1
00:00:00,120 --> 00:00:02,310
Hello everybody and welcome back.

2
00:00:02,310 --> 00:00:08,850
And in this video I will show you how to download a specific tool which you can use in order to automate

3
00:00:08,850 --> 00:00:11,490
the process of external injection.

4
00:00:11,520 --> 00:00:14,880
Now in the previous video we saw how to do it manually.

5
00:00:14,880 --> 00:00:22,020
And we did contains function and we were able to gather the usernames and passwords of different accounts

6
00:00:22,260 --> 00:00:25,720
on that Web site in the x amount database.

7
00:00:25,740 --> 00:00:31,150
Now that was the manual process of attacking that web.

8
00:00:31,170 --> 00:00:38,970
But since you do not want to do it every time you can just download a simple tool and it from automate

9
00:00:39,000 --> 00:00:41,000
the entire process for you.

10
00:00:41,100 --> 00:00:47,450
Now I will not cover that all since using tools is much easier than actually doing the manual attack

11
00:00:47,960 --> 00:00:52,800
so you can just check out some of the options that the tool gives you and you can use it.

12
00:00:53,010 --> 00:00:55,560
And I will just show you how you can install it.

13
00:00:57,200 --> 00:01:04,160
So in order to get this tool since it is not a principle in the clinics what you want to do is run basic

14
00:01:04,160 --> 00:01:12,350
two commands one of them is apt get install Python three minus Pip.

15
00:01:12,380 --> 00:01:17,990
Now I already have this installed so this will not install anything for me but for you it will start

16
00:01:18,080 --> 00:01:24,650
installing the Python 3 Pip which you will use a lot not only for this tool you will use to download

17
00:01:24,770 --> 00:01:28,400
all of the other tools that we will use for now on.

18
00:01:28,430 --> 00:01:30,370
Well not all of them but some of them.

19
00:01:30,410 --> 00:01:34,350
So if you just type here the if you just type enter.

20
00:01:34,490 --> 00:01:35,300
Let me just see.

21
00:01:35,300 --> 00:01:36,330
Oh yeah.

22
00:01:36,350 --> 00:01:38,350
So it it is not installed.

23
00:01:38,360 --> 00:01:41,750
It is installed this press your enter.

24
00:01:41,750 --> 00:01:45,580
And as we can see I already have it right here.

25
00:01:45,740 --> 00:01:48,060
Download it you can download it yourself.

26
00:01:48,080 --> 00:01:53,930
And once you do that what you want to do is in easy download the program itself.

27
00:01:53,990 --> 00:01:59,270
Now I already have the program downloaded as well but I will show you the command in order to do that

28
00:01:59,300 --> 00:02:08,910
which is step three and then install X cat once you type this command presenter and it should start

29
00:02:08,940 --> 00:02:11,250
downloading the comment for you.

30
00:02:11,250 --> 00:02:16,640
And since I already have it install it says right here the requirement already satisfied.

31
00:02:16,850 --> 00:02:24,710
Now once you finish this and once you have all the required satisfied and have three installed you can

32
00:02:24,710 --> 00:02:30,210
just basically run X cat and see the available options that you have for that.

33
00:02:30,740 --> 00:02:36,830
And then you can also try to run the manual and the automated attack on the website that we already

34
00:02:36,950 --> 00:02:43,590
attacked in the previous lecture but that's about it for the example injection.

35
00:02:43,760 --> 00:02:47,620
We will not cover it in great detail such as a map and cross-eyed pretenses.

36
00:02:47,630 --> 00:02:56,720
It is not that important for us at the moment and in the next video we will cover the cross-eyed scripting

37
00:02:56,720 --> 00:03:00,200
attacks and I will show you the part.

38
00:03:00,240 --> 00:03:09,640
The the power of these scripting languages on a certain Web site so let's before we end this.

39
00:03:09,660 --> 00:03:15,900
Let me just tell you how you can prevent all of these attacks if you for example wanted to create your

40
00:03:15,900 --> 00:03:17,840
own website or something like that.

41
00:03:17,850 --> 00:03:25,410
You could easily prevent these attacks by filtering the user input so the user input whether it is in

42
00:03:25,410 --> 00:03:31,530
the search bar or for example typing in the username and password or basically anywhere where you allow

43
00:03:31,860 --> 00:03:38,640
the user of that Web site to type something you should always filter for potentially dangerous characters

44
00:03:39,510 --> 00:03:47,670
or any characters that could involve or that could possibly be interpreted as a part of code.

45
00:03:47,820 --> 00:03:55,890
So especially the dangerous characters such as the apostrophe or double quotes or something like that

46
00:03:55,980 --> 00:04:02,460
as we saw it can make a lot of problem especially in the SGI injection and as well in the eczema injection

47
00:04:02,460 --> 00:04:04,510
as we saw in the previous video.

48
00:04:04,720 --> 00:04:10,780
You want to filter out the big and small parentheses as well so not just the quote marks you want to

49
00:04:10,930 --> 00:04:13,240
filter out all of these characters.

50
00:04:13,240 --> 00:04:20,620
You also want to filter out some of the special characters such as question mark karma or something

51
00:04:20,620 --> 00:04:23,390
like that a percentage sign and all of that.

52
00:04:23,440 --> 00:04:27,730
And also what you want to filter out is the common characters.

53
00:04:27,730 --> 00:04:33,460
So the common characters as we saw in the actual injection is the hash tag but it doesn't have to be

54
00:04:33,460 --> 00:04:39,130
the hash tag the common characters are also in the SPL are two slashes like this.

55
00:04:39,190 --> 00:04:45,070
This can also be interpreted as a comment which means that everything come after the these two slashes

56
00:04:45,130 --> 00:04:48,980
will not be read as a part of code will not be read at all.

57
00:04:48,990 --> 00:04:57,670
And for those of you who who learn C you know that this is also the two slashes are all also the interpretation

58
00:04:57,730 --> 00:04:58,450
for comment.

59
00:04:58,510 --> 00:04:58,860
Indeed.

60
00:04:58,870 --> 00:05:00,710
See language as well.

61
00:05:00,920 --> 00:05:04,780
Another type of comment can be the double dash.

62
00:05:04,780 --> 00:05:08,210
So just type your dash dash or minus minus.

63
00:05:08,230 --> 00:05:13,210
It is also our version of comment in the actual language as well.

64
00:05:13,210 --> 00:05:18,790
So in the previous videos where we cover desk you all and type the hash at the end you could have typed

65
00:05:18,910 --> 00:05:19,830
any of these three.

66
00:05:20,350 --> 00:05:23,310
I just chose hash as it is only one character.

67
00:05:23,500 --> 00:05:24,910
It makes it easier.

68
00:05:25,060 --> 00:05:30,530
And basically what you want to do is filter out all of these special characters in order for user to

69
00:05:30,530 --> 00:05:38,670
not be able to communicate with the code on the server and that's about it for these lectures x amount

70
00:05:38,680 --> 00:05:44,490
Industrial Injection in the next one I will show you the cross-eyed scripting attack and we will finish

71
00:05:44,490 --> 00:05:46,710
the event penetration testing there.

72
00:05:46,710 --> 00:05:50,040
So I hope I see you in the next lecture and take out my.