1
00:00:01,740 --> 00:00:08,880
And this lecture I'd like to show you how we can use a skill injections to read any file on the server.

2
00:00:08,990 --> 00:00:15,050
So even if the file exists outside GWW root we'll be able to read it exactly like a file.

3
00:00:15,050 --> 00:00:16,770
Disclosure vulnerability.

4
00:00:17,060 --> 00:00:23,680
And we'll also see how we can use it to write files and upload them to the system just like a file upload

5
00:00:23,690 --> 00:00:24,760
vulnerability.

6
00:00:25,130 --> 00:00:31,820
So the first thing we're going to have a look at is the reason the file and I'm going to set everything

7
00:00:31,820 --> 00:00:32,470
to know here.

8
00:00:32,480 --> 00:00:37,700
So I have my statement here and I'm going to set select one I'm the Live number two because I'm going

9
00:00:37,700 --> 00:00:39,060
to do stuff in that.

10
00:00:39,470 --> 00:00:48,300
And we're going to do another three here so no no no.

11
00:00:48,540 --> 00:00:50,700
So we have select not something.

12
00:00:50,700 --> 00:00:51,500
No no no.

13
00:00:51,540 --> 00:00:55,970
So five because we have five records when we did the Order By.

14
00:00:56,450 --> 00:00:58,930
And instead of selecting something.

15
00:00:59,010 --> 00:01:06,460
Remember in the third video we did select database for example and it showed us the current database.

16
00:01:06,480 --> 00:01:11,370
What I want to do now is I want to do another function and that function is called Load file

17
00:01:15,320 --> 00:01:21,260
and in here I'm going to set the file that I want to load and I'm going to use the same file that we

18
00:01:21,260 --> 00:01:24,350
have the lock on in the file includes vulnerability.

19
00:01:24,470 --> 00:01:25,160
And it was.

20
00:01:25,160 --> 00:01:35,080
If you see password so we're trying to read that file and our statement is union select that file and

21
00:01:35,080 --> 00:01:35,640
that's it.

22
00:01:35,770 --> 00:01:42,540
So I'm going to copy this and I'm going to inject it here and I'm going to add my percentage 23 which

23
00:01:42,570 --> 00:01:47,720
is my comment.

24
00:01:47,890 --> 00:01:56,080
And as you can see we managed to read all the information all the content of it password even though

25
00:01:56,080 --> 00:02:01,690
it's not in the webroot So it's stored in it is the password so we can read anything in the server from

26
00:02:01,690 --> 00:02:04,650
other websites from other files anywhere in the server.

27
00:02:04,650 --> 00:02:10,360
We can read that by specifying the full path of our file.

28
00:02:10,370 --> 00:02:15,480
The next thing I'd like to show you is writing to the server.

29
00:02:15,480 --> 00:02:18,260
So we're actually going to write stuff to the server.

30
00:02:18,270 --> 00:02:23,190
And this is very useful because you'll be able to write any code you want.

31
00:02:23,190 --> 00:02:30,300
So for example you can write the code for a PH script you can write it write a code for a shell a virus

32
00:02:30,570 --> 00:02:33,630
or a PH We code to get our connection to you.

33
00:02:33,630 --> 00:02:37,530
So it's basically just act like a file upload vulnerability.

34
00:02:37,950 --> 00:02:43,110
And to do that I'm going to write the code that I want to do here and I'm going to call that for example

35
00:02:43,170 --> 00:02:47,360
just example example.

36
00:02:47,590 --> 00:02:51,990
And we're going to use a function called outfight.

37
00:02:52,000 --> 00:02:59,440
So we're going to do into I would fall and then we're going to specify where we want to store that file.

38
00:02:59,700 --> 00:03:06,330
Now in best case scenarios you'd be able to write to your Webroot and that will mean that you can access

39
00:03:06,330 --> 00:03:13,080
the file through the browser and execute it so you can upload a weekly file and then connect to it and

40
00:03:13,080 --> 00:03:14,600
do stuff like that.

41
00:03:14,610 --> 00:03:16,150
So let's try to do that first.

42
00:03:16,200 --> 00:03:21,860
So we're going to do it in our W W W and that's our web route.

43
00:03:21,890 --> 00:03:28,780
So we'll be able to access things through it or you can put it even Varda WW and then put Matel day

44
00:03:28,790 --> 00:03:32,360
after it to store it in there.

45
00:03:34,290 --> 00:03:39,660
So the command is very simple again Union select make sure you set everything and also that nothing

46
00:03:39,660 --> 00:03:42,740
gets written into the file except what you put in here.

47
00:03:42,750 --> 00:03:49,370
And I put the example example and it's going to be stored into our file enviro Debney WW Matel day.

48
00:03:49,620 --> 00:03:52,900
And we call that example.

49
00:03:55,520 --> 00:03:57,450
The.

50
00:03:57,660 --> 00:04:00,040
Let's try to run this and see if it works.

51
00:04:12,740 --> 00:04:14,060
Now this didn't work.

52
00:04:14,480 --> 00:04:23,570
And if you come down here you'll see that you out or my skill is not allowed to create or write to this

53
00:04:23,570 --> 00:04:24,280
directory.

54
00:04:24,410 --> 00:04:31,460
So the problem is we're not the permissions that we have don't allow us to write to this particular

55
00:04:31,460 --> 00:04:32,550
location.

56
00:04:32,930 --> 00:04:40,220
So just to test this exploit I'm going to change this location to GMP which is the time and you'll see

57
00:04:40,230 --> 00:04:42,200
that you can actually write them.

58
00:04:42,210 --> 00:04:44,450
So in real life scenarios.

59
00:04:44,450 --> 00:04:44,960
It depends.

60
00:04:44,960 --> 00:04:47,830
You can try it and see if you're able to write stuff or not.

61
00:04:48,170 --> 00:04:50,860
And this we're trying to write now.

62
00:04:50,870 --> 00:04:58,720
And if we read in term if we hear that and then ls and

63
00:05:01,400 --> 00:05:09,240
10 you'll see that we have something called the example and if we try to read that you'll see that it

64
00:05:09,240 --> 00:05:10,030
contains.

65
00:05:10,140 --> 00:05:18,140
Obviously it contains the content of what we did before which was the normal selection that you'd see.

66
00:05:18,150 --> 00:05:25,320
So what you see for putting the stuff for other men and then it showed us what's in there which is example

67
00:05:25,320 --> 00:05:32,000
example which is what we wanted to write to the file.

68
00:05:32,190 --> 00:05:37,200
Now you can obviously get rid of the admin and the admin pass stuff by just putting a wrong username

69
00:05:37,410 --> 00:05:39,410
and nothing's going to be displayed here.

70
00:05:39,510 --> 00:05:45,030
So the only thing that you'll see is the output which is example example.

71
00:05:45,390 --> 00:05:52,350
But again this is only useful if you're able to write your web server so you can access it and then

72
00:05:52,350 --> 00:05:57,110
use your shell or use your payload and further exploit the system.