1
00:00:02,310 --> 00:00:09,300
OK, now let's go ahead and have a look at the medium security level and see if we can exploit this stored

2
00:00:09,300 --> 00:00:11,770
cross-site scripting vulnerability.

3
00:00:11,850 --> 00:00:17,100
Now, before you do anything, because this page will automatically contain code that will run every time

4
00:00:17,100 --> 00:00:18,250
the page loads,

5
00:00:18,300 --> 00:00:21,590
you can go to Setup and reset the database.

6
00:00:21,600 --> 00:00:24,090
This will basically reset everything.

7
00:00:24,210 --> 00:00:31,640
And when you go back to the stored XSS page, it shows nothing, because all the records will be deleted.

8
00:00:31,640 --> 00:00:39,260
Now I'm also going to go to the security page and I'm going to set the security to medium, submit it, and go

9
00:00:39,260 --> 00:00:41,490
back to our stored XSS page.

10
00:00:41,610 --> 00:00:46,610
Now, in the medium security level, the message text box is not injectable.

11
00:00:46,680 --> 00:00:53,400
And we'll talk about that in the next video. For now, all I'm going to try is to inject in the name.

12
00:00:53,530 --> 00:00:59,440
So first of all we're going to try our code that we always use, so it's not just the normal code, we're

13
00:00:59,440 --> 00:01:02,950
capitalizing some of the letters.

14
00:01:03,180 --> 00:01:08,040
And you can see that we can't really write much in the name, because it's limited to 10 characters.

15
00:01:08,070 --> 00:01:15,120
This can be easily bypassed by right-clicking, Inspect Element to see the code, and then we're going to

16
00:01:15,120 --> 00:01:18,900
change the maxlength here to 100.

17
00:01:19,150 --> 00:01:22,080
Then we can put 100 characters in here.

18
00:01:22,160 --> 00:01:26,610
So again I'm just going to paste my code and I'm going to put anything here.

19
00:01:26,960 --> 00:01:28,150
Sign the guestbook.

20
00:01:29,650 --> 00:01:34,870
Now, as you can see, we managed to bypass it just like that.

21
00:01:35,130 --> 00:01:42,160
What I also want to show you is how to run one of these payloads without using a quote.

22
00:01:42,180 --> 00:01:48,360
So some websites use filtering on single quotes or even double quotes, and they'd be removing

23
00:01:48,360 --> 00:01:48,820
them.

24
00:01:49,020 --> 00:01:57,920
So what you could do is you can try to use this function, String.fromCharCode, and instead of putting

25
00:01:57,920 --> 00:02:04,290
a string in here, exactly the same way that we did with SQL when we used hex, in this case we're

26
00:02:04,290 --> 00:02:08,190
going to convert the string, or the text, to char codes.

27
00:02:08,190 --> 00:02:13,530
So you can do that from Google if you just Google "charCode calculator".

28
00:02:18,520 --> 00:02:23,110
And I'm going to put this link in the description. We're going to use the first one, and I'm just going

29
00:02:23,110 --> 00:02:26,670
to put... I'm going to call this one XXX2.

30
00:02:26,680 --> 00:02:30,990
So we don't get mixed up with the first one, and I'm going to get its code.

31
00:02:30,990 --> 00:02:32,580
So this is the code,

32
00:02:35,400 --> 00:02:36,720
we're going to copy that.

33
00:02:37,410 --> 00:02:39,990
And we're going to substitute it in here.

34
00:02:41,380 --> 00:02:42,410
And then we'll go on.

35
00:02:42,420 --> 00:02:43,920
So this is going to be normal.

36
00:02:44,080 --> 00:02:49,810
And I've also just made one of the letters small in here, and I made one of these small, just so that we

37
00:02:49,810 --> 00:02:54,850
can bypass any filters if they're checking for "script", and then, instead of putting the

38
00:02:54,850 --> 00:02:57,010
text in here between these two brackets,

39
00:02:57,100 --> 00:02:59,970
we're actually saying String.fromCharCode.

40
00:02:59,980 --> 00:03:05,400
So basically, decode these char codes and then run the result as a string.

41
00:03:05,400 --> 00:03:08,040
So let's go ahead and run this and see if it works.

42
00:03:08,040 --> 00:03:12,360
Now we're going to add it again; we're going to have to change the maxlength to 100 in here.

43
00:03:15,610 --> 00:03:17,200
And then I'm going to inject it.

44
00:03:17,200 --> 00:03:18,570
Put anything in here.

45
00:03:18,580 --> 00:03:19,670
Sign it.

46
00:03:19,690 --> 00:03:25,040
This is the first one, the first entry, and as you can see, our second one,

47
00:03:25,060 --> 00:03:31,000
it's been executed, and we managed to execute this second entry without putting any quotes in the

48
00:03:31,000 --> 00:03:31,770
payload.