[00:00:00,210] Hello everybody and welcome back. Now let's start off by trying to exploit our first target, which would be our OWASP machine. So I'll just close this, which was from the previous video; we do not want to save it. Let us just go on to our virtual machine and go once again to the vulnerable web application, which is DVWA. Once you get there, if it asks you for the login screen, just type there admin, admin, and it will open up this window. From there you just go to the SQL injection right here.

[00:00:38,010] So, as in the previous command injection tutorials, SQL can also be used to query with the GET method. So if you have the source code of the website you can easily see if it is vulnerable to SQL injection, but in most cases you won't have the source code. Here we do have it, as we can see: if we click right here on View Source you will see the source code of this website, and we can see our SQL query, which is right here, so we will get to this a little bit later on. For now let's just see what this website is all about. So as we can see we get prompted with the User ID. So the User ID could possibly be some kind of a number. So let us just type here 1 and submit it, and we will get the first name and the last name, or surname, for the user ID number one. If we type here
[00:01:40,430] User ID 2, we will get the user under the number two. So that would be Gordon Brown. So we can conclude that this website is basically giving the first and last name based on the user ID that you typed right here. Now let's try here 32, for example. There probably isn't one. So as we saw, if you type here 32 it won't give out any output, since there isn't a user under the ID of thirty-two, or three, I don't know what I typed, I forgot. Doesn't really matter. So let's continue now. It all seems good for now.

[00:02:21,470] But what happens if we type here a special character that is used in programming languages, for example? Now we can cheat right here and view the source code, but the most basic check for SQL injection is always the apostrophe, a single apostrophe, in most cases. Once you type this, if the server is vulnerable to SQL injection it will print out an error; it will say that there was an error in the SQL query. Let us just check that out: if I click here on submit you will see we get some weird error that says "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near" this "at line 1".
[00:03:17,880] Now if you see this on any website it means it is vulnerable to SQL injection, because this error means that we actually entered something that messed up the server's code, and it even says it right here that we have an error in SQL syntax. Now that error basically is the three apostrophes one next to another. So in order to explain that a little bit better, let's just go here and view source. Let me enlarge this. We can see that this is our SQL syntax; we can see that basically, as I explained in the previous video, it selects first name and last name from users where user ID equals, and then here it puts any input that we typed in the user ID form. So for example, if we type there 2 it would print out to the user the information about the user under ID 2.

[00:04:16,990] And you can see that the ID has an apostrophe on the left side and an apostrophe on the right side, which means that the user input is anything between these two apostrophes, which is good. But what happened when we typed another apostrophe? Let me just show you: let me copy the entire command, let us copy it, and let us open Leafpad. I already had it open, so just open it once again and paste the command right here. When we typed the user under ID 2 it looked like this; when we typed user ID 1 it looked like this.
[00:05:03,520] But once we typed the apostrophe we had these three apostrophes, and it counted the first two as part of the query, and the last one was basically... SQL didn't know how to interpret the leftover apostrophe, and it gave us an error, an error in syntax, in obscure language, which means that it actually read our apostrophe as a part of the code, and that's how we know that it is vulnerable to SQL injection.

[00:05:39,250] So let me just open this now. Most of the time you won't have this code, but you can actually try to guess how the code might look based on the website itself. So we could actually guess: once we type here 2 we know that it queries for the first name and the last name from some table with users where ID equals 2. Now that we know that it is vulnerable we can actually try a few other things. So let us try to actually type here 2 and add the apostrophe, which would end the first one, which would correspond to the first apostrophe in the source code. So let us keep the source code right here. So for now we have select first name, last name from users where user ID equals, one apostrophe, 2, then the second apostrophe, and then we can type right here, for example, AND, which is SQL syntax, and 1 equals 1. Now let me just delete the last apostrophe since we already have it specified in the source code.
[00:06:58,610] What this does is basically it will check for a condition: if 1 equals 1, which is always true, and it shouldn't give us any error. If you just paste this in the URL instead of the ID you will see that it is a well-formed syntax for SQL, and it shouldn't give us an error; it will print out the user under ID 2 and it will not print anything else. So if we just click submit you can see that it just printed Gordon Brown, which is the username under ID 2. And it also checked if 1 equals 1, and since that is true it didn't give us any error. But let's do the same thing, and instead of 1 equals 1 we type here 1 equals 2. Now since this is not correct, one is not equal to two, it will not print out anything. So basically it won't print out Gordon Brown or anything else. If you click here submit you will see that it doesn't give us any information, since it would only print out the username under ID 2 if the second condition was also met, which it wasn't, since one is never equal to two.

[00:08:22,800] Now you might be asking, let me just type here, why am I not using the apostrophe at the beginning and at the end? Well, basically I already have those two apostrophes in the source code, as you can see right here. It starts off with the apostrophe. Then we just type here 2.
[00:08:37,910] And then the second apostrophe, and, one apostrophe, then 1, a second apostrophe, equals, and then another opening apostrophe, 1, and we have the closing one right here. So we do not have to type it. If we were to type it we would get another syntax error, since we have another apostrophe which shouldn't be there, as we can see right here. We have a few extra apostrophes, so we do not type the apostrophe at the end.

[00:09:07,100] Now that we saw how this works, let us actually try to find out how many rows and columns and tables and all that kind of stuff there are, in order for us to get to the valuable stuff, which would be usernames and passwords. So in order for us to find out the existing number of columns we should type here this command. So we delete basically everything, I'll just delete it as well, retype your 2, apostrophe, and then we use the command order by, and then we type here 1. Now what this means is this will try to find the existing number of columns. This order by 1 will basically see if there is one column, and we will just go order by 1, order by 2, order by 3, and once it doesn't give us anything it means that there is not a column under that number. Now, after this what we want to do is type here the hashtag.
[00:10:19,830] Now you might be asking why we are typing the hashtag. Basically the hashtag is the comment in the SQL language, so anything that comes after the hashtag is interpreted as a comment. So we type here the hashtag and then apostrophe, and if we type it right here we can see that column one exists. Now let us try to see if there are two columns, for example. So we type here the same command, but instead of 1 we want to check out 2. Does that exist as well? And it does. And let us try to find out about the third column: does the third column exist in the database? And if we type it out here it will say unknown column 3 in order clause, which means our database only has two columns for now; the third one doesn't exist, and that's why we get this error.

[00:11:20,800] Now that we found out how many columns there are, we can basically try to select them both and see what they are. We want to see, for example, in which order these columns are, and we do that with this SQL query, which is 2, and basically, maybe I didn't mention it, but this 2 is the ID for Gordon Brown, I believe. And we use that so we can specify another command after it, so it gives us our desired output. So we will use union select 1, and then comma 2, and then hashtag, apostrophe.
[00:12:09,890] Basically this will give us in which order these two columns that we found out are. If you for example found out that there were three columns, right here we would just type another comma and then 3. But since we only have two, we just type here 1 comma 2, and we can see right here that the first name is column number one and the surname is column number two. Now this union command right here that we used, basically it is used to put together results from two queries, as we can see right here. So we will continue. We basically just found out some of the basic things right here, but we will continue to exploit it in the next tutorial. So I will just cut the tutorial here and we will continue from where we stopped right now. And I hope I see you there. Take care. Bye.