1
00:00:01,290 --> 00:00:09,410
In this lecture I'd like to show you an example of how to discover and exploit a blind SQL injection.

2
00:00:10,100 --> 00:00:15,650
Now a blind SQL injection is one that doesn't display any errors to you.

3
00:00:15,770 --> 00:00:21,620
So we've seen in our previous examples, let me just go to SQL injection, and if I just put a single

4
00:00:21,620 --> 00:00:22,330
quote here

5
00:00:26,030 --> 00:00:31,370
you'll see that it actually displays an error for me, which tells me that this page is vulnerable and

6
00:00:31,370 --> 00:00:37,640
I can exploit this page with a SQL injection. A blind SQL injection, however, will not show

7
00:00:37,640 --> 00:00:39,180
any errors for us.

8
00:00:39,200 --> 00:00:43,070
So right here in the blind SQL injection page, if I put a quote and execute it,

9
00:00:43,220 --> 00:00:46,390
you see that it's not going to show me any errors at all.

10
00:00:46,430 --> 00:00:49,260
This doesn't mean that the web page isn't vulnerable.

11
00:00:49,460 --> 00:00:55,000
It just means that the website might not be displaying errors, and this page might have a blind SQL

12
00:00:55,010 --> 00:00:57,470
injection. In real-life scenarios,

13
00:00:57,470 --> 00:01:05,810
I always approach the pages and try to discover and exploit them as blind SQL injections, so I never actually

14
00:01:05,810 --> 00:01:12,470
look for errors and I never depend on just putting a single quote. The way I test for the existence of

15
00:01:12,470 --> 00:01:19,190
SQL injections is that I try to inject a true and a false statement and then see if the

16
00:01:19,190 --> 00:01:22,410
page behaves according to the statements that I'm giving.

17
00:01:22,430 --> 00:01:25,250
So if I give it a true statement it should give me a valid page.

18
00:01:25,400 --> 00:01:28,940
If I give a false statement it will give me an invalid page.
19
00:01:28,940 --> 00:01:33,650
What I mean by an invalid page is a page that doesn't look like what I expect.

20
00:01:33,740 --> 00:01:35,650
So it doesn't have to show an error.

21
00:01:36,020 --> 00:01:37,270
This will become more clear now.

22
00:01:37,280 --> 00:01:40,570
In the example I'm just going to put 1 to see a valid page.

23
00:01:40,580 --> 00:01:46,430
So literally I'm just putting in a normal user ID, and we can see that it's given us a valid page, so it's

24
00:01:46,430 --> 00:01:48,490
given us the first name and the surname.

25
00:01:48,650 --> 00:01:53,810
And this is what the default, what a valid page, looks like in this web application.

26
00:01:55,080 --> 00:02:00,070
So the first thing I'm going to try to do is try to give it a true statement, a statement that returns

27
00:02:00,210 --> 00:02:02,640
true, and this is going to be

28
00:02:06,670 --> 00:02:08,150
one is equal to 1.

29
00:02:08,230 --> 00:02:09,860
So this is obviously true.

30
00:02:10,000 --> 00:02:19,090
And when I inject this, if the page is vulnerable it should still show me the valid page, so I'm

31
00:02:19,090 --> 00:02:26,130
going to inject it here: and one is equal to one.

32
00:02:26,240 --> 00:02:27,840
I forgot to put my comment here.

33
00:02:27,840 --> 00:02:31,820
I'm just going to put the comment, percent 23.

34
00:02:35,240 --> 00:02:40,250
Now as you can see the page is showing me a valid page again, showing the first name and the surname,

35
00:02:41,490 --> 00:02:46,110
so it's executed, while I'm still telling it that one is equal to one. One is equal to one is a true

36
00:02:46,110 --> 00:02:46,620
statement.

37
00:02:46,620 --> 00:02:49,600
It's not going to affect the execution of the page.

38
00:02:49,650 --> 00:02:54,030
Now what I'm going to do is I'm going to try to inject a false statement, so I'm going to try to break the

39
00:02:54,030 --> 00:02:57,260
page even though I'm giving it one, which is a valid ID.
40
00:02:57,540 --> 00:03:01,360
So my false statement is going to be: and one is equal to zero.

41
00:03:01,860 --> 00:03:12,700
So that's going to be false, and I'm going to go ahead and inject it now, and as you can see the page doesn't

42
00:03:12,700 --> 00:03:18,520
show the default valid page even though I'm giving it number one, so you don't see any errors like we've

43
00:03:18,520 --> 00:03:20,820
seen with the normal SQL injections.

44
00:03:20,830 --> 00:03:22,720
But you can see that the page isn't valid.

45
00:03:22,720 --> 00:03:25,020
It's not displaying what it should display,

46
00:03:25,030 --> 00:03:27,380
even though we're giving it the ID equals one.

47
00:03:27,640 --> 00:03:32,270
So when we give a true statement it's giving a valid page; when we give a false statement,

48
00:03:32,290 --> 00:03:34,630
it's giving an invalid page.

49
00:03:34,800 --> 00:03:37,650
We can also verify this using the ORDER BY.

50
00:03:37,710 --> 00:03:44,800
So I'm going to put one and then I'm going to ask it to order by 1, so order by only one column, which

51
00:03:44,800 --> 00:03:46,620
basically is a true statement.

52
00:03:46,630 --> 00:03:47,970
It's always true.

53
00:03:48,320 --> 00:03:55,190
So this is going to be my true statement and I'm going to execute it here.

54
00:04:01,590 --> 00:04:07,710
And as you can see now it's displaying the valid page that we've seen with the "and one is equal to one".

55
00:04:07,860 --> 00:04:13,110
So we can also change this to a false statement to give us an invalid page, and we're going to ask it

56
00:04:13,110 --> 00:04:15,600
to order by a very large number.

57
00:04:15,810 --> 00:04:19,380
So I'm just going to put 1000.

58
00:04:19,470 --> 00:04:22,070
So this is going to be my false statement.

59
00:04:22,200 --> 00:04:32,130
And if the page is injectable then it should show me an invalid page or a page that I don't really expect.
60
00:04:32,170 --> 00:04:38,380
And again we see a page that we don't expect, which means that this website is vulnerable even though

61
00:04:38,380 --> 00:04:41,860
it doesn't actually show us any error pages about the SQL error.

62
00:04:43,910 --> 00:04:49,340
Now that we're sure that this page is vulnerable, we can actually exploit this vulnerability exactly

63
00:04:49,340 --> 00:04:52,630
the same way that we exploit normal SQL injections.

64
00:04:52,730 --> 00:05:01,640
So I can just do a union select 1,2, and as you can see I can display stuff in 1 and 2, and I'm going

65
00:05:01,640 --> 00:05:03,320
to select table_name

66
00:05:06,390 --> 00:05:11,390
from information_schema.tables

67
00:05:14,500 --> 00:05:16,780
and I've actually misspelled schema here.

68
00:05:18,810 --> 00:05:24,970
So the exploitation part is exactly the same whether it's a blind or a normal SQL injection.

69
00:05:24,990 --> 00:05:30,360
The only difference is the way you discover it, and I recommend that you always approach your websites

70
00:05:30,600 --> 00:05:33,330
and try to discover SQL injections like this.

71
00:05:33,330 --> 00:05:35,560
So I never rely on only using a quote.

72
00:05:35,560 --> 00:05:39,560
Always try to use the "and one is equal to one", "one is equal to zero",

73
00:05:39,690 --> 00:05:45,780
and also use the order by to try and discover this type of vulnerabilities, because if you rely on the

74
00:05:45,780 --> 00:05:49,130
quotes you'll be missing a lot of blind SQL injections.

75
00:05:49,200 --> 00:05:52,290
They are just as useful as normal SQL injections.