sanitizes the input.
101 00:07:52,860 --> 00:07:54,420 So that means we need to get rid of them.
102 00:07:55,330 --> 00:08:01,630 But instead of just writing strings in a single quote, I'm going to use the CHAR function with ASCII
103 00:08:01,630 --> 00:08:04,450 values, so let's see how that works.
104 00:08:06,190 --> 00:08:08,110 Just like that in the columns.
105 00:08:10,030 --> 00:08:11,200 They are all here.
106 00:08:13,380 --> 00:08:14,430 And the magic file.
107 00:08:16,000 --> 00:08:21,760 And you know this so well, and the rest is here for you to discover.