[00:00:00] Hello everybody and welcome back. And right now I will show you the blind SQL injection. So you also have it under the Vulnerable Web Application directory, so you just log in right here where we were in the previous tutorials and just go onto the SQL Injection (Blind). Now you will see the same output, or not the same output. It is basically the same version as the visible SQL injection, just right here, if you type the apostrophe for example, it won't print out the error, which makes it blind, so we do not really know if it is vulnerable or not at all. As we could see in the previous one, once we typed the apostrophe and submitted, it gave us the error in SQL syntax, but if you type right here, you should type 2 and then two apostrophes, you can see that it actually gave the output for the second user, which basically means that injecting is possible. It didn't give us an error about syntax or anything, it just gave us the output for the second user. Now what does this mean? It basically means if we type here the same command as we used in the previous one, so if we for example use the user under the ID of 1 and then we type here AND 1=1 and we submit that, we will get the user under ID 1, but if we type 1 AND 1=2, wait, I forgot the apostrophe, it won't give us any output.
[00:01:59] Now we can conclude from this that the correct statement will give us output, while the wrong statement, or not a true statement, will not give us any output. So we know that 1=1, and when we typed that we noticed that we got the output for the user right under the ID number 1. And when we typed 1=2 we got nothing as the output, which means that statement is not correct. So we can conclude that we can only know if the answer is correct or not. So all our queries that we are using from now on need to be constructed so that you receive a yes or no answer. Now what does that mean? That means that the only way that we can for example do the first step, which is discovering the name of the database, is by brute forcing every character. Now if you type here, since we already know the name of our database, we did it in the previous one... Pardon me. What am I doing right here? Wait, was it all the time on the normal SQL injection? Let me just check, it's right here. So we get that right here. And then if we try this one we get no output. But what about this one? We should get something. Oh yes, it's right here, so you can see that the SQL... Let me just go to the blind one.
[00:03:42] You can see that if I just type once again AND 1=2, you can see the SQL query in the link itself. That means that first of all this SQL query is sent with the GET request. And second of all we can see that some of the characters of our query are encoded, for example this %3D is encoded. Basically that is the only thing that's encoded. But it doesn't matter. What I was saying is that you basically need to brute force every character in order to find out, for example, the first step, which is the name of the database. And as I said, if we type here AND the database() function, which gives the name of the database as we saw in the previous video, and we type 'dvwa', now we know that the database name really is dvwa, so this will be a true statement and we will get the user under ID 1, since this is a true statement. But if we type here a false statement, so we use the same here but we misspell one letter, so 'dvww', and click here on Submit, you will notice that we actually don't get any output, which means this is not a true statement. So the first one will work here since dvwa is correct, and the second one won't print out anything, so it's not the correct answer. Now we can carry on with this
[00:05:23] method in order to find out the first of the things. So what you would do is basically you would type here the same command right here, and let's say you don't know what the name of the database is, you would basically type your letter, so let's say it's D. Oh, let's say it's actually G. And then you go to Burp Suite, you turn the intercept on, and then you submit this. You will see that we send this, we get the request, and what you want to do is basically, as we can see this is encoded and our letter is g, and here you would send this. What you would do... Let us just go and find that packet. Here it is. What you would do is you would send this packet to the Intruder and then from here you would select only the letter, the first letter, and you would compare the result by the difference in the length of the answer. Now, as I said, basically we did a similar kind of thing in the brute forcing attack, where we actually tried to see which response gets a different length, so the same method applies right here. And once you discover which letter gives a different length of response, you would know that that letter is the first letter of the database name.
[00:07:00] Now also what you will need: first you would clear all of this, then you would select only the letter which is here in the link, and then you would brute force that letter with all of the letters from the alphabet, so you would have to create a password list which is basically a, b, c, d, e, f, g, and supply it in the Payload section right here. Well, it works. Wait, let me open Burp Suite. In the Payload section right here you would supply that list with all of those letters. And then once it finishes you will see the different length of response for the correct letter. Now once you find the first letter you will do that for the second letter and for the third letter and for the fourth letter. And finally you will find out that dvwa is the correct, basically the correct name for the database, and then you will proceed on with the tables and then the columns and then the users and all of that stuff that we covered previously. So that's why this would take a lot longer than the previous video. So I will not be doing it. There's no real point in sitting here two hours just to do the same thing as in the previous video. So basically it is the method where you brute force every letter and then you find out the correct name. The principle and the commands are all the same as in the previous video.
[00:08:29] So that's about it for the blind SQL injection. We won't be really doing it since there is no time to waste. We need to cover more things such as sqlmap. Now what is sqlmap? So let me just close all of the things right here. I did not want to save it. So let me just click here on X and click here No. So what sqlmap is, it is basically the program or tool that comes preinstalled in Kali Linux and it is used since it automates the process of SQL injections. So all of the stuff that we did manually in the previous lesson and the lesson before that we can do automatically with this tool. That's why it's easy to use and you basically don't need to know anything about the SQL language or any type of queries in order to do this. You only need to provide the link, the level of inspection, the risk and some other options and it'll run on its own. So as I said it comes installed in Kali, so just type here sqlmap and it will print out your available options, or wait, it didn't print them out there. So in order to see our options just type here sqlmap --help. And right now we see our available options.
[00:09:51] So let us scroll up a little bit. What we have here is the verbosity level, then the -u for the URL, so you will always need to specify this. Then what we have is Google dork, direct, or proxy, so you can set a proxy; cookie, so you can basically even send a cookie; the data, DNS. So now you can check out all of these options. We won't be covering them in detail since we covered the harder part, which is the manual SQL injection. This is only one command, so we will do it on our specific website. We're now at the specific page on our OWASP machine. So let me just open up Firefox once again, so go on to your OWASP machine, [unclear].168.[unclear].6 I believe, and go right here on the Mutillidae, or however you spell this out. It says the proxy server is refusing connections. Well, that could be because I closed Burp Suite. That's what happens when you think you don't need something and then you actually do need it once again. So let's just open up Burp Suite real quick, so click here. Okay. Then we go here Next, Next, and wait until it opens up. Let's wait for it. So Next, Next, now we wait for this to open.
[00:11:28] Now while this is opening let me just tell you that sqlmap can be used both for SQL injection and blind SQL injection, and it can also find table names and columns and it can extract usernames and their hashed passwords. Also it can use different techniques of encoding to bypass some of the defenses such as filtering and IDS, and it also can work with the Metasploit framework, which we didn't cover yet and we will cover in the future tutorials, but it is a good thing to know that it is possible to mix these two. So let us continue on to our victim machine. So let us reload this page. Where do we want to go right here? I believe it is under the OWASP... let me just try to find it. User Info (SQL), or maybe under the Web Services and then the REST SQL Injection. User Account Management. No, it's not right here. I don't know why I thought it was right here. Just find it. What about this one? Username, Password. OK. So it is this page right here. And let's say since we know that this is vulnerable to SQL injection, since it is under the User Info as well, we can just basically try anything right here, so let's just type dddddddddd.
[00:13:03] And then View Account Details. You can see that there is not an account under that username and password, of course, but we got the link. So if we want to test this website for the SQL injection, for example, you would just copy the link, then you type here sqlmap -u to specify the URL, then apostrophe, so open double quote, then paste the link, close quote, and then what we want to specify is the input that we want to scan. So let's say for this type of scan we want to scan the username input. So you just type here -p. I believe it's -p. Let me just enlarge this and see it for myself, so -p, -p, testable parameters, so we want to test the username parameter. So just type here username and what we want to do... Use also the --schema. So we did that in the previous video, I explained what the information schema is and all of that; -p is the specified parameter that we scan. So once you do that you can also add some of the other options right here if you want to, for example level of scan, so level of tests to perform, default is 1; level of risk, so you can set the risk to be under 3, but I believe it will be more difficult, not difficult but more detectable then. And here this --schema, as you can see right here it says enumerate DBMS schema. So if you let this run it will take some time I believe. I don't know if I finished it before, so it will ask you some questions. Make sure to read them when they pop up, so it says like: it looks like the back-end DBMS is MySQL, do you want to skip test payloads specific for other DBMSes? We want to say yes since I believe it really is MySQL. Also: for the remaining tests, do you want to include all tests for MySQL extending provided level (1) and risk (1) values? We want to click here Yes. If you don't want to, you can specify the level and risk in the command itself. Basically you can let this run and it will automate the entire process of the SQL injection for you. Once it finishes, basically I believe it will print out the tables and columns and all of that, and you can basically, not manually but automatically, with a single number choose an option to check out what it found. But I believe this process takes a little bit longer to finish so we won't be waiting for this to end. We will cut the tutorial right now and in the next tutorial we will cover the XML injection. We will do it only in one tutorial since it is not that important as the SQL injection and as the cross site scripting attack that we will do after it. So that's about it for this tutorial.
[00:16:19] You can wait for this to finish if you want to see what are the things that it will print out or what other questions it may ask you. And until then I hope you're having a great day and I'll see you in the next lecture. Bye.