1
00:00:12,280 --> 00:00:14,940
Hey, guys, welcome back to another episode on How to Hack.

2
00:00:15,370 --> 00:00:18,580
So now we've got to discuss XXE part two.

3
00:00:18,610 --> 00:00:25,330
All right, so this is the part where we are going to try to launch the attack against your web application

4
00:00:25,330 --> 00:00:30,850
system, so we're in lesson number four of WebGoat under A4, XML External Entities.

5
00:00:31,450 --> 00:00:34,950
So all we've got to do right now is to look under this section.

6
00:00:34,990 --> 00:00:35,240
All right.

7
00:00:35,260 --> 00:00:36,550
So it states, in this assignment

8
00:00:36,550 --> 00:00:42,880
you add a comment to the photo; when submitting the form, try to execute an injection with the comment.

9
00:00:42,890 --> 00:00:46,080
Try listing the root directory of the file system.

10
00:00:46,600 --> 00:00:51,270
So the first thing we want to do is just go ahead with the normal process.

11
00:00:51,280 --> 00:00:51,520
All right.

12
00:00:51,520 --> 00:00:59,230
So which is to understand what happens when you go through how a normal user will actually input data

13
00:00:59,230 --> 00:01:03,350
into the system or into the database and ultimately returning as a result.

14
00:01:03,760 --> 00:01:09,640
So I can enter, for example, test and I can click submit and immediately we can see over here that

15
00:01:09,640 --> 00:01:11,170
we have the result test.

16
00:01:11,590 --> 00:01:14,710
So we have inputted something right into the system.

17
00:01:14,710 --> 00:01:18,220
So it returns the following information under your comment view.

18
00:01:18,280 --> 00:01:18,690
All right.

19
00:01:19,270 --> 00:01:22,240
So what we can do next is to investigate the situation.

20
00:01:22,540 --> 00:01:28,510
So first thing is you can actually go to the top right corner of your Firefox or Chrome and go under Web

21
00:01:28,510 --> 00:01:31,280
Developer, click under Network.

22
00:01:31,330 --> 00:01:31,570
All right.

23
00:01:31,570 --> 00:01:35,950
So right now, in this case, I'm going to enter test and click submit.

24
00:01:36,370 --> 00:01:36,640
All right.

25
00:01:36,640 --> 00:01:37,650
And I'm going to pause here.

26
00:01:37,960 --> 00:01:42,790
So, of course, we have the lessonoverview, lessonmenu that again, come a lot of times in

27
00:01:42,800 --> 00:01:44,080
WebGoat.

28
00:01:44,260 --> 00:01:46,990
But what we're looking for is the POST instruction here.

29
00:01:46,990 --> 00:01:53,410
So under simple, I can click on it and we can look at the parameters and in this case on the params,

30
00:01:53,410 --> 00:01:59,100
we can see the XML version equal 1.0 and followed by text, test.

31
00:01:59,590 --> 00:01:59,880
All right.

32
00:01:59,890 --> 00:02:03,130
And of course, we got a response and this is the feedback.

33
00:02:03,610 --> 00:02:05,190
Sorry, the solution is not correct.

34
00:02:05,200 --> 00:02:09,340
Please try again, so we can look at the parameters and we can do a right-

35
00:02:09,340 --> 00:02:12,640
click onto the row and click on Edit and Resend.

36
00:02:13,510 --> 00:02:17,590
So over here on the edit and then we can look at the information.

37
00:02:17,590 --> 00:02:17,660
Right.

38
00:02:17,680 --> 00:02:25,390
So we have the host, the user agent, Accept-Language, the referrer and we have this JSESSIONID.

39
00:02:25,630 --> 00:02:27,720
And of course what's really important is the content type.

40
00:02:27,730 --> 00:02:31,260
So in this case we have application/xml.

41
00:02:31,450 --> 00:02:35,030
So in many cases it could be a different type of content type.

42
00:02:35,290 --> 00:02:37,030
So it could be other types of application.

43
00:02:37,270 --> 00:02:43,120
And as we submit all these different instructions in a web application system, we can also change how

44
00:02:43,450 --> 00:02:49,510
we want to tell the web application system what kind of application or content type it is about, using

45
00:02:49,510 --> 00:02:52,610
application/xml as part of the declaration.

46
00:02:53,320 --> 00:02:59,800
So under the request body over here we have XML version equal 1.0, OK, and we have comment.

47
00:02:59,810 --> 00:03:00,970
So what are we going to do right now?

48
00:03:00,970 --> 00:03:03,700
It is to replace the payload for us.

49
00:03:04,090 --> 00:03:09,100
So over here we have the XML version and we can just copy the following over here.

50
00:03:09,100 --> 00:03:11,020
So I'm going to explain to you what it all means.

51
00:03:11,080 --> 00:03:11,350
All right.

52
00:03:11,350 --> 00:03:12,220
So I'm going to paste it.

53
00:03:13,130 --> 00:03:13,390
All right.

54
00:03:13,420 --> 00:03:17,430
So we have the DOCTYPE, we have the [inaudible] and then we have the ENTITY.

55
00:03:17,440 --> 00:03:22,120
So in this case, we're naming the entity as e and we have SYSTEM file.

56
00:03:22,120 --> 00:03:29,470
And of course I can enter /etc/passwd. And of course in this case, under the comment part, I'm

57
00:03:29,470 --> 00:03:30,550
going to change this.

58
00:03:30,550 --> 00:03:30,860
All right.

59
00:03:30,880 --> 00:03:33,140
Into the ampersand sign.

60
00:03:33,310 --> 00:03:33,670
All right.

61
00:03:33,670 --> 00:03:35,350
Which is right above seven.

62
00:03:35,350 --> 00:03:36,190
And then we can enter.

63
00:03:37,660 --> 00:03:43,480
So once you've seen all those details, you can actually run it and you can go in, click Send, OK?

64
00:03:43,570 --> 00:03:45,470
And we can pause the information right here.

65
00:03:45,970 --> 00:03:50,530
So, again, what we're doing is we're trying to submit information into the web application system,

66
00:03:50,830 --> 00:03:53,000
trying to get some kind of response from the system.

67
00:03:53,020 --> 00:03:53,320
All right.

68
00:03:53,330 --> 00:03:54,440
So that's one of those ways.

69
00:03:54,910 --> 00:04:01,680
So, of course, if I do a refresh, I may or may not see the results being placed into the

70
00:04:01,780 --> 00:04:02,560
comment section.

71
00:04:02,800 --> 00:04:03,770
So no worries about it.

72
00:04:04,150 --> 00:04:09,610
So what we can do once again is to enter, for example, test, click submit, OK, and

73
00:04:09,610 --> 00:04:15,940
pause it once again, go all the way down to the bottom under simple, right, so I can do an Edit and Resend.

74
00:04:16,390 --> 00:04:19,330
And right now I'm going to paste the same information again.

75
00:04:19,330 --> 00:04:23,550
But this time around with the full specification, /etc/passwd.

76
00:04:23,740 --> 00:04:24,150
All right.

77
00:04:24,160 --> 00:04:29,200
So I'm just going to change this, for example, to the ampersand sign followed by xxe.

78
00:04:29,260 --> 00:04:29,470
All right.

79
00:04:29,540 --> 00:04:34,660
So once you have all this information and input being put in place, I can paste it and I can click on

80
00:04:34,660 --> 00:04:35,090
send.

81
00:04:35,800 --> 00:04:40,630
So once it has been sent into the web application system for processing, I could go in and double click

82
00:04:40,660 --> 00:04:40,960
on it.

83
00:04:41,260 --> 00:04:41,620
All right.

84
00:04:41,770 --> 00:04:42,930
And we can see over here.

85
00:04:42,970 --> 00:04:43,240
All right.

86
00:04:43,240 --> 00:04:48,160
So we got different results coming in and it says, sorry, the solution is not correct and it says

87
00:04:48,160 --> 00:04:49,510
must end with a semicolon.

88
00:04:49,540 --> 00:04:54,040
OK, so we are getting our messages coming in from the feedback.

89
00:04:54,170 --> 00:04:54,440
All right.

90
00:04:54,460 --> 00:04:56,740
From the web application system or from the parser.

91
00:04:56,740 --> 00:04:59,940
And of course, here we can see javax.xml.

92
00:04:59,950 --> 00:05:03,750
So go back into the resend, OK?

93
00:05:03,800 --> 00:05:09,940
And of course, in this case, I should have placed in a semicolon at the end of the declaration.

94
00:05:10,050 --> 00:05:15,840
So I can paste it now and I can click on Send, so once I'm done with it, let me pause it, double click

95
00:05:15,870 --> 00:05:17,130
on it right now, OK?

96
00:05:17,130 --> 00:05:18,510
And we can see congratulations.

97
00:05:18,870 --> 00:05:21,350
You have successfully completed the assignment.

98
00:05:22,020 --> 00:05:28,490
So this is one of the ways where we can use the Web Developer, under the Network tab, to edit our payload

99
00:05:28,500 --> 00:05:32,850
and send it over into the web application system as it does the parsing.

100
00:05:33,390 --> 00:05:36,540
The next option that we have is to actually turn on Burp Suite.

101
00:05:36,570 --> 00:05:40,850
OK, so I can over here, open up a terminal and enter burpsuite.

102
00:05:40,860 --> 00:05:42,450
So this will start up Burp Suite.

103
00:05:42,850 --> 00:05:43,280
All right.

104
00:05:43,620 --> 00:05:48,120
So once we've started, we can click on Next and we can start Burp, OK?

105
00:05:48,450 --> 00:05:56,220
And we can go back under the proxy and we can enable the proxy and I can edit it over here so I can

106
00:05:56,220 --> 00:05:56,960
bind it to port.

107
00:05:57,330 --> 00:05:57,780
All right.

108
00:05:57,990 --> 00:05:59,490
Eight, eight, eight, eight and click.

109
00:05:59,550 --> 00:06:00,590
OK, OK.

110
00:06:00,600 --> 00:06:06,930
So once we've got it, we can click into Intercept and I can go back under Firefox and I can go on to preferences

111
00:06:07,290 --> 00:06:12,090
and go on to settings and click under Manual proxy configuration, click

112
00:06:12,090 --> 00:06:17,340
OK, so once we have that we can see all the instructions coming in so we can drop all these different

113
00:06:17,340 --> 00:06:23,520
details and I can go back into the web server and now I can go ahead and enter, for example, another

114
00:06:23,520 --> 00:06:24,030
one here.

115
00:06:24,360 --> 00:06:28,810
I can enter test and click submit and it will get picked up by Burp Suite.

116
00:06:28,890 --> 00:06:33,740
OK, so I can drop the lessonmenu.mvc, lessonoverview.mvc.

117
00:06:34,140 --> 00:06:34,580
All right.

118
00:06:35,010 --> 00:06:39,330
And this is the one we were looking for, which is POST WebGoat slash simple.

119
00:06:39,960 --> 00:06:46,500
And we have, for example, over here the XML version so I can do a right click and send to Repeater

120
00:06:46,680 --> 00:06:47,430
or Ctrl

121
00:06:47,430 --> 00:06:47,780
R.

122
00:06:48,240 --> 00:06:50,800
So once we click under the Repeater over here.

123
00:06:50,820 --> 00:06:56,250
So this is all the information that we already have and you can click send and once you click send you

124
00:06:56,250 --> 00:06:57,360
get a result coming back.

125
00:06:57,360 --> 00:06:57,470
Right.

126
00:06:57,510 --> 00:07:00,340
So it says sorry, the solution is not correct.

127
00:07:00,360 --> 00:07:01,830
Please try again.

128
00:07:02,040 --> 00:07:05,070
OK, so right now I'm going to go back into the payload

129
00:07:05,070 --> 00:07:06,810
I've crafted for you so I can do a right

130
00:07:06,810 --> 00:07:10,020
click, copy and now we can paste it over.

131
00:07:10,250 --> 00:07:10,620
All right.

132
00:07:10,770 --> 00:07:14,570
Replacing the existing XML that we have already.

133
00:07:14,620 --> 00:07:18,060
So I can right click and I can paste the results over here.

134
00:07:18,330 --> 00:07:19,980
OK, so we have the following.

135
00:07:19,980 --> 00:07:20,250
Right.

136
00:07:20,730 --> 00:07:24,770
And we can go in and click on Send and of course immediately we get a result.

137
00:07:25,080 --> 00:07:25,980
Congratulations.

138
00:07:25,980 --> 00:07:34,020
You have successfully completed the assignment so I can also enter, for example, /etc/passwd.

139
00:07:34,230 --> 00:07:34,530
All right.

140
00:07:34,530 --> 00:07:35,730
And I can also click send.

141
00:07:36,120 --> 00:07:38,690
So of course in this case it says sorry, the solution is not

142
00:07:38,910 --> 00:07:39,150
correct.

143
00:07:39,150 --> 00:07:39,840
But no worries.

144
00:07:40,020 --> 00:07:44,760
What we're trying to do is we're trying to get back certain results from the web application system.

145
00:07:44,790 --> 00:07:49,920
OK, so once we're done with this, I can go back to WebGoat, all right.

146
00:07:50,160 --> 00:07:56,160
And I can go on to preferences and I can temporarily turn off the proxy and I can just click on the refresh.

147
00:07:56,370 --> 00:07:56,640
All right.

148
00:07:56,680 --> 00:07:58,300
And we can see the results coming in.

149
00:07:58,320 --> 00:08:04,740
So in this case, we can see over here we have the list of users under /etc/passwd that we have

150
00:08:04,740 --> 00:08:05,520
enumerated.

151
00:08:05,970 --> 00:08:11,520
And we also have, for example, over here, which is the list of all the directories inside the root

152
00:08:11,520 --> 00:08:11,940
folder.

153
00:08:11,940 --> 00:08:15,100
As you can see here, we have opt, mnt and so on.

154
00:08:15,420 --> 00:08:22,230
So, again, there are a lot of things that we can do as part of an attack where we can make the system

155
00:08:22,230 --> 00:08:29,310
do all sorts of instructions, listing down directories, giving us a differential, putting up a back

156
00:08:29,310 --> 00:08:33,780
door and many, many different types of attacks that can be followed up from here.

157
00:08:33,840 --> 00:08:36,780
So once again, I hope you've learned something valuable in today's tutorial.

158
00:08:37,020 --> 00:08:40,130
And if you have any questions, feel free to leave a comment below, I'll try my

159
00:08:40,140 --> 00:08:40,750
best to answer.

160
00:08:40,750 --> 00:08:42,870
And of course, do like, share,

161
00:08:42,870 --> 00:08:46,920
subscribe to the channel so that you can be kept abreast of the latest cybersecurity tutorials.

162
00:08:47,070 --> 00:08:48,480
Thank you so much once again for watching.