[00:00:00] So hi, guys, welcome back to the lecture. In this lecture, we are going to see how to exploit SQL injection, how to find SQL injection present on any parameter, OK? It's not only a parameter; it can be, we can say, a search form or a field or a password. So for finding it, first we need to set up our lab, as we did before.

[00:00:23] So for that, first of all, you need to log into your OWASP BWA, as you can see here. So I'm going to log into it using my username and password, which will be owaspbwa, and now hit enter. So after hitting enter, it will simply load up, and then simply type ifconfig. So when you hit enter, you will find this as the IP address, the inet address of one ten zero zero seven. So this is the IP address.

[00:00:50] So now the next thing that I have to do here is simply open the web browser. So this is the web browser that I have here. OK. So it will take some time, actually; this depends on your RAM, how much you have allotted. So, guys, let's enter the IP address of the OWASP BWA machine here in the search bar. Okay, that address is not right; that is why it is not working. Let me fix it.
[00:01:24] So this is what we need to enter, so it is loading, and as you can see we are having this Mutillidae, which is on the OWASP Broken Web Applications project, and we are interested in SQL injections. For SQL injection, the best way to practice is Mutillidae, so simply hit and run this. So when you hit enter, you will see this kind of interface, as you can see here. Let me zoom this out so that it will be easy to see each and every page.

[00:01:54] So when you look in the left corner, you will find OWASP 2013. OK. So when you move your cursor over this, you will find these many vulnerabilities here. So we're interested in this one, which is SQL injection, extract data, user info. OK, so this is the field that I have here. OK, let me first put it... so that I can teach you what it is. So this is the page in which we are going to test our SQL queries.

[00:02:29] OK, so first of all, let's see what it is asking for. So this is asking for a name and the password. OK, so please enter your username and password to view the account details. OK. So, as we all know, I do not have an account in it. So what I'm going to do here is simply register using that. I'm going to give it as, like, the "I W", and the password, let's see, the "A W".
[00:02:59] "I W", so this is the password; the confirm; the signature is "D I"; now create account. So account created for the... and. OK, so now let's see, the account has been created. So the username is... guys. Let's get back.

[00:03:34] So now, guys, we are having this field. So we are having this field, so first on our agenda is to test the page to see if the possibility exists for an injection or not. So to do this, simply let's use the tick. Tick means the single quotation character, to see what we can learn from this. So what we need to do here is simply move the cursor here, use the tick and hit enter.

[00:04:07] So after hitting enter, let me... I think you can see this. Let me zoom it a little bit. And so this is the error that we are getting. So what does this mean? Simply using the tick, we were able to learn a reasonable amount of information about the database which supports this application. So what are some of the things that we have learned from this? So we have taken two things from here. So the first thing is, let's see, "File" here. "File", so we can see the entire path of the file which is handling this error.
[00:04:43] So from looking at it, there is additional information which can be inferred, such as this is more than likely a Microsoft Windows device on which the server is running. OK, so as you can see here. So then the second thing is "Message", which you can see here, "Message". So from the message, we can see that this is a MySQL database. This also has a hint of MySQL, and from this you can also see this is the MySQL database. OK, so this is the first thing that we get from the message. And the next thing is why this is important. So the database in the back end will determine the type of interaction we can do with the web application.

[00:05:27] So now, guys, let's expand on the tick and let's see what it's going to do. So, guys, let's see. First of all, actually, this is quite irritating. Every time it just becomes admin, admin. That is quite irritating. So this is the thing that we did earlier, or the common one: 1=1 will always be true, and give some space. OK, so this is a space after the two hyphens, and this is needed for MySQL comments also. OK, so now let's hit enter. So, let's see. When you scroll it down. OK. So when you scroll it down, so after simply entering this particular...
[00:06:15] Hmm. Let me see this. OK, where's the error? OK, guys, this is not working. These parameters are just irritating me. So let's try with this again. This is the tick, and then OR 1=1, hyphen, double hyphen, and now please simply hit enter. So when you hit enter, what you can see here: this is giving us nothing. So there is some failure. OK, guys, so there is some failure as to why it is not giving us data. Let's try with something else. OK.

[00:07:16] OK, let me do one thing here, that is, let me try with this. This is not working, guys, so we have to try some other command. This is not like I have run it from somewhere and I'm applying it here. This is not like that. So now, guys, we have successfully entered our command, so what was the difference between the last one and this? So the difference was that, as I have told you, you have to know the basics of the two hyphens: there is the space. This thing should be kept in your mind, because this is important and needed for MySQL. OK. So as you can see, it looks like we've dumped the entire table.
[00:08:03] As you can see, these are the things. OK. These are the accounts that we have here. OK, so this is the account that we have created; as you can see, we are having the username and password. OK, so this simply looks like we are making progress, and let's see what else we can do. So how about we try to determine the database version, OK? So for this, let's try to use the admin account to reduce the number of rows which will be returned. So our query will now look like... let me do it here. So let me erase it, let me remove it so that I can easily work here. This is just irritating me.

[00:08:50] OK, so now let's change our query, like admin. admin, so this is the query: simply tick, and now these are the two hyphens, and just give it the space, and now try to hit enter. So guys, after hitting enter, let's scroll it down; you can see here after scrolling down. This was our command, and this is simply we are trying to get the data as well. And so now let's try with some other command. So this is: we are inside admin. So now let's try to run some other command, like admin and simply tick. OK, union select. At the end, okay, now type @@version here, so this is the command.
[00:09:46] Hit enter. So that is when you hit enter. So, guys, when you hit enter, we got an error. So when you see the error, what it is saying: it is saying that the used SELECT statements have a different number of columns. OK, so it says this. So now what? We need to ensure that the number of columns is balanced. So now let's try to learn the number of columns in the table. So now let's use admin. Let me try here. Let me use admin, this as admin, and select this one. And just, first of all, it is it. I mean, a union select, and use null. And hit enter now.

[00:10:36] So when we run this command, we got the same error. Let me scroll it down, as you can see. We got the same error again, about the number of columns. So let's build up on this to find out the correct number of nulls we need to use here. So the thing that we need to do here is simply increase the number of nulls. So it will take some time; we have to take care of this. So this was the null, and let's simply separate by a comma. Let's try a double null: null, null. Now hit enter. And let me see it again; this is giving the same error, so the next thing...
[00:11:22] What I can do here now is try with the... OK, guys, one, oh, one, two. OK, now hit enter, and you can see that we are getting the same error. So now let's try it like seven nulls; six, not seven. Now, let's try with the seven. One. We have one, two. Null. Three. Four, five. Six, so we have now used six nulls, space, and hit enter; is that working or not? So this is again not working. Let me do it. Uh, let's see, containing one, I think. Now let's try with one more null. Null, let's try with this and see what it is. One, two; one, two, and hit enter.

[00:12:34] And so as you can see here, guys, as you can see here, we see that rather than an error we have now, as you can see here, what we have here now: we have got the number of columns. Now that we have the number of columns, let's try to get the database version again. So how you can do this: simply we are going to use, actually, six nulls with the version command. Let's try. We are always OK. I mean, let me think how much it contains, because we are having seven, so that is why I'm using six nulls, because one is for the version: one, two, three, four, five.
[00:13:32] Six, six, we are having six here. So after this, let's try to find out the version. OK, so now let's see how it is going to look. Version: so this is what was done, and now we have separated it, so one, two, three, four, five, six. Null, null, let's... it is this one. One, two. One, two, and now hit enter. Let's see what it is giving; as you can see, we have successfully extracted the version of the DBMS.

[00:14:20] Okay, guys, so now, guys, the next thing. So now let's look at each one, determine which one will accept our string, or at least which one produced the username, password and signature. To figure this out, let's put some string in each null field. So how you can do that? So earlier, how we know, we have used... so we have used nulls. So in case of null, in the place of null, we are going to use some string like "column one". OK. So let me start it from the start: admin, tick, OK, union select. It's going inside the, uh, we can see, let me make it... This one, I think this is the correct way. OK, let me close this string; again for another one, "column two". To close it again; "column three", close it, OK. OK, ok, ok, ok.
[00:15:38] Again, "column three". "Column four", "five", this takes time. That's four, and again, close it. "Column six" is now the next one that we have here, "column seven". Just close it, uh, open it. So this is what we have, and make it two spaces, and this is how. So now let's try to enter this command. OK, guys, so let me scroll down so you can see that, as you can see, we have used this particular command. So column two, column three and four are the ones which we can use with our string.

[00:16:36] So now let's revisit that attempt to get the database version. We will also replace the column X, OK, in the column. So now let's try to see again for the database version, so how you can do that. Let me scroll down. This was this. Now, let's try to hit enter; let's see, is it working with us; it's giving us an error. Again, select. I think we have to... Okay, guys, this is the thing now, and we need to add some spaces there, so this is the version; as you can see, it's good progress so far. Actually, I can see that. And we have now managed to obtain the database version. So now let's continue.
[00:17:32] How about we dump the database schema so we can see a list of tables with the associated names? OK, so now let's see how we can do that. So we need to again enter a long string, a long query, so that we can simply dump the database schema. So how we can do that? OK, so for that, simply type admin as usual, just close it using the tick and then union, union. OK, then simply, as always, select. OK. Now in the select, use null; we need to add seven different things inside this because, as we all know, on seven it gives us a result, and then table name. So okay, this is not a hyphen, this is an underscore: table_name. And then let's see, it's that column. OK, then we are having column_name. Let me do it like this, and then null, two nulls, and let's see, that's three nulls, four. OK, so four nulls, you know, now from information. A schema, a schema of information is correct: information_schema, dot columns, OK, the columns; then need to add two spaces, hyphen, two spaces; now hit enter.

[00:19:06] Let's see, is it working or not? So I think it is not working. Let's see. Let's see. Let's see what it is doing here. So, guys, now that we have got the dumped database structure, let me do it like this. As you can see, we have dumped the database structure.
[00:19:25] OK, guys, so we can now look at the other tables so we can see where we may be able to extract the data of relevance. So going through the list, as you can see, like on tables, the tables are accounts. So the list contains the user information which we were able to obtain in the beginning test. Okay. Which is like we can see: accounts. Now let's try to simply, um, let's see for the accounts. OK, let's do it again. So we have to write again what we did earlier, like union; let me see, is it present or not? OK, this was the command that we have entered earlier, so after the schema dot columns, let me use there... Let me use there "where table_name is equal to", uh, and simply give it as... Account. "accounts", just... the next enclosed as a string, and just two. Now hit enter. Let's see.

[00:20:55] So, guys, what we have found here, so we see the addition of, such as, here. So like this: is_admin, first name and last name. So as you can see all of these things here: this is the first name, last name and all of the things here. OK, so this is the way. So now let's see what we can learn from is_admin. So what we can learn from is_admin.
[00:21:22] As you can see, we are having here is_admin, the admin's password. So now let's see what we can learn from this. OK, so now let's see, let's create one more query for this. Simply tick, space, union. Select; simply, you select a null. Now, OK, username, is_admin, null. OK, again, we have to use two more nulls to complete the string of seven. Now we have used three nulls; from accounts. And now hit enter. So after hitting enter, it looks like value for, value for where it was... Let me scroll down. As you can see, the value for is_admin is either true or false. So for this, we now have a list of admin users in this database.

[00:22:32] Now, let's take a look to see which user of the application is simply accessing that database. So now let's see how. OK, guys, so simply use the command again that I'm going to tell you, like admin admin, let me do it like this: admin, space, union. Select null. Current user: the user, the current_user() function, and then use the remaining nulls, like five nulls, because we have used two places, so we need to use, uh, five nulls here. One, two, three, four. Five, OK, is this correct?
[00:23:23] OK, let me do it, let me correct it like this, OK? Is everything correct? Let me run this. Come on, let me run this. Come on. So let's see, is it working or not. So as you can see, guys, a very interesting thing is here. So this application is running as... as you can see, as root. So now what database are we connected to? So let's see what it is. To do so, again, run one more query: admin. A space, union select. Now, for database we are going to use database(). OK? And now, again, our remaining nulls, which is OK. This is just quite... Two, three, four, five, OK, is this correct? Now hit enter.

[00:24:31] Let us scroll it down; as you can see, guys, we have got something here. So now let's try to read... this is the database, actually, this is the name of the database. Let's try to read a file from the server's file system, so how you can do that. So this is some very interesting thing. So how you can do that. So this command that I'm going to give here is going to be very difficult, because it looks very small. You can see, uninteresting, actually.
[00:24:59] OK, so now let's see how we can do that. So the command that I'm going to give is admin, single tick, and then simply union select. This is for select, and null, this as one null, and then load file. load_file, inside this. Let me do it like this, and the path that I'm going to give here is this. Mm. Okay. How many slashes should I add here? Let me do it with four. OK, so this is for Windows. This is the path. Let's see, is it working, because currently I'm using Linux; let's see, is it working or not? This is how: drivers, etc, and then hosts, the hosts file; now close this. Everything is fine, looking fine. So now add the remaining nulls, which is around five. One, two. Three. Four. Five. Now hit enter.

[00:26:28] Let's see, is it working or not, records; as you can see, the record is not found, because currently we are using Linux systems. So that is why it is not working in our case, so we are not able to get this. So what you can do here in case of this: you can simply use your Linux path, so then you can simply get the right path for it.
[00:26:52] OK, so as you can see, we are using Linux, so that is why it is not working here. OK, so guys, the question arises here. All this we did: we managed to get the database version, the database name, the passwords inside, parts of what is contained inside the table, what we have, the column names, so the number of columns, table names, usernames, passwords and the signatures, we all managed to get. We managed to get all the information.

[00:27:18] So the question arises here: how you can simply protect yourself, how to secure your organization from SQL injection. So as you can see, we did a lot in terms of demonstrating the effects of SQL injection. So understanding how we protect ourselves from this is just a very important thing. So the guideline is like, at the time, based on this particular understanding. So the only proven way to protect our website from a SQL injection attack is to use SQL parameters. SQL parameters are the values that are added to the SQL queries at the execution time in a more controlled manner. So this is the way you can protect yourself. So, guys, I hope you understand this. So if you're not getting anything, you can simply message me.
[00:28:12] I will simply make a separate lecture on this SQL injection. By the way, I know you all have got this very well, but if in case you are having any kind of doubt, you can ask me; I will answer your questions within 24 hours. Don't worry. I will make a separate video and I will show you one by one how you can automate the process of SQL injection without doing all this, because I'm not adding that particular feature in this particular lecture, because I don't want to just do anything in an automatic mode. If you are doing it in manual mode, you can understand it; you can put your hard work, your brain on it. But in case of automation, what you need to do is simply copy this particular... copy this, which... let me do it for you. OK. OK, why not?

[00:29:10] OK, so in case of automation, you need to simply copy this URL and put it there in the tool, and it will simply tell you what kind of environment it has and you need to exploit it. And so that is not the best way to learn ethical hacking or website hacking. So the best way is to do it manually. But there are some cases where we need automation, so there you can use it. But in case of SQL injection, if you are able to get all of these things, there is nothing like you will go with automation.
[00:29:40] OK, so this is all about this lecture. I hope you understand it. And thank you for watching this lecture.