1
00:00:02,000 --> 00:00:08,390
Now to try and discover SQL injections you need to browse through your target and try to break

2
00:00:08,390 --> 00:00:09,460
each page.

3
00:00:09,500 --> 00:00:16,160
So whenever you see a text box or a parameter in the form, for example page.php then something

4
00:00:16,160 --> 00:00:23,480
is equal to something, try to inject stuff here, so try to use a single quote, try to use an AND or the

5
00:00:23,480 --> 00:00:27,560
ORDER BY statement to break the page and make it look different.

6
00:00:27,560 --> 00:00:29,950
So I'm going to show you here an example.

7
00:00:31,070 --> 00:00:35,660
And I'm going to go into the login page first, right here.

8
00:00:37,380 --> 00:00:41,850
And it's asking me to log in now. I actually registered with my own name, so you can just go in here

9
00:00:41,850 --> 00:00:42,800
and register.

10
00:00:42,920 --> 00:00:47,250
I have a username called zayd and a password of 1 2 3 4 5 6.

11
00:00:47,250 --> 00:00:52,920
So first, I'm just going to log in just to show you, so my username is zayd and my password is 1 2

12
00:00:52,920 --> 00:00:54,320
3 4 5 6.

13
00:00:54,810 --> 00:01:01,950
And now I'm logged in as zayd, my signature was a note that really just like the test.

14
00:01:02,070 --> 00:01:08,570
So I'm going to log out and we're back at the login page right here.

15
00:01:08,600 --> 00:01:12,380
We have the page, so you can try to inject in the URL; we'll get into that later.

16
00:01:12,380 --> 00:01:18,890
So at the moment we have an example of injecting into text boxes, so you can try to inject into the name

17
00:01:19,010 --> 00:01:21,170
and into the password.

18
00:01:21,250 --> 00:01:26,000
So I'm going to put my name as zayd and I'm going to put a single quote.

19
00:01:26,110 --> 00:01:29,900
So I'm putting this sign into my password.

20
00:01:30,300 --> 00:01:32,850
So let's see if we can break it.
21
00:01:34,830 --> 00:01:40,380
And as you can see now there is an error displayed to us, and it doesn't look like a normal error.

22
00:01:40,440 --> 00:01:42,280
It looks like it's a database error.

23
00:01:42,630 --> 00:01:45,720
And usually you'd be very lucky if you get an error like this.

24
00:01:45,720 --> 00:01:48,910
Now usually they won't be as informative as this.

25
00:01:48,960 --> 00:01:54,250
Sometimes you'll just see that the page is not acting as you expected.

26
00:01:54,300 --> 00:01:59,380
Sometimes it'll just be a page that does not look as it should.

27
00:01:59,400 --> 00:02:04,590
For example, if it's a news page maybe it'll have the article missing, or if it's a blog it'll have one

28
00:02:04,590 --> 00:02:07,290
of the posts missing or different kinds of posts.

29
00:02:07,320 --> 00:02:12,630
So you need to keep an eye on what's changing, and in this example we were actually getting a really nice

30
00:02:12,720 --> 00:02:18,900
error, as you can see, which is telling us that there is an error in the statement, that the error

31
00:02:18,900 --> 00:02:26,040
is near the quotation marks that we added, and it also tells us the statement that we executed. This is

32
00:02:26,040 --> 00:02:31,430
really good for learning, because now we can see what the statement that the system is trying to run is, and

33
00:02:31,440 --> 00:02:37,260
the system is trying to do a SELECT *, so it was trying to select everything from accounts where the

34
00:02:37,260 --> 00:02:42,680
username is equal to zayd and the password is equal to a single quote.

35
00:02:43,020 --> 00:02:48,480
And now the system, the web application, is already adding quotes around the name, so when I said

36
00:02:48,480 --> 00:02:55,380
zayd it added that between two quotes, and the single quote that I added between another two quotes, so

37
00:02:55,380 --> 00:02:57,200
that's why we had three quotes right here.
38
00:02:58,430 --> 00:03:05,210
So from this we can say it's like 70 percent that the target website has an SQL injection; we're still

39
00:03:05,210 --> 00:03:08,030
not sure if it can execute what we wanted to do.

40
00:03:08,030 --> 00:03:12,010
So can I actually inject code and get it to be executed?

41
00:03:12,050 --> 00:03:13,130
Let's see if we can do that.

42
00:03:13,130 --> 00:03:14,830
So the username is going to be

43
00:03:14,840 --> 00:03:17,150
zayd.

44
00:03:17,360 --> 00:03:22,540
And what I'm going to do with the password: I'm going to put my password.

45
00:03:22,540 --> 00:03:28,110
So I'm going to put one two three four five six and then I'm closing it.

46
00:03:28,440 --> 00:03:37,760
So I'll tell you why I'm closing it, because the current statement of the system is select *

47
00:03:37,880 --> 00:03:38,710
from

48
00:03:43,170 --> 00:03:43,890
zayd

49
00:03:49,330 --> 00:03:53,650
is equal to, and it's going to open a single quote by itself.

50
00:03:56,320 --> 00:04:04,360
So let's call this password, so we're treating this as a variable and it takes in whatever I put

51
00:04:04,360 --> 00:04:09,820
in here, whatever I'm going to put in this box, and it's going to be inserted instead of the password,

52
00:04:09,910 --> 00:04:12,020
which is a variable.

53
00:04:12,100 --> 00:04:16,620
So I'm just giving you an idea, so you need to be able to imagine this happening.

54
00:04:16,630 --> 00:04:23,610
So whatever I put in there, it's going to put it between two single quotes and it's going to be

55
00:04:23,610 --> 00:04:26,490
inserted in there and executed on the system.

56
00:04:26,490 --> 00:04:32,020
So what I'm doing is I'm going to put one two three four five six and I'm going to close the quote myself.

57
00:04:32,190 --> 00:04:35,990
So what I'm going to do right now, the code is going to be like this.

58
00:04:35,990 --> 00:04:38,320
So it's going to look like this.
59
00:04:38,320 --> 00:04:41,710
And password is equal to that, and I have two quotes right now.

60
00:04:42,180 --> 00:04:42,790
OK.

61
00:04:43,020 --> 00:04:46,050
And then what I'm going to do is I'm going to say AND

62
00:04:50,030 --> 00:04:53,060
one is equal to one.

63
00:04:53,060 --> 00:04:54,570
So one is equal to one.

64
00:04:54,740 --> 00:04:58,520
And I'm just going to run it and see if it's going to execute what I want it to do.

65
00:04:58,520 --> 00:05:04,460
So my statement right now is going to be select * from accounts where username is equal to

66
00:05:04,540 --> 00:05:08,040
zayd and password is equal to 1 2 3 4 5 6.

67
00:05:08,100 --> 00:05:11,080
And note, I'm going to be inserting this myself.

68
00:05:11,820 --> 00:05:14,110
AND one is equal to one.

69
00:05:14,120 --> 00:05:18,800
One problem that the system is going to complain about is that we have an extra quote here, because I'm

70
00:05:18,800 --> 00:05:22,070
going to be inserting this myself in the text box.

71
00:05:22,190 --> 00:05:25,110
So it's going to be complaining about this, it's going to say this:

72
00:05:25,130 --> 00:05:28,970
this is an open quote and it has never been closed.

73
00:05:29,000 --> 00:05:31,210
So what I'm going to do is I'm going to add a comment.

74
00:05:31,460 --> 00:05:36,650
And when you add a comment, basically everything that comes after the comment will not be executed.

75
00:05:37,610 --> 00:05:39,490
I'm going to use the hash as the comment.

76
00:05:39,620 --> 00:05:43,950
So anything that comes after the hash the system is going to ignore.

77
00:05:44,210 --> 00:05:50,790
So what I'm going to inject now is going to be this: one is equal to one, and then this.

78
00:05:51,080 --> 00:05:59,830
So as I said, usually what you have here, you have $password or whatever, depending on what the programmer

79
00:05:59,860 --> 00:06:01,940
called it; we're just imagining this.

80
00:06:02,230 --> 00:06:04,780
And I'm going to be inserting this inside.
81
00:06:04,990 --> 00:06:10,630
So when you do that and you insert it inside, this is what the code is going to look like, so it's going

82
00:06:10,630 --> 00:06:14,880
to look like: the right username, the right password, AND one is equal to 1, which is true.

83
00:06:15,160 --> 00:06:19,060
And then it's going to ignore this quote right here.

84
00:06:19,450 --> 00:06:22,690
So if we pass this we should be able to log in.

85
00:06:22,720 --> 00:06:29,040
It should allow me to log in, and perfect, we were able to log in with the username.

86
00:06:29,290 --> 00:06:34,540
So far we haven't done anything, but this kind of shows us that it is running our code.

87
00:06:34,570 --> 00:06:40,720
Let's try a different thing now, let's try to add a false statement.

88
00:06:40,720 --> 00:06:46,090
So we did one equals one, and that was correct and it executed what we wanted.

89
00:06:46,090 --> 00:06:48,010
Let's try one equals two.

90
00:06:48,340 --> 00:06:49,510
And this is false.

91
00:06:49,540 --> 00:06:55,210
So I have the right password and I have the right username, but I did AND one is equal to two.

92
00:06:55,390 --> 00:06:59,620
And this should be wrong because it's false, one is not equal to two, and I'm using AND.

93
00:06:59,630 --> 00:07:01,720
And so everything has to be true.

94
00:07:03,210 --> 00:07:07,920
So it should give me an error even though I'm going to put the right username and I'm going to put the

95
00:07:07,920 --> 00:07:12,750
right password, so I'm putting one two three four five six AND one is equal to two.

96
00:07:12,750 --> 00:07:15,990
So it's going to be like, oh, this is wrong.

97
00:07:15,990 --> 00:07:20,940
And as you can see it's giving me an authentication error, username and password, even though I'm giving

98
00:07:20,940 --> 00:07:24,320
the right password and the right username.
99
00:07:24,360 --> 00:07:30,810
So this confirms that this website is actually injecting anything we want in the password, so we can

100
00:07:30,810 --> 00:07:34,200
use the password field to inject SQL code.

101
00:07:34,530 --> 00:07:40,710
And it's always going to be in this form, so we're going to put a password and you're going to put

102
00:07:40,830 --> 00:07:41,680
your code here.

103
00:07:41,670 --> 00:07:48,420
So I'm just going to put it in capitals here, because we're going to put a password, close the quote,

104
00:07:48,780 --> 00:07:54,180
and then put the code that we want to execute on the system right here, and it's going to be executed

105
00:07:54,420 --> 00:07:55,830
on the target system.