1
00:00:01,570 --> 00:00:06,230
I hope you remember what we did in the blind SQL injection lessons.

2
00:00:08,030 --> 00:00:13,010
We saw how to perform a boolean and time-based blind SQL injection exploit.

3
00:00:13,940 --> 00:00:19,940
And, of course, manually exploiting such a vulnerability is a time-consuming event.

4
00:00:21,800 --> 00:00:24,390
And it's also just very hard to go step by step.

5
00:00:25,860 --> 00:00:29,280
So we can use sqlmap to get over these obstacles.

6
00:00:30,630 --> 00:00:34,770
So first, I'm going to start with the boolean-based one.

7
00:00:36,570 --> 00:00:43,950
And so there's a search box here, I think you know what's happening, just enable FoxyProxy.

8
00:00:45,420 --> 00:00:47,370
Then type something in and search.

9
00:00:49,130 --> 00:00:49,970
Now go to Burp.

10
00:00:51,690 --> 00:00:57,270
And the request is here, so before forwarding, copy it to a file.

11
00:00:58,990 --> 00:01:01,540
And I'm going to use the same file and save.

12
00:01:02,560 --> 00:01:04,300
Then let the request go.

13
00:01:06,190 --> 00:01:12,550
OK, open your terminal, then type sqlmap -r and the request file path.

14
00:01:15,820 --> 00:01:16,720
-p title.

15
00:01:17,850 --> 00:01:23,670
Age and test Colin 28 08 to 09.

16
00:01:24,460 --> 00:01:25,240
And run.

17
00:01:31,240 --> 00:01:36,640
Now, it's funny because we're looking for a boolean-based SQL injection.

18
00:01:37,880 --> 00:01:40,280
But we discover a time-based one.

19
00:01:41,930 --> 00:01:43,940
Yeah, so you can skip testing the others.

20
00:01:45,360 --> 00:01:49,890
OK, so, yeah, the exploit is with an integer value.

21
00:01:52,660 --> 00:01:53,830
OK, again.

22
00:01:55,500 --> 00:01:57,290
And this can always happen to you.

23
00:01:58,480 --> 00:02:03,430
OK, now, directly, I'm going to point to the boolean-based injection.

24
00:02:06,660 --> 00:02:08,010
B is for boolean-based.

25
00:02:09,610 --> 00:02:12,430
It executes, but nothing is found.

26
00:02:13,960 --> 00:02:16,840
So maybe providing the DBMS can help.

27
00:02:19,720 --> 00:02:20,710
But nothing is found.

28
00:02:21,910 --> 00:02:23,840
Oh, no, I'm getting nervous.

29
00:02:25,870 --> 00:02:29,410
OK, so I'm going to add two more parameters.

30
00:02:30,100 --> 00:02:33,820
Level five. There are five levels.

31
00:02:34,760 --> 00:02:44,290
The default value is one, where a limited number of tests or requests are performed, and vice versa.

32
00:02:44,290 --> 00:02:50,430
Level five will test verbosely for a much larger number of payloads and boundaries.

33
00:02:51,640 --> 00:02:59,680
So all in all, the harder it is to detect an SQL injection, the higher the level must be set. And

34
00:03:00,070 --> 00:03:00,970
risk three.

35
00:03:03,220 --> 00:03:05,170
And there are three risk values.

36
00:03:06,490 --> 00:03:11,440
The default value is one, which is innocuous for the majority of SQL injection points.

37
00:03:12,950 --> 00:03:20,120
Risk value two adds to the default level the tests for heavy query time-based SQL injections,

38
00:03:20,780 --> 00:03:25,940
and value three adds also OR-based SQL injection tests.

39
00:03:27,940 --> 00:03:29,110
Super.

40
00:03:30,330 --> 00:03:34,860
All right, so finally we discover the boolean-based blind injection.

41
00:03:35,810 --> 00:03:42,860
No, no, don't test any other, just look at the result. sqlmap discovers a hard injection type for

42
00:03:42,860 --> 00:03:43,070
us.

43
00:03:44,130 --> 00:03:47,720
OK, so bring in the banner data for me.

44
00:03:52,920 --> 00:03:58,740
And sure enough, it brings the banner information for the operating system, web application and server.

45
00:04:01,230 --> 00:04:06,840
So now think how hard it was for us to get one character of the version information.

46
00:04:08,570 --> 00:04:10,160
OK, so get the current database.

47
00:04:14,880 --> 00:04:15,310
OK.

48
00:04:15,460 --> 00:04:25,020
Something went wrong. Because sqlmap runs in single-thread mode, some data retrieval problems

49
00:04:25,020 --> 00:04:25,590
can happen.

50
00:04:27,150 --> 00:04:34,050
But I'm going to show you the threads a few seconds later, so before adding threads, I'll add these

51
00:04:34,050 --> 00:04:34,860
parameters.

52
00:04:35,970 --> 00:04:45,180
Prefix will add what I write before sqlmap's payload, and suffix will add what I write after

53
00:04:45,180 --> 00:04:46,950
sqlmap's payload.

54
00:04:48,390 --> 00:04:53,670
Then I can refresh the sqlmap session to start exploiting from the beginning.

55
00:04:59,490 --> 00:05:03,350
Now, have a look at the payload, it puts everything in place.

56
00:05:06,870 --> 00:05:08,400
So now get the current user.

57
00:05:12,230 --> 00:05:17,300
OK, and add threads 10 to retrieve data fast.

58
00:05:21,220 --> 00:05:24,290
Now, I couldn't see what happened, did you?

59
00:05:24,340 --> 00:05:30,130
It was very fast, so we can use the threads parameter for a bigger result set.

60
00:05:31,040 --> 00:05:36,020
Yeah, let's see, for example, this one, and make the threads 10.

61
00:05:38,800 --> 00:05:39,730
Look at how fast it is.

62
00:05:45,800 --> 00:05:48,800
So no and no, I don't want to crack hashes now.

63
00:05:50,520 --> 00:05:57,090
OK, so I think we're done with the boolean-based SQL injection, so let's have a look to see if

64
00:05:57,090 --> 00:05:57,750
there's another one.

65
00:05:58,360 --> 00:06:00,120
OK, so we go to Firefox.

66
00:06:01,270 --> 00:06:03,370
Open an appropriate page from the menu.

67
00:06:06,100 --> 00:06:09,340
And I need a request file, so.

68
00:06:11,260 --> 00:06:12,550
Type something in and search.

69
00:06:15,160 --> 00:06:15,850
Open Burp.

70
00:06:16,700 --> 00:06:25,040
And the request is here, so copy this to a file and save. OK, so go to the terminal again.

71
00:06:26,410 --> 00:06:27,070
And then run.

72
00:06:31,770 --> 00:06:35,940
And it will get a time-based blind SQL injection.

73
00:06:37,410 --> 00:06:39,480
OK, so we know this is not a surprise.

74
00:06:42,050 --> 00:06:45,530
We can also point with a technique parameter like that.

75
00:06:49,830 --> 00:06:51,540
OK, so get the banner information.

76
00:06:57,460 --> 00:06:59,500
Oh, yes, please do optimise.

77
00:07:06,290 --> 00:07:12,410
OK, so I'm going to stop it here because even sqlmap has its boundaries.

78
00:07:14,200 --> 00:07:20,170
So as we've done, sqlmap should also wait in time-based SQL injections.

79
00:07:22,500 --> 00:07:26,090
So now you may think, well, adding threads to the parameter can solve it.

80
00:07:27,720 --> 00:07:34,560
Well, good thought, but I am so very sorry, it doesn't work for time-based SQL injections.

81
00:07:37,420 --> 00:07:46,480
And as you can see, sqlmap is very clever, it completes the previous data retrieval process.

82
00:07:48,450 --> 00:07:55,800
OK, so I just can't wait that much. So finally we come to the end of the SQL injection part

83
00:07:55,800 --> 00:07:59,070
of this course. I hope you enjoyed that.