1
00:00:01,700 --> 00:00:02,110
OK.

2
00:00:02,120 --> 00:00:08,360
Now I'd like to show you an Eskimo injection and then a different file and different page and I'll show

3
00:00:08,360 --> 00:00:13,820
you a few different things that you can do to exploit that vulnerability.

4
00:00:13,850 --> 00:00:20,180
So the first thing I'm going to go to the log in page which is here.

5
00:00:20,600 --> 00:00:21,230
User info.

6
00:00:21,260 --> 00:00:24,440
So the first time I went to the log and page from there.

7
00:00:24,440 --> 00:00:26,780
This time we went to the user info page.

8
00:00:26,960 --> 00:00:32,360
So this for this page will show you the information about the user provided you give the username and

9
00:00:32,360 --> 00:00:32,940
password.

10
00:00:32,960 --> 00:00:35,680
So I'm going to Zaid and I'm going to put my password.

11
00:00:35,690 --> 00:00:37,610
One two three four five six.

12
00:00:37,790 --> 00:00:45,750
And it'll show my details username and password and my signature is a so the statement that's been executed

13
00:00:45,750 --> 00:00:48,110
here is similar to what was being executed.

14
00:00:48,120 --> 00:00:54,000
When you log in so it's selecting star from accounts where user name is what you put in the user field

15
00:00:54,390 --> 00:00:57,650
and password is what you put in the password field.

16
00:00:57,690 --> 00:01:04,530
So what we're going to do now is we're going to see a different way of exploiting this kind of vulnerability

17
00:01:04,560 --> 00:01:10,260
in the previous video we were doing it using a post text text box.

18
00:01:10,260 --> 00:01:17,030
So whatever you put in the text box was being posted using a post method to the web application.

19
00:01:17,040 --> 00:01:23,430
Now these vulnerabilities can exist in to get and what I mean by get is when you do a get when something

20
00:01:23,460 --> 00:01:26,430
is sent as get you will see it here in the URL.

21
00:01:27,060 --> 00:01:33,030
So if you look at the URL here you see it's being sent as the user name Zaid and password 1 2 3 FOUR

22
00:01:33,030 --> 00:01:33,720
FIVE SIX.

23
00:01:35,160 --> 00:01:41,880
So let me just copy this your e-mail here and we'll start playing with it from the URL and instead of

24
00:01:41,880 --> 00:01:49,230
doing it on the web page I just want to show you a different example because in many places there might

25
00:01:49,230 --> 00:01:55,310
not even be text boxes for example it could be something like in use and use that BHP.

26
00:01:55,380 --> 00:02:01,020
So we can see here for example in this example it's indexed BHP and in your pan testing you might see

27
00:02:01,020 --> 00:02:08,070
something like in use that BHP and for example I.D. equal to two and then you can try to inject stuff

28
00:02:08,070 --> 00:02:09,040
in there.

29
00:02:09,090 --> 00:02:14,760
So we're having an example here where we're going to be injecting things into the user name field which

30
00:02:14,760 --> 00:02:22,600
is this field and we're going to be injecting stuff in here so anytime when you're doing your pen test

31
00:02:22,630 --> 00:02:28,590
anytime you see parameters like this you should try to inject them anytime you see something that BHP

32
00:02:28,600 --> 00:02:33,910
and then you have a parameter equals something that always try to inject stuff in there and see if it

33
00:02:33,910 --> 00:02:34,550
works for you.

34
00:02:35,650 --> 00:02:43,180
So we also seen a way of discovering the injection and that was using the quotation mark and using the

35
00:02:43,180 --> 00:02:49,630
and so we do are false and and a true and and one is equal to one and then and one is equal to two and

36
00:02:49,630 --> 00:02:56,290
if the server is executing what we want then we're going to know that there is an Eskil injection I'm

37
00:02:56,290 --> 00:03:02,590
going to show you another way of discovering these exploits and it's using the order by as the name

38
00:03:02,590 --> 00:03:10,870
suggests the order by statement is used to order the results that we get on the screen based on a specific

39
00:03:10,930 --> 00:03:12,030
column.

40
00:03:12,070 --> 00:03:14,850
So our injection is going to be like this.

41
00:03:14,860 --> 00:03:21,240
So I'm going to do or there by 1.

42
00:03:21,420 --> 00:03:29,910
So this if if the injection exists this should work because in each select statement there should be

43
00:03:29,910 --> 00:03:32,460
at least one column is being selected.

44
00:03:32,460 --> 00:03:38,420
Therefore when we say order by one we're saying I want to order the results based on the first column.

45
00:03:38,490 --> 00:03:45,810
Therefore this should always be acceptable by the database and return true or something that we expect

46
00:03:47,280 --> 00:03:51,960
we also need to add the comment in here and execute this code.

47
00:03:51,960 --> 00:03:53,580
So it's exactly like before.

48
00:03:53,580 --> 00:04:01,290
So when we're doing this basically this is our U.R.L. URL and what's going to happen on the database

49
00:04:01,290 --> 00:04:06,140
so this is the code that's been executed on the database it's going to look like this

50
00:04:13,400 --> 00:04:19,570
so it's gonna be select star from accounts who user are usernames equal to Z and note how this is close

51
00:04:19,570 --> 00:04:27,630
in the quote and we're gonna do an order by one and there should be this code here for the end.

52
00:04:27,630 --> 00:04:33,660
And this this comment comment will tell the school interpreter that to ignore anything that comes in

53
00:04:33,660 --> 00:04:34,290
after it.

54
00:04:34,290 --> 00:04:36,030
So all of this is going to be ignored.

55
00:04:39,790 --> 00:04:41,160
So I'm copying this

56
00:04:45,990 --> 00:04:52,500
so you can actually paste this injection for Z order by one into the name right here and that's gonna

57
00:04:52,530 --> 00:04:53,100
work.

58
00:04:53,310 --> 00:04:58,420
But I again I just want to show you a different way of doing it by injecting it through the browser.

59
00:04:58,420 --> 00:05:04,530
Another thing that I want you to note is when you inject himself into the browser the browser the code

60
00:05:04,800 --> 00:05:06,470
should be encoded.

61
00:05:06,480 --> 00:05:14,730
So for example this sign usually when you put it on your URL it should be written as percentage 23 spaces

62
00:05:14,730 --> 00:05:22,080
for example get converted to percentage 20 and percentage 23 is the comment that we're using.

63
00:05:22,110 --> 00:05:27,730
So I'm going to copy that and replace my common sign with.

64
00:05:27,800 --> 00:05:32,670
Now we can google Hey CTP encoder and you'll see online there is online tools that'll just confirm this

65
00:05:32,670 --> 00:05:34,170
for you for me.

66
00:05:34,170 --> 00:05:39,170
Now I know that the hash tag can be converted to percentage 23.

67
00:05:39,240 --> 00:05:46,430
So that's why I'm using it there and I'm going to hit enter and as you can see now we're seeing something

68
00:05:46,430 --> 00:05:47,440
that's acceptable

69
00:05:50,240 --> 00:05:53,700
nothin wrong and then it's shown me the information about Z.

70
00:05:53,710 --> 00:05:56,370
One two three four five six and seven with the signature.

71
00:05:56,390 --> 00:05:58,010
So it is ignoring the password.

72
00:05:58,040 --> 00:06:03,110
So the injection worked and it's ordering by 1 so it's not shown me anything wrong.

73
00:06:03,620 --> 00:06:09,650
Let's try to make this number one a very large number so put in 10000 or 100000 now.

74
00:06:10,040 --> 00:06:15,590
So what we're seeing right now is I want you to order the results that will be returned by the current

75
00:06:15,590 --> 00:06:19,490
select statement based on column one hundred thousand.

76
00:06:19,490 --> 00:06:25,970
Now chances are there aren't 100000 columns used in this select statement and therefore this should

77
00:06:25,970 --> 00:06:27,670
return an error.

78
00:06:27,680 --> 00:06:35,250
So when I execute this you'll see that there is an error and the error is in the order close and still

79
00:06:35,350 --> 00:06:38,960
that there is an unknown column for 100000.

80
00:06:39,140 --> 00:06:43,580
And this is great because now we know that the database is executing what we want.

81
00:06:43,580 --> 00:06:48,500
So when we told it to order the results based on the first column it showed us results.

82
00:06:48,500 --> 00:06:50,540
So it followed what we told it.

83
00:06:50,780 --> 00:06:57,860
And then when we told it to order the results based on a column that does not exist it gave us an error.

84
00:06:57,890 --> 00:07:01,040
So it's obviously vulnerable to a scale injections.