1
00:00:00,840 --> 00:00:03,180
Hello, everyone, and welcome to this video.

2
00:00:04,050 --> 00:00:08,700
So in the previous video we have seen about the MicroStrategy.

3
00:00:09,510 --> 00:00:13,500
This is a vulnerability which was identified in the Facebook account.

4
00:00:13,710 --> 00:00:17,630
So we are going to replicate this same vulnerability over here.

5
00:00:18,180 --> 00:00:24,990
So to do that, first of all, what we are going to do is we are going to write down a few steps.

6
00:00:25,440 --> 00:00:27,890
So let me just open up the editor.

7
00:00:28,350 --> 00:00:35,190
So the first step is we are going to identify a MicroStrategy vulnerability on any subdomain.

8
00:00:35,700 --> 00:00:42,450
So first we're going to identify a subdomain and we are going to see if it redirects to MicroStrategy,

9
00:00:42,720 --> 00:00:47,340
a web portal, as we saw in the Facebook case, and it was giving an error.

10
00:00:47,370 --> 00:00:54,750
So we are going to expect that once we have identified the target domain, which is running on MicroStrategy,

11
00:00:55,110 --> 00:01:01,000
we are going to input Google dot com to see if the URL is valid or not.

12
00:01:01,350 --> 00:01:05,260
And then from there we can confirm if the URL is working or not.

13
00:01:05,910 --> 00:01:13,170
So as in the U.S., we saw that the URL would not work because in the software configuration, TinyURL

14
00:01:13,170 --> 00:01:17,180
is something which will only work.

15
00:01:17,640 --> 00:01:22,920
So we are going to try with TinyURL and we are going to see if it correctly loads or not.

16
00:01:23,340 --> 00:01:30,180
And then we are going to load our TinyURL-based XSS

17
00:01:32,550 --> 00:01:41,700
page or the XSS payload over here to make this one from SSRF to XSS to increase the impact

18
00:01:41,700 --> 00:01:44,940
and overall severity of the vulnerability.

19
00:01:45,690 --> 00:01:52,920
We can also make the same flow page of the target application as we saw in the Facebook scenario,

20
00:01:53,280 --> 00:01:58,170
and then we can phish credentials of any legitimate user.

21
00:01:58,980 --> 00:01:59,420
All right.

22
00:01:59,430 --> 00:02:04,770
So let's quickly jump onto the practical and let's see these steps one by one.

23
00:02:06,820 --> 00:02:12,490
All right, so here, as you can see, this is one of the subdomains, reporting

24
00:02:14,300 --> 00:02:16,980
Dr. Baron, LTG dot com.

25
00:02:17,000 --> 00:02:25,460
So when I just go onto that subdomain, it automatically redirects me over here, which means the first

26
00:02:25,460 --> 00:02:31,020
step has been successfully satisfied: it redirects to MicroStrategy.

27
00:02:31,550 --> 00:02:32,210
All right.

28
00:02:32,220 --> 00:02:34,340
So this is a wonderful target.

29
00:02:34,700 --> 00:02:38,810
Now, let's quickly copy the injection point that we saw,

30
00:02:39,810 --> 00:02:42,540
which was the targeted URL endpoint.

31
00:02:42,570 --> 00:02:47,250
So let's just copy this, go into the browser and try to open.

32
00:02:47,610 --> 00:02:56,370
So here you have to notice that we are trying to open Google dot com and, as expected, we have got

33
00:02:56,370 --> 00:03:04,380
an error that Google dot com is not a see if you are, or it would not work here, as we knew.

34
00:03:04,380 --> 00:03:08,510
It is not going to work because it is written in the software configuration.

35
00:03:08,910 --> 00:03:10,260
So let's try with Tiny

36
00:03:10,260 --> 00:03:12,950
URL dot com and let's see if it works or not.

37
00:03:13,530 --> 00:03:22,290
And you can see we are successfully able to open TinyURL inside reporting dot badon, ltg dot com,

38
00:03:22,680 --> 00:03:24,800
which is our vulnerable live domain.

39
00:03:25,650 --> 00:03:26,150
Perfect.

40
00:03:26,400 --> 00:03:33,720
It is working as expected and now we are successfully able to load the TinyURL domain too.

41
00:03:34,740 --> 00:03:43,240
Now let's just quickly navigate to assassinate your daughter X, Y, Z of Yemen where I have posted

42
00:03:43,240 --> 00:03:51,300
an HTML page which contains an XSS payload of executing document dot cookie.

43
00:03:51,690 --> 00:03:55,390
So I'm just going to copy that and I'm going to paste it over here.

44
00:03:56,040 --> 00:04:00,880
Now we know it is not going to work because it does not load any

45
00:04:00,880 --> 00:04:02,970
URL apart from Tiny

46
00:04:02,970 --> 00:04:03,290
URL.

47
00:04:03,320 --> 00:04:06,380
And so we have to convert that as well.

48
00:04:07,170 --> 00:04:10,590
So you saw we got an error which was expected.

49
00:04:10,860 --> 00:04:16,400
So now let's quickly open TinyURL and we are going to convert our URL.

50
00:04:16,480 --> 00:04:24,750
You know, also, if I show you the error in the Chrome browser, you can see this is how the error is

51
00:04:25,470 --> 00:04:29,760
displayed in the response, which is "the source URL is not valid".

52
00:04:30,000 --> 00:04:36,030
And if you remember, we were getting the same error in the previous video, in the Facebook PoC

53
00:04:36,120 --> 00:04:36,500
case.

54
00:04:37,350 --> 00:04:37,800
Perfect.

55
00:04:38,190 --> 00:04:43,320
Now, let's quickly make a TinyURL to exploit this to XSS.

56
00:04:43,860 --> 00:04:45,150
So let's open Tiny

57
00:04:45,150 --> 00:04:46,170
URL dot com.

58
00:04:47,220 --> 00:04:57,390
Go over there and copy the link of singular direct phys ed slash SSRF dot HTML and paste it

59
00:04:57,390 --> 00:05:01,860
over here, so you can see "enter a long URL to make tiny".

60
00:05:01,860 --> 00:05:07,520
So we are going to paste it over here and it is automatically going to shorten our

61
00:05:07,530 --> 00:05:15,450
URL. So just hit on "Make TinyURL", and indeed you can see the URL has successfully

62
00:05:15,780 --> 00:05:18,810
shortened and converted to a Tiny

63
00:05:18,810 --> 00:05:20,060
URL. Perfect.

64
00:05:20,670 --> 00:05:26,310
Now let's just copy this, go back to our target and try to load it over there.

65
00:05:26,910 --> 00:05:27,800
Over here.

66
00:05:28,860 --> 00:05:32,310
So if you recall, we are not able to open,

67
00:05:32,310 --> 00:05:33,900
as I said, the direct XSS

68
00:05:33,900 --> 00:05:38,310
dot HTML which contains our XSS payload.

69
00:05:38,520 --> 00:05:46,980
But when we replace this with TinyURL, which basically points to our XSS payload, we are able

70
00:05:46,980 --> 00:05:49,980
to successfully get the XSS execution.

71
00:05:49,980 --> 00:05:57,050
As you can see here, you can also see the cookie over here because the payload is document dot

72
00:05:57,060 --> 00:05:58,050
cookie, and an

73
00:05:58,050 --> 00:05:59,970
attacker can utilize this to steal it.

74
00:05:59,970 --> 00:06:06,760
Obviously, to make another scenario, we can also make a similar phishing clone of this target

75
00:06:06,780 --> 00:06:14,260
application and try to load it over here by shortening the URL with the help of TinyURL.

76
00:06:14,670 --> 00:06:23,340
So I hope you guys understood how we are able to replicate the same PoC or the same attack of SSRF that

77
00:06:23,340 --> 00:06:26,460
was reported to Facebook on the live website.

78
00:06:26,850 --> 00:06:28,140
I hope you guys understood.

79
00:06:28,330 --> 00:06:28,920
Thank you.