1
00:00:01,290 --> 00:00:09,410
And this lecture I'd like to show you an example of how to discover an exploit and a blind askew injection.

2
00:00:10,100 --> 00:00:15,650
Now a blind Escurial injection is one that doesn't display any errors to you.

3
00:00:15,770 --> 00:00:21,620
So we've seen in our previous examples let me just go to a skill injection and if I just put a single

4
00:00:21,620 --> 00:00:22,330
quote here

5
00:00:26,030 --> 00:00:31,370
you'll see that it actually displays an error for me which tells me that this page is vulnerable and

6
00:00:31,370 --> 00:00:37,640
I can exploit this page with a skill injection and a blindest cure injection However it will not show

7
00:00:37,640 --> 00:00:39,180
any errors for us.

8
00:00:39,200 --> 00:00:43,070
So right here in the blind this all if I put a quote and execute it.

9
00:00:43,220 --> 00:00:46,390
You see that it's not going to show me any errors at all.

10
00:00:46,430 --> 00:00:49,260
This doesn't mean that the web page isn't vulnerable.

11
00:00:49,460 --> 00:00:55,000
It just means that the Web site might not be displaying errors and this page might have applied as kill

12
00:00:55,010 --> 00:00:57,470
injection and real life scenarios.

13
00:00:57,470 --> 00:01:05,810
I always approach the pages and try to discover exploit them as nine Asgill injections so I never actually

14
00:01:05,810 --> 00:01:12,470
look for errors and I never depend on just putting a single quote The way I test for the existence of

15
00:01:12,470 --> 00:01:19,190
muscular injections is that I tried to inject a true and a false statement and then see if the if the

16
00:01:19,190 --> 00:01:22,410
page behaves according to the statements that I'm given.

17
00:01:22,430 --> 00:01:25,250
So if I give it a true statement it should give me a valid page.

18
00:01:25,400 --> 00:01:28,940
If I give a false statement it will give me an invalid page.

19
00:01:28,940 --> 00:01:33,650
What I mean by an invalid page is a page that doesn't look like what I expect.

20
00:01:33,740 --> 00:01:35,650
So it doesn't have to show an error.

21
00:01:36,020 --> 00:01:37,270
This will come more clear now.

22
00:01:37,280 --> 00:01:40,570
In the example I'm just going to put one out to see a valid page.

23
00:01:40,580 --> 00:01:46,430
So literally I'm just put in a normal user ID and we can see that it's given us a valid page so it's

24
00:01:46,430 --> 00:01:48,490
given us the first name and the surname.

25
00:01:48,650 --> 00:01:53,810
And this is what the default what a valid page looks like in this web application.

26
00:01:55,080 --> 00:02:00,070
So the first thing I'm going to try to do is try to give it a true statement a statement that returns

27
00:02:00,210 --> 00:02:02,640
true and this is going to be

28
00:02:06,670 --> 00:02:08,150
ones equal to 1.

29
00:02:08,230 --> 00:02:09,860
So this is obviously true.

30
00:02:10,000 --> 00:02:19,090
And when I inject this if the page is vulnerable it should still show me the valid page song and I'm

31
00:02:19,090 --> 00:02:26,130
going to inject it here and one is equal to one.

32
00:02:26,240 --> 00:02:27,840
I forgot to put my comment here.

33
00:02:27,840 --> 00:02:31,820
I'm just going to put the comment percentage 20:3

34
00:02:35,240 --> 00:02:40,250
Now as you can see the page is showing me a valid page again showing the first name and the surname

35
00:02:41,490 --> 00:02:46,110
so it's executed while I'm still in it at all that one is equal to on one is equal to and is a true

36
00:02:46,110 --> 00:02:46,620
statement.

37
00:02:46,620 --> 00:02:49,600
It's not going to affect the execution of the page.

38
00:02:49,650 --> 00:02:54,030
Now I'm going to do is I'm going to try to inject a false statement so I'm going to try to break the

39
00:02:54,030 --> 00:02:57,260
page even though I'm given one which is a valid ID.

40
00:02:57,540 --> 00:03:01,360
So my false statement is going to be and one is equal to zero.

41
00:03:01,860 --> 00:03:12,700
So that's going to be false and I'm going to go away and injected now and as you can see the page doesn't

42
00:03:12,700 --> 00:03:18,520
show the default varlets page even though I'm given number one so you don't see any errors like we've

43
00:03:18,520 --> 00:03:20,820
seen with the normal Asgill injections.

44
00:03:20,830 --> 00:03:22,720
But you can see that the page isn't valid.

45
00:03:22,720 --> 00:03:25,020
It's not just plain what it should display.

46
00:03:25,030 --> 00:03:27,380
Even that will give in the ID equals one.

47
00:03:27,640 --> 00:03:32,270
So when we give a true statement it's given a valid page when we give a false statement.

48
00:03:32,290 --> 00:03:34,630
It's given an invalid page.

49
00:03:34,800 --> 00:03:37,650
We can also verify this using the Order By.

50
00:03:37,710 --> 00:03:44,800
So I'm going to put one and then I'm going to ask it to order by one show order by only one column which

51
00:03:44,800 --> 00:03:46,620
basically is a true statement.

52
00:03:46,630 --> 00:03:47,970
It's always true.

53
00:03:48,320 --> 00:03:55,190
So this is going to be my true statement and I'm going to execute it here.

54
00:04:01,590 --> 00:04:07,710
And as you can see now it's displaying the valid page that we've seen with the and one is equal to one.

55
00:04:07,860 --> 00:04:13,110
So we can also change this to a false statement to give us an invalid page and we're going to ask it

56
00:04:13,110 --> 00:04:15,600
to order by a very large number.

57
00:04:15,810 --> 00:04:19,380
So I'm just going to put 1 000 zero.

58
00:04:19,470 --> 00:04:22,070
So this is going to be my fourth statement.

59
00:04:22,200 --> 00:04:32,130
And if the page is injectable then it should show me an invalid page or a page that I don't really expect.

60
00:04:32,170 --> 00:04:38,380
And again we see a page that we don't expect which means that this website is vulnerable even though

61
00:04:38,380 --> 00:04:41,860
it doesn't actually show us any error pages about the rescue effort.

62
00:04:43,910 --> 00:04:49,340
Now that we're sure that this page is vulnerable we can actually exploit this vulnerability exactly

63
00:04:49,340 --> 00:04:52,630
the same way that we exploit normal as kill injections.

64
00:04:52,730 --> 00:05:01,640
So I can just do a union select one to as you can see I can display stuff in one and two and I'm going

65
00:05:01,640 --> 00:05:03,320
to sit next table name

66
00:05:06,390 --> 00:05:11,390
from informations Kiama tables

67
00:05:14,500 --> 00:05:16,780
and I've actually misspelled schema here.

68
00:05:18,810 --> 00:05:24,970
So the exploitation part is exactly the same whether it's a blind or a normal Asgill injection.

69
00:05:24,990 --> 00:05:30,360
The only difference is the way you discover it and I recommend that you always approach your websites

70
00:05:30,600 --> 00:05:33,330
and try to discover like this kill injections.

71
00:05:33,330 --> 00:05:35,560
So I never rely on only use in a quote.

72
00:05:35,560 --> 00:05:39,560
Always try to use the and one is equal to one one is equal to zero.

73
00:05:39,690 --> 00:05:45,780
And also use the order by to try and discover this dipole vulnerabilities because if you rely on the

74
00:05:45,780 --> 00:05:49,130
quotes you'll be missing a lot of mind scale injections.

75
00:05:49,200 --> 00:05:52,290
There are just as useful as normal Asgill injections.