In this lecture I'd like to show you how we can use SQL injection to read any file on the server. So even if the file exists outside the www root, we'll be able to read it, exactly like a file disclosure vulnerability. And we'll also see how we can use it to write files and upload them to the system, just like a file upload vulnerability.

So the first thing we're going to have a look at is reading a file, and I'm going to set everything to null here. So I have my statement here, and I'm going to do select one. I'm on line number two because I'm going to do stuff in that. And we're going to do another three here, so null, null, null. So we have select null, null, null, null, null: five, because we have five records when we did the ORDER BY. And instead of selecting something (remember in the third video we did select database() for example, and it showed us the current database), what I want to do now is use another function, and that function is called load_file, and in here I'm going to set the file that I want to load. I'm going to use the same file that we had a look at in the file inclusion vulnerability, and it was /etc/passwd. So we're trying to read that file, and our statement is union select that file, and that's it.

So I'm going to copy this and I'm going to inject it here, and I'm going to add my %23, which is my comment. And as you can see, we managed to read all the information, all the content of /etc/passwd, even though it's not in the web root. So it's stored in /etc/passwd, so we can read anything on the server: from other websites, from other files, anywhere on the server. We can read that by specifying the full path of our file.

The next thing I'd like to show you is writing to the server. So we're actually going to write stuff to the server, and this is very useful because you'll be able to write any code you want. So for example you can write the code for a PHP script, you can write the code for a shell, a virus, or a PHP weevely code to get a connection back to you. So it basically just acts like a file upload vulnerability. And to do that, I'm going to write the code that I want to write here, and I'm going to call that for example just "example example". And we're going to use a function called outfile. So we're going to do into outfile, and then we're going to specify where we want to store that file. Now in the best case scenario you'd be able to write to your web root, and that will mean that you can access the file through the browser and execute it, so you can upload a weevely file and then connect to it and do stuff like that.

So let's try to do that first. So we're going to do it in /var/www, and that's our web root, so we'll be able to access things through it. Or you can even put /var/www and then put mutillidae after it to store it in there.

So the command is very simple again: union select, make sure you set everything to null, so that nothing gets written into the file except what you put in here. And I put "example example", and it's going to be stored into our file in /var/www/mutillidae, and we call that example. Let's try to run this and see if it works.

Now this didn't work. And if you come down here, you'll see that the output says MySQL is not allowed to create or write to this directory. So the problem is the permissions that we have don't allow us to write to this particular location. So just to test this exploit, I'm going to change this location to /tmp, which is the temp directory, and you'll see that you can actually write to it. So in real-life scenarios, it depends. You can try it and see if you're able to write stuff or not. And this is what we're trying to write now.

And if we go to the terminal here and then ls /tmp, you'll see that we have something called example, and if we try to read that, you'll see that it contains, obviously, the content of what we did before, which was the normal selection that you'd see. So what you see is the stuff for admin, and then it showed us what's in there, which is "example example", which is what we wanted to write to the file. Now you can obviously get rid of the admin and the admin pass stuff by just putting a wrong username, and nothing's going to be displayed here. So the only thing that you'll see is the output, which is "example example". But again, this is only useful if you're able to write to your web server, so you can access it and then use your shell or use your payload and further exploit the system.