1
00:00:01,820 --> 00:00:08,880
And this lecture I'd like to show you how we can use Eskil injections to read any file in the server.

2
00:00:08,920 --> 00:00:15,640
So even if the file exists outside the WWE route we'll be able to read it exactly like a file disclosure

3
00:00:15,640 --> 00:00:16,850
vulnerability.

4
00:00:17,020 --> 00:00:23,610
And we'll also see how we can use it to write files and upload them to the system just like a file upload

5
00:00:23,620 --> 00:00:24,420
vulnerability.

6
00:00:25,060 --> 00:00:31,770
So the first thing we're going to have a look at is the read in the file and I'm going to set everything

7
00:00:31,770 --> 00:00:32,430
to null here.

8
00:00:32,430 --> 00:00:36,030
So I have my statement here and I'm gonna set select one.

9
00:00:36,030 --> 00:00:42,300
I'm gonna need leave number two cause I'm gonna do stuff on that and we're gonna do another three no's

10
00:00:42,300 --> 00:00:42,530
here.

11
00:00:42,540 --> 00:00:48,480
So no no no.

12
00:00:48,490 --> 00:00:50,650
So we have select now something.

13
00:00:50,650 --> 00:00:51,400
No no no.

14
00:00:51,460 --> 00:00:58,960
So 5 because we have five records when we did the order by and instead of selecting something.

15
00:00:58,960 --> 00:01:06,420
Remember in the third video we did select database for example and it showed us the current database.

16
00:01:06,420 --> 00:01:11,340
What I want to do now is I want to do another function and that function is called Load File

17
00:01:15,240 --> 00:01:21,330
and in here I'm gonna set the file that I want to load and I'm going to use the same file that we had

18
00:01:21,330 --> 00:01:30,170
the lock on and the file inclusion vulnerability and it was HTC password so we're trying to read that

19
00:01:30,170 --> 00:01:35,480
file and our statement is unique and select that file and that's it.

20
00:01:35,690 --> 00:01:42,490
So I'm going to copy this and I'm going to inject it here and I'm going to add my percentage 23 which

21
00:01:42,490 --> 00:01:47,660
is my comment.

22
00:01:47,810 --> 00:01:56,030
And as you can see we managed to read all the information all the content of ATC password even though

23
00:01:56,030 --> 00:02:01,880
it's not in the web root so it's stored in ATC password so we can read anything in the server from other

24
00:02:01,880 --> 00:02:07,460
Web sites from other files anywhere in the server we can read it by specifying the full part of the

25
00:02:07,460 --> 00:02:10,220
file.

26
00:02:10,290 --> 00:02:15,180
The next thing I'd like to show you is writing to the server.

27
00:02:15,400 --> 00:02:20,800
So we're actually going to write stuff to the server and this is very useful because you'd be able to

28
00:02:20,800 --> 00:02:23,110
write any code you want.

29
00:02:23,110 --> 00:02:29,680
So for example you can write the code for a PSP script you can write and write a code for a shell a

30
00:02:29,680 --> 00:02:33,580
virus or appear to be code to get a reverse connection to you.

31
00:02:33,580 --> 00:02:40,300
So it'll basically just act like a file upload vulnerability and to do that I'm going to write the code

32
00:02:40,300 --> 00:02:43,120
that I want to do here and I'm going to call that for example.

33
00:02:43,120 --> 00:02:51,930
Just example example and we're going to use a function called out file.

34
00:02:51,960 --> 00:02:59,650
So we're going to do into out file and then we're going to specify where we want to store that file.

35
00:02:59,650 --> 00:03:03,980
Now in best case scenarios you'd be able to write to your Web root.

36
00:03:04,240 --> 00:03:09,670
And that will mean that you can access the file through the browser and execute it so you can upload

37
00:03:10,300 --> 00:03:14,540
a weekly file and then connect to it and do stuff like that.

38
00:03:14,560 --> 00:03:16,130
So let's try to do that first.

39
00:03:16,150 --> 00:03:23,900
So we're gonna do it in var w w w and that's our web route so we'll be able to access things through

40
00:03:23,900 --> 00:03:24,050
it.

41
00:03:24,050 --> 00:03:29,210
Or you can for it even var w w w and then put Michelle day after it.

42
00:03:30,830 --> 00:03:36,990
To start in their so the commands are very simple again union select.

43
00:03:36,990 --> 00:03:42,420
Make sure you set everything to null so that nothing gets right into the file except what you put in

44
00:03:42,420 --> 00:03:42,710
here.

45
00:03:42,720 --> 00:03:50,070
And I for example example and it's going to be stored into our file and var w w w Mattel day and we'll

46
00:03:50,070 --> 00:04:12,620
call that example the steep let's try to run this and see if it works.

47
00:04:12,660 --> 00:04:14,380
Now this didn't work.

48
00:04:14,430 --> 00:04:23,520
And if you come down here you'll see that Askew L or my Eskil is not allowed to create or write to this

49
00:04:23,520 --> 00:04:24,320
directory.

50
00:04:24,360 --> 00:04:31,440
So the problem is we're not the permissions that we have don't allow us to write to this particular

51
00:04:31,500 --> 00:04:32,790
location.

52
00:04:32,850 --> 00:04:40,170
So just to test this exploit I'm going to change this location to GMP which is the temp and you'll see

53
00:04:40,170 --> 00:04:44,390
that you can actually write to temp so in real life scenarios.

54
00:04:44,390 --> 00:04:48,010
It depends you can try it and see if you're able to write stuff or not.

55
00:04:48,130 --> 00:04:58,640
And this we're trying to write a temp now and if we read in temp if we cleared that and then Ellis and

56
00:05:01,310 --> 00:05:04,730
temp you'll see that we have something called example.

57
00:05:04,760 --> 00:05:13,140
And if we try to read that you'll see that it contains obviously it contains the content of what we

58
00:05:13,140 --> 00:05:18,090
did before which was the normal selection that you'd see.

59
00:05:18,100 --> 00:05:25,270
So what you see for putting this stuff for admin and then it showed us what's in there which is example

60
00:05:25,270 --> 00:05:32,080
example which is what we wanted to write to the file.

61
00:05:32,110 --> 00:05:37,120
Now you can obviously get rid of the admin and the admin pass stuff by just pulling the wrong user name

62
00:05:37,330 --> 00:05:39,430
and nothing is gonna be displayed here.

63
00:05:39,430 --> 00:05:45,260
So the only thing that you'll see is the output which is example example.

64
00:05:45,310 --> 00:05:52,270
Well again this is only useful if you're able to write to your web server so you can access it and then

65
00:05:52,270 --> 00:05:56,790
use your shell or use your payload and further exploit the system.