1
00:00:01,640 --> 00:00:06,390
In all of the lectures so far we were exploiting SQL injections manually.

2
00:00:06,560 --> 00:00:13,700
So we were injecting the code into the URL or into the text boxes, and in this video I'm going to show you

3
00:00:13,700 --> 00:00:20,160
a tool called sqlmap, which allows you to do everything we learned so far and even more stuff.

4
00:00:21,350 --> 00:00:26,760
This tool can be used against MySQL databases, which is the one that we were having the example on.

5
00:00:26,870 --> 00:00:33,320
It can also be used against Microsoft SQL, Oracle and other database types.

6
00:00:33,380 --> 00:00:36,790
The tool is very useful and is very handy in many cases.

7
00:00:36,830 --> 00:00:42,740
Sometimes the injections aren't as nice as the one we see, and sometimes you only get one output for

8
00:00:42,740 --> 00:00:48,620
each record and you have to look through all the outputs, so this can automate that and just do everything

9
00:00:48,620 --> 00:00:52,330
for you, much easier and much simpler.

10
00:00:52,340 --> 00:00:56,600
So let's first of all get the URL that we were using for the injection.

11
00:00:56,780 --> 00:01:02,350
So I have that text file here that we were using, and I have the URL that we were using before, so it's

12
00:01:02,360 --> 00:01:06,640
the user-info.php, username=admin, password=admin.

13
00:01:06,740 --> 00:01:09,170
You don't really need to know the username and password.

14
00:01:09,170 --> 00:01:12,430
So I'm actually just going to put anything here.

15
00:01:12,470 --> 00:01:17,480
So just assume that we don't know the password, so we're only injecting SQL injections, we

16
00:01:17,480 --> 00:01:19,490
don't really need to know any of this stuff.
17
00:01:20,330 --> 00:01:30,840
What I'm going to do is copy this, and then I'm going to run sqlmap, and I'm going to do -u, specify the

18
00:01:30,930 --> 00:01:39,310
URL, and I'll put my target, and I'm going to make sure that it happens between two quotation marks so

19
00:01:39,310 --> 00:01:41,030
that it doesn't ignore anything.

20
00:01:41,280 --> 00:01:46,200
And any signs in the middle, so we have some signs and characters in the middle that I want to all

21
00:01:46,210 --> 00:01:48,520
be treated as one URL.

22
00:01:48,580 --> 00:01:56,450
So all I did is sqlmap -u, my target, and then hit enter, and it's going to automatically look through all the parameters,

23
00:01:56,450 --> 00:02:01,630
so it's going to look through the user-info, through the username and password, to see if any of them

24
00:02:01,630 --> 00:02:02,940
is injectable.

25
00:02:03,010 --> 00:02:08,260
And then once it does that it's going to store it in its memory, so it's going to know that this is injectable

26
00:02:08,440 --> 00:02:15,220
and then we'll be able to further exploit the target. So you can see now it thinks that our target could

27
00:02:15,220 --> 00:02:22,270
be MySQL or PostgreSQL, as well as asking me if it should skip other tests, and I'm going to

28
00:02:22,270 --> 00:02:29,740
say yes because I know it's MySQL, and now it's asking me if it should do all the tests for both

29
00:02:29,740 --> 00:02:33,480
databases, and I'm gonna say yes, assuming that I'm not sure which one it is.

30
00:02:33,700 --> 00:02:38,440
I know it's MySQL but I'm just going to let it do its thing, and we'll see if it can do it properly

31
00:02:38,440 --> 00:02:39,060
or not.

32
00:02:40,960 --> 00:02:47,320
So at the moment it's checking if it's PostgreSQL, and we'll see when it's done.
33
00:02:47,400 --> 00:02:54,500
No, that's not it, and then it works, and it's going to know that it's MySQL. It just found out that the

34
00:02:54,500 --> 00:03:03,120
username seems to be injectable, and sure enough, it tells us that the parameter username is vulnerable

35
00:03:03,480 --> 00:03:04,630
and we can inject it.

36
00:03:04,620 --> 00:03:08,880
So it's asking me, do I want to check the other parameters, such as the password and all of them?

37
00:03:08,880 --> 00:03:10,310
I can say yes and do it.

38
00:03:10,320 --> 00:03:15,080
I'm going to say no, because I don't mind if it just uses the username for the injection.

39
00:03:15,090 --> 00:03:16,200
So it's all good.

40
00:03:16,740 --> 00:03:23,370
Now sqlmap knows that the target is injectable, and it knows that it's going to use the username parameter

41
00:03:23,580 --> 00:03:30,780
to inject stuff, and I guess that it figured out that it's running Linux Ubuntu, and it's figured

42
00:03:30,780 --> 00:03:38,700
out that it's using PHP with Apache 2.2.8, and it's using MySQL server as the database server.

43
00:03:39,270 --> 00:03:42,410
So let's run sqlmap --help and see what we can do now.

44
00:03:43,840 --> 00:03:47,230
Now this tool is really big and allows you to do a lot of things.

45
00:03:47,230 --> 00:03:53,870
So in this video I'm just going to show you a quick look at the tool, and I recommend you spend more

46
00:03:53,870 --> 00:03:57,880
time with it and try to see what else you can do with it.

47
00:03:59,450 --> 00:03:59,830
OK.

48
00:03:59,860 --> 00:04:06,370
So let's try to get the current user, and we're going to try to get the current database.

49
00:04:06,550 --> 00:04:11,190
So we're going to use the same command that we used before, and I'm just going to add to it

50
00:04:12,840 --> 00:04:15,780
--dbs, I'm asking it to get the current databases.

51
00:04:20,270 --> 00:04:21,030
--dbs.
52
00:04:21,060 --> 00:04:26,160
Sorry, as you can see we got all the databases that we have.

53
00:04:26,190 --> 00:04:29,860
So we have dvwa, we have information_schema, metasploit,

54
00:04:29,890 --> 00:04:34,630
mysql, owasp10, which was the one that we were exploiting before,

55
00:04:34,650 --> 00:04:39,570
tikiwiki. Now if we do --current-user

56
00:04:45,270 --> 00:04:47,290
you can see that we are root.

57
00:04:47,300 --> 00:04:49,390
And if I do --current-db

58
00:04:52,260 --> 00:04:55,920
we will see that owasp10 is our current database.

59
00:04:55,970 --> 00:04:58,800
So now let's try to get the tables for us.

60
00:04:58,830 --> 00:05:06,280
So remember when we did select table_name from information_schema.tables where table_schema

61
00:05:06,280 --> 00:05:09,230
is equal to owasp10, that's what we're going to do.

62
00:05:09,230 --> 00:05:11,720
Again, let me ask sqlmap to do all of that for us.

63
00:05:11,740 --> 00:05:18,760
And so the command is going to be, we're going to ask it to get all the tables for us, and we're going

64
00:05:18,760 --> 00:05:29,650
to use the -D option to specify the database, and our database is going to be called owasp10.

65
00:05:29,770 --> 00:05:32,330
And as you can see it got us all the tables that exist.

66
00:05:32,340 --> 00:05:38,430
And remember it's the same, we got accounts, the logs table and the credit cards as well.

67
00:05:38,840 --> 00:05:44,630
And now we want to get the columns, then we can use the same command again, and we're going to say get

68
00:05:44,630 --> 00:05:46,420
me the columns

69
00:05:49,530 --> 00:06:02,150
where the table is called accounts and the database is owasp10, and right here we can see that we got the

70
00:06:02,150 --> 00:06:02,840
columns.

71
00:06:02,990 --> 00:06:11,120
So we have is_admin, password and the username, and we can get the data using the --dump option.
72
00:06:11,970 --> 00:06:18,940
So the same command that we used before, so we'll get the data from the table that's called accounts and

73
00:06:18,940 --> 00:06:21,610
the database that is called owasp10.

74
00:06:21,690 --> 00:06:24,280
I want it to get me all the data.

75
00:06:25,050 --> 00:06:31,110
And here we go, we got all the data, we have the admin, password adminpass, and we have Adrian and his

76
00:06:31,110 --> 00:06:36,270
password is password, and we got all the data right here.

77
00:06:36,270 --> 00:06:38,970
So as I said, the tool is very useful.

78
00:06:39,030 --> 00:06:42,020
It can be used to make our life much easier.

79
00:06:42,060 --> 00:06:47,000
It does everything automatically, and it can do everything we did and can even do more stuff.