1
00:00:01,240 --> 00:00:05,560
In this lecture we're going to have a look at file upload vulnerabilities.

2
00:00:05,940 --> 00:00:11,840
These are the simplest type of vulnerabilities because they allow us to upload any type of file.

3
00:00:12,180 --> 00:00:18,640
So for example, if the target computer can understand PHP, then we can upload any PHP file, a PHP

4
00:00:18,630 --> 00:00:23,880
shell, and get full control over the target computer.

5
00:00:23,890 --> 00:00:29,770
Now if the target computer or the target server understands Python or any other language, then you can

6
00:00:29,770 --> 00:00:36,270
just upload Python code, a Python shell or a Ruby shell. You can create the shell using Veil-Evasion or Metasploit,

7
00:00:36,270 --> 00:00:43,480
or you can use your own PHP or Python shell.

8
00:00:43,680 --> 00:00:49,460
What we're going to do today, we're going to have a look at a tool called Weevely that generates PHP shells

9
00:00:49,470 --> 00:00:56,520
and allows us to gain access and do a number of cool things on the target computer.

10
00:00:56,520 --> 00:01:01,340
So first of all, I have my DVWA here.

11
00:01:01,770 --> 00:01:06,600
And usually when you're trying to pentest a website, what I recommend is, before trying to use any tools

12
00:01:06,600 --> 00:01:12,390
or anything, after you do your information gathering, you just go in and try to browse the website,

13
00:01:12,390 --> 00:01:18,420
you see what you can see, just get a feel of the website, see what's installed on it and all that, and

14
00:01:18,420 --> 00:01:21,180
try to exploit any features you see.

15
00:01:21,180 --> 00:01:25,580
So for example, let's say you went through everything and then you reach the upload.

16
00:01:25,730 --> 00:01:29,110
We can see that this website allows us to upload a file.

17
00:01:29,120 --> 00:01:35,780
Now sometimes, in your penetration testing tasks, it could be a website that allows you to upload

18
00:01:35,780 --> 00:01:41,720
a profile picture, a picture; if it's a classifieds website maybe it will allow you to upload pictures

19
00:01:42,050 --> 00:01:46,320
of cars or whatever you're trying to add to the website.

20
00:01:46,340 --> 00:01:51,290
So as you can see here, the website expects you to choose an image and upload an image.

21
00:01:51,590 --> 00:01:54,000
So let's see if we can upload an image first.

22
00:01:54,020 --> 00:02:00,660
So I'm going to go to my Downloads, and I have a picture here in the resources, just a picture of my

23
00:02:00,660 --> 00:02:01,450
car.

24
00:02:01,740 --> 00:02:04,050
I'm going to upload it and see if it gets uploaded.

25
00:02:05,500 --> 00:02:11,370
And you can see that the upload was successful and it's stored in this particular location.

26
00:02:11,380 --> 00:02:15,740
So it's dot dot, dot dot, which means two directories back.

27
00:02:15,820 --> 00:02:18,040
And then this filename.

28
00:02:18,160 --> 00:02:21,060
So let's see if the picture has actually been uploaded.

29
00:02:21,110 --> 00:02:25,030
So I'm taking away two directories, and taking away "vulnerabilities" and "upload".

30
00:02:25,300 --> 00:02:27,250
I want to use that.

31
00:02:27,460 --> 00:02:34,570
And then we're going to go to this location on the server just to see if the picture was uploaded properly.

32
00:02:38,160 --> 00:02:42,480
And as you can see, the picture has been uploaded, so that's all good.

33
00:02:42,540 --> 00:02:48,240
Now the next thing, let's try and upload a PHP file, and to do that we're going to use a tool

34
00:02:48,240 --> 00:02:53,500
called Weevely, as I said, to create a payload, or a shell if you want to call it that.

35
00:02:53,970 --> 00:02:57,890
And obviously it's going to be a PHP shell. You can use Veil,

36
00:02:57,900 --> 00:03:00,060
as I said, to create a PHP payload.

37
00:03:00,270 --> 00:03:06,240
But we're going to be just having a look at a different tool that's designed for web application penetration

38
00:03:06,240 --> 00:03:09,520
testing, so the tool is very easy.

39
00:03:09,550 --> 00:03:12,900
We're going to put the tool name, which is weevely.

40
00:03:13,220 --> 00:03:20,730
And then we're going to put generate, because we want to generate a payload or a shell file. Then we

41
00:03:20,730 --> 00:03:27,370
will put a password for that file so that only we can access it and control the website when we upload

42
00:03:27,370 --> 00:03:28,630
it to the website.

43
00:03:28,660 --> 00:03:33,670
So my password is going to be one two three four five six, and then I'm going to say where I want to store

44
00:03:33,670 --> 00:03:41,930
it, and I want to store it in root and I'm going to call it shell.php. So, very simple really: it's

45
00:03:41,930 --> 00:03:48,120
the name of the program, generate to generate a shell, the password that the shell is going to authenticate

46
00:03:48,120 --> 00:03:54,050
us with, and it's going to be stored in root/shell.php. We're going to hit enter and it's created.

47
00:03:54,050 --> 00:04:01,090
Now I'm already in my root, so if I just do ls I should see it, and we can see it right here.

48
00:04:01,140 --> 00:04:05,190
So the next thing is, we're just going to go back to our website and try to upload that shell,

49
00:04:11,750 --> 00:04:13,140
and I'm going to look for the shell.

50
00:04:13,370 --> 00:04:16,410
And here it is, going to upload,

51
00:04:19,160 --> 00:04:24,200
and as you can see now it's telling me the file has been uploaded successfully and it's in the same place that

52
00:04:24,200 --> 00:04:25,180
the picture was.

53
00:04:25,370 --> 00:04:31,880
So all you need to do now is, we're going to use the same link and we're going to use weevely again to

54
00:04:31,880 --> 00:04:34,540
interact with that shell that we uploaded.

55
00:04:34,550 --> 00:04:38,570
Now let's first of all see if the shell exists and it's been uploaded properly.

56
00:04:38,570 --> 00:04:44,480
So I'm just going to browse through my browser to the shell's page.

57
00:04:44,810 --> 00:04:48,980
And you can see that you get a blank page, so we're not getting 404 file not found,

58
00:04:49,070 --> 00:04:52,690
which means that the file has been uploaded and it's there.

59
00:04:52,760 --> 00:04:56,480
So we're going to try to interact with it, to connect to it.

60
00:04:56,480 --> 00:05:02,050
We're going to type in weevely and then we're going to put the URL where the shell is.

61
00:05:02,060 --> 00:05:08,000
So this is where our shell has been uploaded, and then we're going to put the password. My password was 1 2 3

62
00:05:08,000 --> 00:05:09,100
4 5 6.

63
00:05:09,110 --> 00:05:10,430
Very simple really.

64
00:05:10,550 --> 00:05:13,980
The URL where the file is, 1 2 3 4 5 6.

65
00:05:14,000 --> 00:05:14,970
This is very simple.

66
00:05:15,000 --> 00:05:20,190
It's similar to when you use your multi-handler waiting for connections, or connect to your backdoor.

67
00:05:20,210 --> 00:05:23,790
So we're literally just going to connect to the backdoor that we uploaded.

68
00:05:24,170 --> 00:05:26,730
And as you can see, now we're in the file system.

69
00:05:26,840 --> 00:05:33,410
So from here, from this place, you can actually just type in any Linux command and

70
00:05:33,410 --> 00:05:37,580
it will be executed on the target computer and you'll see the result here.

71
00:05:37,580 --> 00:05:44,960
So if I do pwd you'll see that I'm in /var/www, in hackable/uploads.

72
00:05:45,200 --> 00:05:52,030
And if I do an id I'll see my user at the moment, which is www-data.

73
00:05:52,460 --> 00:05:59,250
And if you do uname -a, just to confirm that this is the Metasploitable machine,

74
00:05:59,250 --> 00:06:02,180
you'll see that this is the Linux Metasploitable machine.

75
00:06:02,190 --> 00:06:05,830
Now we can do anything we want; we can list the files, we can navigate.

76
00:06:05,970 --> 00:06:08,310
You can do any Linux command that you want to do.

77
00:06:08,310 --> 00:06:11,990
Now we have changed, our path has been changed.

78
00:06:12,130 --> 00:06:16,330
Weevely also offers many more features than just this.

79
00:06:16,440 --> 00:06:21,270
So it actually allows you to do a number of things; if you type in help,

80
00:06:21,660 --> 00:06:24,620
you'll see all the cool stuff that you can do with it.

81
00:06:24,720 --> 00:06:33,590
So you can try to escalate your privileges, execute SQL queries, and a lot of cool stuff that is just

82
00:06:33,590 --> 00:06:36,730
designed for web application penetration testing.

83
00:06:36,740 --> 00:06:43,660
For now I'm going to leave it at this, and this just shows you how to use file upload vulnerabilities.