1
00:00:00,270 --> 00:00:08,640
Now, we've already discovered this URL, so I'm passing those things and we'll find a vulnerability

2
00:00:08,640 --> 00:00:15,530
for this version of SQLiteManager, but that doesn't mean there can't be any other vulnerabilities.

3
00:00:16,440 --> 00:00:19,590
So why don't we go ahead and open exploit-db.com.

4
00:00:20,910 --> 00:00:26,520
And there is a remote code injection for this version that we have in the box.

5
00:00:27,890 --> 00:00:30,350
Now, the content of the exploit code is here.

6
00:00:31,550 --> 00:00:38,600
I'm sure that you don't need this file, you can accomplish it manually, so don't download it, just

7
00:00:38,810 --> 00:00:44,330
open the SQLiteManager interface, and then you can start by creating a new database.

8
00:00:45,430 --> 00:00:48,550
So I'm just going to name it shell and I'm going to save it.

9
00:00:49,690 --> 00:00:51,190
shell.php.

10
00:00:52,480 --> 00:00:56,050
OK, so now click SQL from the menu.

11
00:00:57,190 --> 00:01:02,410
And we will see this code pane, so this is where we're going to inject our payload.

12
00:01:03,930 --> 00:01:10,620
So I'm going to paste this SQL code, and the code creates a table and adds a value.

13
00:01:11,620 --> 00:01:19,000
But the value is PHP code that executes operating system commands, and it looks for netcat's directory,

14
00:01:19,930 --> 00:01:20,770
then executes.

15
00:01:21,960 --> 00:01:30,120
And the value was added, so if you click table one, then click display, you can view the entry.

16
00:01:31,820 --> 00:01:38,960
Now, you may wonder where this file is, so click shell, or your database name, and click options.

17
00:01:40,060 --> 00:01:43,580
And the location property will show the path.

18
00:01:44,870 --> 00:01:48,410
OK, then open this path from Firefox.

19
00:01:51,630 --> 00:01:52,890
And here's the result.

20
00:01:54,560 --> 00:01:55,700
Now view the source.

21
00:01:57,050 --> 00:02:00,440
So this is binary data, and here is our result.

22
00:02:02,480 --> 00:02:05,030
OK, so now I go over to the manager interface.

23
00:02:06,020 --> 00:02:07,520
Display the table one again.

24
00:02:08,600 --> 00:02:10,250
And edit the entry.

25
00:02:11,740 --> 00:02:13,630
So instead of this input, use this one.

26
00:02:15,870 --> 00:02:19,110
The one-line reverse netcat shell.

27
00:02:20,290 --> 00:02:21,040
Then save.

28
00:02:23,200 --> 00:02:23,920
Go to shell.

29
00:02:25,510 --> 00:02:28,090
Oh, I forgot to open the listener.

30
00:02:32,360 --> 00:02:33,650
OK, so that's done.

31
00:02:34,740 --> 00:02:36,180
Now refresh the page.

32
00:02:38,500 --> 00:02:40,720
And bee-box connects back to Kali.

33
00:02:42,460 --> 00:02:45,940
So now you can type Linux commands, and...

34
00:02:46,860 --> 00:02:47,610
Hostname.

35
00:02:48,790 --> 00:02:53,680
Or, quite conveniently, paste this Python code to get a bash-style shell.