1
00:00:00,560 --> 00:00:06,090
So here's yet another lesson on known vulnerabilities; it's almost inexhaustible, really.

2
00:00:07,280 --> 00:00:13,820
So in this lesson, we're going to exploit another SQLite Manager vulnerability, but this

3
00:00:13,820 --> 00:00:19,370
time you're going to memorize your XSS knowledge, and I'm going to skip the detection of SQLite

4
00:00:19,380 --> 00:00:19,610
Manager

5
00:00:19,610 --> 00:00:20,600
and version.

6
00:00:21,990 --> 00:00:24,330
So right now, go to Exploit Database.

7
00:00:25,510 --> 00:00:28,090
And we have already listed the vulnerabilities.

8
00:00:29,240 --> 00:00:31,370
And we've even exploited two of them.

9
00:00:32,600 --> 00:00:39,740
And there are a bunch of others that match our SQLite Manager version on bee-box, so there are several

10
00:00:39,740 --> 00:00:41,100
XSS vulnerabilities.

11
00:00:41,130 --> 00:00:41,450
Yes.

12
00:00:42,540 --> 00:00:43,950
So I'm going to open all of them.

13
00:00:46,130 --> 00:00:51,680
And I think this one doesn't actually work with our version on our system, so I'm just going to eliminate

14
00:00:51,680 --> 00:00:51,830
it.

15
00:00:53,240 --> 00:00:54,170
And the second one.

16
00:00:55,060 --> 00:00:56,650
All right, so this version matches.

17
00:00:58,300 --> 00:01:05,020
Now it looks like there is an XSS in the dbsel parameter in the URL.

18
00:01:06,310 --> 00:01:07,450
And the other one.

19
00:01:08,610 --> 00:01:12,610
But this one is only for Internet Explorer, so I'm going to skip this one.

20
00:01:13,830 --> 00:01:16,490
OK, so I'm going to look for this URL.

21
00:01:17,250 --> 00:01:22,860
So go to the manager interface, enable FoxyProxy.

22
00:01:24,390 --> 00:01:25,980
Now click the database.

23
00:01:28,280 --> 00:01:29,420
And go to Burp.

24
00:01:30,840 --> 00:01:32,770
So the request will look like that.

25
00:01:33,630 --> 00:01:35,970
So send it to the Repeater and then forward.

26
00:01:37,320 --> 00:01:38,300
Forward again.

27
00:01:40,240 --> 00:01:48,190
Another dbsel parameter is in the URL; send this to the Repeater as well, and then forward.

28
00:01:49,530 --> 00:01:52,080
Another request with dbsel.

29
00:01:54,250 --> 00:01:56,770
And send that to the Repeater and forward.

30
00:01:58,180 --> 00:01:59,950
And then go ahead and forward the rest.

31
00:02:01,460 --> 00:02:02,060
OK.

32
00:02:03,450 --> 00:02:06,570
So the page loads. Now, in the Repeater.

33
00:02:08,060 --> 00:02:14,780
So this is the first request we sent, and I'm going to paste the payload here, then send.

34
00:02:16,030 --> 00:02:20,470
And the response returns, so type here: alert.

35
00:02:21,790 --> 00:02:23,170
And we have the payload here.

36
00:02:25,190 --> 00:02:33,020
And they can cause XSS vulnerabilities, but the last double quotes after the payload can prevent

37
00:02:33,020 --> 00:02:33,830
execution.

38
00:02:35,460 --> 00:02:37,710
So open the second request.

39
00:02:39,820 --> 00:02:41,850
And paste the payload here as well.

40
00:02:43,470 --> 00:02:44,250
Then send.

41
00:02:48,130 --> 00:02:54,760
There's no alert code in the response, so this means that the payload does not work here, so we'll go

42
00:02:54,760 --> 00:02:56,500
to the third request.

43
00:02:57,970 --> 00:03:00,340
Paste this payload here as well and send it.

44
00:03:04,160 --> 00:03:06,350
OK, so now we can see the alert code here.

45
00:03:07,440 --> 00:03:12,270
And also, the exploit code shows this URL, so let's try it.

46
00:03:14,530 --> 00:03:16,060
Delete this part of the URL.

47
00:03:17,230 --> 00:03:18,520
And write the payload.

48
00:03:21,360 --> 00:03:24,660
And sure enough, the JavaScript code executes.

49
00:03:26,750 --> 00:03:31,440
But to exploit a user, this page is not very convincing.

50
00:03:31,460 --> 00:03:32,120
I don't think.

51
00:03:33,460 --> 00:03:36,400
So we are going to need to make a few changes.

52
00:03:37,610 --> 00:03:43,860
So let's copy this HTML code, and we're going to prepare a payload step by step.

53
00:03:44,990 --> 00:03:47,120
So first, let's close this tag.

54
00:03:48,300 --> 00:03:50,280
Now, put in the alert code.

55
00:03:52,390 --> 00:03:57,460
And then add a script tag to put the rest between script tags.

56
00:04:01,870 --> 00:04:04,360
So paste it into the URL and go.

57
00:04:06,090 --> 00:04:06,810
This time.

58
00:04:07,820 --> 00:04:10,460
The page this way is much better.

59
00:04:12,460 --> 00:04:13,900
So we'll view the source.

60
00:04:17,330 --> 00:04:20,060
We can also complete the tag.

61
00:04:22,800 --> 00:04:24,090
So use this payload.

62
00:04:26,560 --> 00:04:27,340
That works well.

63
00:04:29,130 --> 00:04:29,940
View source.

64
00:04:32,950 --> 00:04:34,360
OK, the source is better now.

65
00:04:35,690 --> 00:04:40,910
Now we can write more accurate and more powerful JavaScript payloads.

66
00:04:42,650 --> 00:04:51,500
Because the first part is complete and there's no error, so then our actual payload comes.

67
00:04:52,630 --> 00:04:56,920
And the last script tag eliminates the remaining HTML code.

68
00:04:58,560 --> 00:05:06,060
OK, then open Web Developer, and now we can use the cookie stealer app.

69
00:05:07,180 --> 00:05:09,190
So paste this payload and go.

70
00:05:11,140 --> 00:05:13,270
But nothing was sent to our server.

71
00:05:13,720 --> 00:05:15,760
OK, let me just check the payload real quick.

72
00:05:16,760 --> 00:05:18,260
OK, let's view the source code.

73
00:05:21,310 --> 00:05:22,420
Now it seems right.

74
00:05:23,850 --> 00:05:25,890
Ah, so here's our payload.

75
00:05:26,130 --> 00:05:32,790
I see what's wrong: something happens to the plus sign at the back end.

76
00:05:33,730 --> 00:05:37,570
So we need to find a solution instead of this plus sign.

77
00:05:38,890 --> 00:05:45,100
Yeah, you probably guessed what we're going to do: we can solve this problem with a JavaScript function,

78
00:05:46,090 --> 00:05:50,230
so I'll just change the plus sign to concat as our function.

79
00:05:51,940 --> 00:05:56,680
And paste our new payload into the URL.

80
00:05:58,500 --> 00:06:00,930
OK, so this time it sends the cookie value.

81
00:06:02,050 --> 00:06:05,470
Open up the stealer application and refresh the page.

82
00:06:06,880 --> 00:06:07,960
There's one session.

83
00:06:09,520 --> 00:06:10,300
So log in.

84
00:06:13,300 --> 00:06:14,710
And here is a new session.

85
00:06:16,250 --> 00:06:18,080
So let's check to see if it's alive.

86
00:06:19,780 --> 00:06:20,710
And it is alive.

87
00:06:23,360 --> 00:06:24,620
So go to session.

88
00:06:25,850 --> 00:06:27,860
And here is the user bee.

89
00:06:29,410 --> 00:06:36,070
OK, so in this lesson, we exploited an XSS vulnerability on SQLite Manager.

90
00:06:37,590 --> 00:06:41,480
So we also got the bWAPP session ID as well.