1
00:00:00,980 --> 00:00:05,510
While testing, it is very important to look at all input fields.

2
00:00:06,540 --> 00:00:10,050
And when you find an input field, you will try your payloads.

3
00:00:11,180 --> 00:00:14,370
But you probably won't get SQL errors.

4
00:00:16,230 --> 00:00:20,340
Then you might think, well, then that means there's no SQL injection here.

5
00:00:21,540 --> 00:00:31,440
So actually, yeah, it's possible, because web applications can send generic errors, right, so you

6
00:00:31,440 --> 00:00:35,120
may get confused to see whether your SQL is valid or not.

7
00:00:37,220 --> 00:00:38,030
Let me show you something.

8
00:00:38,780 --> 00:00:42,950
So now go to Kali and log in to bWAPP.

9
00:00:45,110 --> 00:00:49,220
And we're going to look at another SQL injection type.

10
00:00:50,910 --> 00:00:54,870
So from the menu, choose SQL Injection - Blind - Boolean-Based.

11
00:00:56,440 --> 00:00:58,420
And it's a simple search box.

12
00:01:00,140 --> 00:01:06,170
Now, if you look for a movie in the database, you will get a positive result.

13
00:01:07,440 --> 00:01:11,000
And if the movie's not in the database, then you'll get this negative message.

14
00:01:12,850 --> 00:01:20,140
And if you try something to break the SQL syntax or to cause an injection, OK, then you'll get

15
00:01:20,140 --> 00:01:22,160
this generic error.

16
00:01:22,600 --> 00:01:23,410
So, at this point.

17
00:01:24,570 --> 00:01:27,450
What do we do? We've got nothing left, right?

18
00:01:28,540 --> 00:01:32,080
OK, I mean, I turn to you, you know. I'm just kidding.

19
00:01:33,780 --> 00:01:39,660
But in the real world, for instance, you will get a 404 page in this situation.

20
00:01:41,100 --> 00:01:43,120
But you and me now, we're not going to give up, are we?

21
00:01:43,440 --> 00:01:44,100
So what do we do?

22
00:01:44,480 --> 00:01:47,520
Oh, let's go and open a terminal and let's have a look at the code.

23
00:01:51,720 --> 00:01:55,770
Now, we always see these checks, so scroll down.

24
00:01:58,980 --> 00:02:04,470
And so here's the part that I want to show you: here is the SQL query.

25
00:02:05,900 --> 00:02:12,500
So see how it uses the title parameter coming from the user, then the query executes.

26
00:02:13,560 --> 00:02:19,020
And if there is an execution error, it will print an "incorrect syntax" error.

27
00:02:20,590 --> 00:02:25,660
But then if there is none, it looks at the recordset to see whether it's empty or not.

28
00:02:26,900 --> 00:02:33,860
So if it's not empty, this means that the movie exists; if it is empty, the movie doesn't exist in

29
00:02:33,860 --> 00:02:34,550
the database.

30
00:02:35,010 --> 00:02:37,940
OK, so let's go back to Firefox.

31
00:02:39,440 --> 00:02:45,770
Now we're going to blindly try our payloads to verify if there is an actual injection.

32
00:02:47,500 --> 00:02:50,350
Now, I said blindly, but logically.

33
00:02:51,560 --> 00:02:53,330
Write this one to test.

34
00:02:55,070 --> 00:02:58,250
And it breaks the syntax, but we don't know how.

35
00:02:59,770 --> 00:03:00,990
So now try this one.

36
00:03:03,350 --> 00:03:07,210
Now, I think it should work, but we do get a negative result.

37
00:03:08,410 --> 00:03:09,430
So now try this one.

38
00:03:14,000 --> 00:03:17,860
And once again, I think it works, and we get a positive message.

39
00:03:17,900 --> 00:03:22,760
So now change 1 to 2 and try.

40
00:03:24,400 --> 00:03:28,870
It works, but a negative result appears.

41
00:03:30,760 --> 00:03:35,410
OK, so we can understand if our payload executes or not.

42
00:03:36,890 --> 00:03:41,900
And also, we can pull data by checking the execution result, whether it's positive or negative.

43
00:03:43,780 --> 00:03:45,720
So now I'm going to add something here.

44
00:03:47,290 --> 00:03:53,080
The first part of the payload before AND is always true, right?

45
00:03:54,390 --> 00:04:01,620
And MySQL will check if the second part after AND is true or not.

46
00:04:02,830 --> 00:04:06,730
And then that way we can learn the length of the current database name.

47
00:04:08,770 --> 00:04:11,380
Negative, the length is not 1.

48
00:04:12,520 --> 00:04:17,950
So change 1 to 5. Positive, the length is 5.

49
00:04:19,160 --> 00:04:20,180
So now use this.

50
00:04:21,120 --> 00:04:25,410
And it will check the first character of the current database name.

51
00:04:26,880 --> 00:04:28,020
It is not a.

52
00:04:30,910 --> 00:04:31,780
It is b.

53
00:04:33,300 --> 00:04:35,280
Is the second character W?

54
00:04:37,610 --> 00:04:38,480
Yes.

55
00:04:40,250 --> 00:04:41,870
Is the third character A?

56
00:04:43,120 --> 00:04:43,870
Yes.

57
00:04:45,430 --> 00:04:47,770
Is the fourth character P?

58
00:04:49,070 --> 00:04:49,850
Yes.

59
00:04:51,080 --> 00:04:53,960
And is the fifth character P?

60
00:04:55,110 --> 00:04:55,740
Yes.

61
00:04:56,950 --> 00:05:00,050
So the database name is bWAPP.

62
00:05:00,850 --> 00:05:05,350
I think you get the point, so we use boolean operators.

63
00:05:06,290 --> 00:05:08,270
As well as some other functions to compare.

64
00:05:10,180 --> 00:05:15,130
Now, of course, there are multiple ways of comparing; this is just one of them.

65
00:05:16,870 --> 00:05:21,970
But this checks if the ASCII value of the first character of the database name is greater than 64.

66
00:05:23,150 --> 00:05:24,050
Positive result.

67
00:05:24,920 --> 00:05:29,720
So the first character can be either a lowercase or an uppercase letter.

68
00:05:30,740 --> 00:05:31,790
So I use this one.

69
00:05:33,110 --> 00:05:36,560
So now we get that the first character is a lowercase letter.

70
00:05:37,490 --> 00:05:40,880
And we can make a boolean search to find the first character.

71
00:05:41,980 --> 00:05:50,160
So, is the ASCII value greater than 109? No. Is the ASCII value greater than 102?

72
00:05:50,200 --> 00:05:50,590
No.

73
00:05:51,790 --> 00:05:55,870
And is the ASCII value greater than 99? No.

74
00:05:57,770 --> 00:06:01,760
And is the ASCII value greater than 97? Yes.

75
00:06:02,730 --> 00:06:06,250
OK, is the ASCII value 97?

76
00:06:07,170 --> 00:06:11,340
Yes, so finally we get the ASCII value of the first character.

77
00:06:13,210 --> 00:06:18,130
Now you can perform almost the same payloads to get other data from that database.

78
00:06:19,860 --> 00:06:25,620
Of course, you might be tired and bored because this is really long, right, it takes a long time, but

79
00:06:25,620 --> 00:06:26,730
you're seeing how it works.

80
00:06:27,480 --> 00:06:35,790
But think about the nature of the information, the quality of the information that you can get from

81
00:06:35,790 --> 00:06:37,550
a real-world database.

82
00:06:38,830 --> 00:06:40,270
You need to be proud of yourself.

83
00:06:41,650 --> 00:06:43,330
But me, I'm going to stop here.

84
00:06:44,700 --> 00:06:49,770
But you can go ahead and try some of the other payloads and figure out what else you can do.

85
00:06:50,660 --> 00:06:51,910
All right, cool.