[00:00:01] Now, to try and discover SQL injections, you need to browse through your target and try to break each page. So whenever you see a text box or a parameter, on this form for example, page.php then something equals something, try to inject stuff there. So try to use a single quote, try to use an "and" or the "order by" statement to break the page and make it look different. So I'm going to show you an example here. I'm going to go into the login page first, right here, and it's asking me to log in. Now I've actually registered with my own name, so you can just go in here and register. I have a username called Zaid and a password of 123456. So first I'm going to log in, just to show you: my username is Zaid and my password is 123456, and now I'm logged in as Zaid. Then my signature was just "a", not really anything, just as a test. So I'm going to log out and we're back at the login page. Right here we have the page, so you can try to inject in that, but we'll get into that later. So at the moment we're having an example of injecting into text boxes, so you can try to inject into the name and into the password.
[00:01:21] So I'm going to put my name, Zaid, and I'm going to put a single quote, so I'm putting this sign into my password. So let's see if we can break it, and as you can see now there is an error being displayed to us, and it doesn't look like a normal error. It looks like it's a database error. And usually you'd be very lucky if you get an error like this. Now usually the error won't be as informative as this; sometimes you'll just see that the page is not acting as you expected. Sometimes it'll just be a page that does not look as it should. For example, if it's a news page maybe it will have the article missing, or if it's a blog it'll have one of the posts missing or different kinds of posts. So you need to keep an eye on what's changed. In this example we are actually getting a really nice error as soon as we send it, and it's telling us that there is an error in the statement, the error near the quotation mark that we added, and it also tells us the statement that's been executed.
[00:02:25] This is really good for learning, because now we can see what's the statement that the system is trying to run, and the system is trying to do a select star, so it's trying to select everything from accounts where the username is equal to Zaid and the password is equal to a single quote. And note that this system, the web application, is already adding quotes around the name, so when I said Zaid it added that between two quotes, and it adds the single quote that I added between another two quotes, so that's why we have three quotes right here. So from this we can say it's like 70 percent that the target website has a SQL injection; we're still not sure if it can execute what we want it to do. So can I actually inject code and get it to be executed? Let's see if we can do that. So the username is going to be Zaid again, and what I'm going to do with the password: I'm going to put my password, so I'm going to put 123456, and then I'm closing it. So I'll tell you why I'm closing it, because the current statement in the system is select star from accounts where username is equal to Zaid and password is equal to, and it's going to open a single quote by itself. So let's call this $password.
[00:03:59] So we're treating this as a variable, and it takes in whatever I put in here, whatever I'm going to put in this box, and it's going to insert it instead of the $password, which is a variable. So I'm just giving you an idea. So you need to be able to imagine this happening. So it's taking whatever I put in there and it's going to put it between two single quotes, and it's going to be inserted in there and executed on the system. So what I'm doing is I'm going to put 123456 and I'm going to add the quote myself. So what I'm going to do right now, the code is going to be like this. So it's going to be like this: and password is equal to that, and I have two quotes right now. Okay. And then what I'm going to do, I'm going to say and 1 is equal to 1. So 1 is equal to 1. And I'm just trying to see if it's going to execute what I want it to do. So my statement right now is going to be select star from accounts where username is equal to Zaid and password is equal to 123456, and note I'm going to be inserting this myself, and 1 is equal to 1. One problem that the system is going to complain about is that we have an extra quote here, because I'm going to be inserting this myself in the text box.
[00:05:22] So it's going to be complaining about this; it's going to say this is an open quote and it has never been closed. So what I'm going to do is I'm going to add the comment. And when you add the comment, basically everything that comes in after the comment will not be executed. I'm going to use the hash as the comment. So anything that comes in after the hash, the system is going to ignore. So what I'm going to inject now is going to be this: and 1 is equal to 1, and this. So as I said, usually what you have here, you have $password, or depending on what the programmer called it, but we're just imagining this, and I'm going to be inserting this inside. So when you do that and you insert it inside, this is what the code is going to look like. So it's going to look like the right username, right password, and 1 is equal to 1, which is true, and then it's going to ignore this quote right here. So if we paste this we should be able to log in; it should allow me to log in, and perfect. We were able to log in and the username is Zaid. So far we haven't done anything, but this kind of shows us that it is running our code. Let's try a different thing now. Let's try to add a false statement. So what we did, we did 1 equals 1, and that was correct and it executed what we wanted. Let's try 1 equals 2.
[00:06:48] And this is false. So I have the right password and I have the right username, but I add "and 1 is equal to 2", and this should be wrong because it's false, 1 is not equal to 2, and I'm using an "and". So everything has to be true, so it should give me an error even though I'm going to put the right username and I'm going to put the right password. So I'm putting 123456 and 1 is equal to 2. So it's going to be like, oh, this is wrong. And as you can see it's given me an authentication error, bad username or password, even though I'm giving the right password and the right username. So this confirms that this website is actually injecting anything we want in the password, so we can use the password field to inject SQL code, and it's always going to be on this form: so we're going to put a password, and you're going to put your code here, so I'm just going to write it in capitals, CODE, here, because we're going to put any password, close the quote, and then put the code that we want to execute on the system right here, and it's going to be executed on the target system.
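As an added example that is not part of the lecture: the login query the error message revealed, first built by string concatenation the way the lecture's target does it (vulnerable), then parameterized (fixed), both run over a constructed in-memory SQLite table holding the lecture's account. SQLite is assumed in place of MySQL, so the comment terminator is `-- ` where the lecture used `#`; `login_vulnerable`, `login_fixed`, `run_probes` and the fixture are my names, not the target application's.

```python
import sqlite3

# Constructed fixture mirroring the lecture: one account, username zaid,
# password 123456 (stored in plaintext only to keep the query shape identical).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.execute("INSERT INTO accounts VALUES ('zaid', '123456')")
    return db

def login_vulnerable(db, username, password):
    """Query assembled from strings, as the lecture's error message showed.
    Returns 'ok', 'bad credentials', or 'db error: ...'."""
    sql = ("SELECT * FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as e:
        return "db error: " + str(e)   # the informative error seen in the lecture
    return "ok" if row else "bad credentials"

def login_fixed(db, username, password):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT * FROM accounts WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return "ok" if row else "bad credentials"

# The lecture's three probes in the password field. SQLite ends a comment
# with '-- '; the lecture's MySQL target used '#' for the same purpose.
PROBES = {
    "lone quote": "'",
    "true": "123456' AND 1=1-- ",
    "false": "123456' AND 1=2-- ",
}

def run_probes(login):
    """Run every probe with the valid username against one login function."""
    db = make_db()
    return {name: login(db, "zaid", payload) for name, payload in PROBES.items()}

def shows_boolean_differential(login):
    """Detection signal the lecture relies on: with the same valid credentials,
    a 'true' and a 'false' probe must behave identically on safe code."""
    results = run_probes(login)
    return results["true"] != results["false"]

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, run_probes(fn), "differential:", shows_boolean_differential(fn))
```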