1
00:00:01,240 --> 00:00:05,560
And this lecture we're going to have a look on file upload vulnerabilities.

2
00:00:05,940 --> 00:00:11,840
These are the simplest type of vulnerabilities because they allow us to upload any type of file.

3
00:00:12,180 --> 00:00:18,640
So for example of the tablet computer can understand we then we can upload any ph profile on a page

4
00:00:18,630 --> 00:00:23,880
reshelve and get full control over the target computer.

5
00:00:23,890 --> 00:00:29,770
Now as the target computer or the target server understands Python or any other language then you can

6
00:00:29,770 --> 00:00:36,270
just upload Python code in python shell or Ruby shell you can create the shell use in evasion or meta

7
00:00:36,270 --> 00:00:43,480
exploit or you can use your own Ph.D. or python shell.

8
00:00:43,680 --> 00:00:49,460
What we're going to do today we're going to have a lock on a tool called Wheatly that generates ph Rochelle's

9
00:00:49,470 --> 00:00:56,520
and allow us to gain access and do a number of cool things on the target computer.

10
00:00:56,520 --> 00:01:01,340
So first of all I have my DVD with you here.

11
00:01:01,770 --> 00:01:06,600
And usually when you're trying to paint us a Web site what I recommend is before trying to use any tools

12
00:01:06,600 --> 00:01:12,390
or anything after you do your information gathering is you just go in and try to browse the web sites

13
00:01:12,390 --> 00:01:18,420
you see what you can see just get a feel of the Web site see what's installed on it and all that and

14
00:01:18,420 --> 00:01:21,180
try to exploit any features you see.

15
00:01:21,180 --> 00:01:25,580
So for example let's say you went on everything and then you reach the upload.

16
00:01:25,730 --> 00:01:29,110
We can see that this Web site allows us to upload a file.

17
00:01:29,120 --> 00:01:35,780
Now this sometimes in in your penetration testing tasks it could be a Web site that allow you to upload

18
00:01:35,780 --> 00:01:41,720
a profile picture a picture if it's a classified website maybe it will allow you to upload pictures

19
00:01:42,050 --> 00:01:46,320
of cars or whatever you're trying to add in the web site.

20
00:01:46,340 --> 00:01:51,290
So as you can see here the Web site expects you to choose an image and upload an image.

21
00:01:51,590 --> 00:01:54,000
So let's see if we can upload an image first.

22
00:01:54,020 --> 00:02:00,660
So I'm going to go on my downloads and I have a picture here and the resources just a picture of my

23
00:02:00,660 --> 00:02:01,450
car.

24
00:02:01,740 --> 00:02:04,050
I'm going to upload it and see if it gets uploaded.

25
00:02:05,500 --> 00:02:11,370
And you can see that the upload was successful and it started in this particular location.

26
00:02:11,380 --> 00:02:15,740
So it's dot dot dot dot which is which means two directories back.

27
00:02:15,820 --> 00:02:18,040
And then this filename.

28
00:02:18,160 --> 00:02:21,060
So let's see if we can if the picture has actually been uploaded.

29
00:02:21,110 --> 00:02:25,030
So I'm taking away two directories and taking away the vulnerabilities and upload.

30
00:02:25,300 --> 00:02:27,250
I want to use that.

31
00:02:27,460 --> 00:02:34,570
And then we're going to get this location on the server just to see if the picture was uploaded properly.

32
00:02:38,160 --> 00:02:42,480
And as you can see the picture has been uploaded so that's all good.

33
00:02:42,540 --> 00:02:48,240
Now the next thing I do let's try and upload a PH pre-fall and to do that we're going to use a tool

34
00:02:48,240 --> 00:02:53,500
called we've as I said to create a payload or a shell if you go if you want to call it.

35
00:02:53,970 --> 00:02:57,890
And it's obviously it's going to be a PH reshelve you can use with us voice.

36
00:02:57,900 --> 00:03:00,060
As I said to create a APHC payload.

37
00:03:00,270 --> 00:03:06,240
But we're going to be just having a look on a different tool that's designed for web application penetration

38
00:03:06,240 --> 00:03:09,520
testing so the tool is very easy.

39
00:03:09,550 --> 00:03:12,900
We're going to put the tool name which is we've.

40
00:03:13,220 --> 00:03:20,730
And then we're going to put generate because we want to generate a pay note or a shell file then we

41
00:03:20,730 --> 00:03:27,370
will put a password for that file so that only US can access it and control the website when we upload

42
00:03:27,370 --> 00:03:28,630
it to the website.

43
00:03:28,660 --> 00:03:33,670
So my password is going to be one two three four five six and then I'm going to say what I want to store

44
00:03:33,670 --> 00:03:41,930
it and you want to store it in route and I'm going to call it Shell ph free so very simple really is

45
00:03:41,930 --> 00:03:48,120
the name of the program generators to generate a show the password that the show is going to authenticate

46
00:03:48,120 --> 00:03:54,050
us with and it's going to be stored in road Shelder ph we're going to hit enter and created.

47
00:03:54,050 --> 00:04:01,090
Now if I I'm already in my roots or if I just do LS I should see it and we can see it right here.

48
00:04:01,140 --> 00:04:05,190
So the next thing is we're just going to go back to our website and try to upload that show

49
00:04:11,750 --> 00:04:13,140
and I'm going to look for a show.

50
00:04:13,370 --> 00:04:16,410
And here it is going to upload

51
00:04:19,160 --> 00:04:24,200
and as you can see now tell me the file has been uploaded successfully and it's in the same place that

52
00:04:24,200 --> 00:04:25,180
the picture was.

53
00:04:25,370 --> 00:04:31,880
So all you need to do now is we're going to use the same link and we're going to use really again to

54
00:04:31,880 --> 00:04:34,540
interact with that show that we uploaded.

55
00:04:34,550 --> 00:04:38,570
Now let's first of all see if the shell exists and it's been uploaded properly.

56
00:04:38,570 --> 00:04:44,480
So I'm just going to browse through my browser J-Lo's page.

57
00:04:44,810 --> 00:04:48,980
And you can see that you get a blank page so we're not getting four or four file not found.

58
00:04:49,070 --> 00:04:52,690
Which means that the file has been uploaded and there.

59
00:04:52,760 --> 00:04:56,480
So we're going to try to interact with it from to connect to it.

60
00:04:56,480 --> 00:05:02,050
We're going to type in really and then we're going to put the R L where the shell is.

61
00:05:02,060 --> 00:05:08,000
So this is where our shell has been uploaded and then God put the password or my password was 1 2 3

62
00:05:08,000 --> 00:05:09,100
4 5 6.

63
00:05:09,110 --> 00:05:10,430
Very simple really.

64
00:05:10,550 --> 00:05:13,980
The L Word the file is 1 2 3 4 5 6.

65
00:05:14,000 --> 00:05:14,970
This is very simple.

66
00:05:15,000 --> 00:05:20,190
Is similar to when you use your multi-hundred waiting for connections or connected to your banker.

67
00:05:20,210 --> 00:05:23,790
So we're literally just going to connect to the back there that we uploaded.

68
00:05:24,170 --> 00:05:26,730
And as you can see now we're in the file system.

69
00:05:26,840 --> 00:05:33,410
So from what you've read from this place you can actually just type in any Linux command and you'll

70
00:05:33,410 --> 00:05:37,580
be able it will be executed on the target computer and you'll see the result here.

71
00:05:37,580 --> 00:05:44,960
So if I do OPW the you'll see them that I'm invited w WW hackable uploads.

72
00:05:45,200 --> 00:05:52,030
And if I do an ID I'll see my user at the moment which is the readably data.

73
00:05:52,460 --> 00:05:59,250
And if you do you name a just to confirm that this is the meter's notable machine.

74
00:05:59,250 --> 00:06:02,180
You'll see that this is the Linux with exploitable machine.

75
00:06:02,190 --> 00:06:05,830
Now we can do anything we want we can this the files we can navigate.

76
00:06:05,970 --> 00:06:08,310
You can do any linux command that you want to do.

77
00:06:08,310 --> 00:06:11,990
Now we have change our pace has been changed.

78
00:06:12,130 --> 00:06:16,330
We also offer as much more features than just this.

79
00:06:16,440 --> 00:06:21,270
So it actually allows you to do a number of things if you type in help.

80
00:06:21,660 --> 00:06:24,620
You'll see all the cool stuff that you can do with.

81
00:06:24,720 --> 00:06:33,590
So you can try to escalate your privileges as execute as queries and a lot of cool stuff that is just

82
00:06:33,590 --> 00:06:36,730
designed for web application penetration testing.

83
00:06:36,740 --> 00:06:43,660
For now I'm going to leave it at this and this just shows you how to use a file upload variabilities.