[00:00:00] Hello everybody and welcome back. Right now we finished the SQL injection part, which could have been a little bit hard for you to understand, and I always encourage you to read more about it. That will make you understand it a little bit better, and you can also watch other tutorials online on how to perform the actual injection with sqlmap or manually. The more tutorials you watch, the better you will get. But right now we want to cover another attack, which is the XML injection. So let's first talk about it. Well, some applications may do their searches in an XML database, which basically allows us to perform the XML injection. When the user sends XML-formatted information that the application should read, so the user basically sends XML-formatted information as an input and the application on the web server basically reads that, and if we type it as code, it might interpret it as part of the code if it is not filtered correctly. It is the same principle as in the previous two attacks, which are the command injection and the SQL injection. So basically all of these attacks are just badly written website code or badly filtered user input. So in order for you to understand it better, you need to know the basic XML structure.
[00:01:37] It basically looks similar to the HTML. Now, it has a root node, child nodes, elements, and I believe it also has those two arrows that are at the beginning and at the end of every comment. So it looks a lot like the HTML code. So let us actually play. Let us see the practical use of this attack. So what we want to do: go once again onto the machine, once again onto the IP address. So let me just go back one or two or three times. So once you are here, you want to go to the bWAPP, which is right here. I don't believe we went here in the previous videos, so this is the first time. Just click right here and it will open up something that looks like this. So now what we want to do, first of all, we want to log in. As it says right here, enter your credentials, bee/bug, so you can just log in right here, or if you want to, you can also train your brute-forcing attack. Just add these two words to some username list or password list and run your brute-force attack in Hydra or in Burp Suite in order to practice a little bit, but we won't be doing that right now since we did it twice in previous videos.
[00:03:10] So let me just log in right here with the specified username and specified password. Set the security level; for now we will leave it on low, since this is the tutorial video and we want to show you from the beginning how it looks. Once you log in (don't save the password), once you log in right here, you want to search for the XPath injection (search). So as we can see right here, we have a bunch of the methods right here that we can use to practice our attacks, and what we want to search for is... let me just find it... SQL injection, we covered that... XPath. Here it is. So, XML/XPath injection (search). Once you find that, just click on it right here and click on Hack, and you will see that we load a simple page which basically searches movies by their genre. So as we can see, the action movies: if you click here on search it will print out six of these movies. You have some of the other options, for example horror movies: you click here on search and we get two movies, which are Resident Evil and Underworld, and you can also check the science fiction and click here on search and you basically get the same output as the action movies. So what we want to do: the first thing you might notice is there isn't any user input right here.
[00:04:48] There isn't any specific field right here that allows us to type something. Well, we don't really need it. This search box right here, which chooses between two or three types, is actually our user input. You do not type it, but you do send your choice to the server. So let us just intercept this packet real quick. So we go onto our Burp Suite and we turn the intercept on, and now what we want to do is go onto our page and search for the action movies, for example. So just click here on search; our page reloads since we are intercepting it, and if we go right here to the packet that we received in the intercept, we can see that in the link there is a specified genre which says action and the action which says search. So these two correspond to this right here and this right here. And let's see what happens if we, for example, change this packet before we forward it to the server. So let's try to inject: action, and then once again inject an apostrophe after that. Let's see how the server will handle this packet. So we are basically sending action and then the apostrophe, so we forward this and let's see what the server basically gave us.
[00:06:19] And sure enough, it gave us the invalid expression, which means we successfully found the vulnerability: Warning, SimpleXMLElement::xpath(): Invalid expression, in this file right here on line one hundred and fifty-eight; Warning, SimpleXMLElement, and another warning: evaluation failed, in the same file on line one hundred fifty-eight; no movies were found. So we can see that the server actually read this as a part of the query. Now let's check something else as well, so let me just search for the action. Wait, we still have the intercept on; let's turn it off. Let's go to the page itself. So we are back to the same thing now. What we want to do is exploit and possibly find some usernames and passwords, if there are any. What we want to check next is whether this application will interpret a part of this input right here as well as the whole word. So once we send action it prints out the action movies, but let's try that again by sending only a part of that word. So let us just turn our intercept on and search once again. So now that it is stuck, we go to our Burp Suite... why is it so slow? Here it is, and let us delete a part of this world... the world, pardon me, word. So delete "ion" and leave "act". And let's see if the server will recognize this as a part of the word action.
[00:08:12] So if we turn off the intercept, we can see that we got the same output as if we searched for action. Now, anyone with a little bit of knowledge of XML will know basically that, since it gives the same result as the action word, we know that it uses a function which is called contains. Now, contains basically does the same thing as it says: for example, it searches for all of the results that contain even a part of the word. So for example, "act" is contained in "action". That's why it gave us the same output. Now that we know that it uses that function, which is contains, once again we can do something very, very funny, as you will see right here. It could be a little bit hard to understand, but basically we will try to select once again something similar to the previous thing we did in the SQL injection, when we said 1 equals 1. We will try to type here something like contains one one, which will print out all of the results in the database. Let me just show you also. We turned on our intercept, and if we search right here, what we want to go to is Burp Suite. So let me just go back to it... not the other applications... we want to click right here, and let us delete action first. So we delete action, and what we want to type right here is the apostrophe.
[00:10:06] Then the closing right parenthesis, then the closing bigger right parenthesis, then slash, star, and then two slashes and then once again star. Then we type the left open bigger parenthesis, and then we type contains, and then open left smaller parenthesis, apostrophe, one, apostrophe, comma, open apostrophe... so comma, open apostrophe, one. So you will see that if we forward this packet... I'm not really sure why it doesn't give us the forward option. Here it is, it is just a little bit slow. What is this? We do not want this. So let us forward this packet and let's see what output we got from the server. No movies were found. Well... oh wait, wait a second. Let me just try this once again. I think I know what the problem is. The problem could be that I deleted the... deleted the action. So let's just do that once again. So search, we go to Burp Suite and... my setup is a little bit slow, so we type the same thing once again. So just type something that you typed previously. So let us just do the...
[00:11:45] It starts with an apostrophe, then the open right parenthesis, open bigger right parenthesis, then what we do is slash, star, two slashes... let me just move my mouse... two slashes, star, and then we want to open the left parenthesis, open contains, contains, open smaller left parenthesis, apostrophe, one, apostrophe, comma, open apostrophe, one, open apostrophe, and that's about it. So let me just see if this will work. If we send that: no movies were found. Not really sure why it says this; let's just try something else. I think I know what the problem is. OK, I realize the problem was that I was missing a character, so let us do that once again. So intercept on, search, it is stuck. So we go to Burp Suite and we type the same thing, but follow along with me right now. We need to add a little bit of something else, so let us just start off with the apostrophe, then open left parenthesis... pardon me, open right parenthesis. OK, open right bigger parenthesis. Slash. And then the star sign. And then we want to use the pipe, which is the upright line. And then we continue with the same, so two slashes and then the star sign again.
[00:13:40] And then we open the left bigger parenthesis, contains, which is the function, and then we open apostrophe... or open left parenthesis, the smaller one, apostrophe, one, apostrophe, comma, open apostrophe, one. So let me just copy this so I can show you how it looks, if you can't see it. So I will just copy it, open Leafpad, and let me paste it right here; you should see it a little bit better. See if I can enlarge this. So this is the command that we are using right here. So what we did previously, we basically forgot this pipe command, this pipe sign right here. So let us just forward this packet and see what happens. So, forward, and let's go to the page right now. And as you can see, we got a bunch of the options that are in three movies, as we can see: Neo, Trinity, and then randomly there is a movie, and then we have some of the numbers right here. Basically, what these are: this is the username, this is the password for this username, as well as this: Alice, loves zombies, as well as these: Thor and Asgard.
[00:15:11] So we basically successfully exploited the XML database with that one command, and we can see the usernames and passwords of different people right here. And it gave them to us in the list as if these were movies. So that's how you manually exploit the XML with the XML injection. Now let's do the same... now, I will not do... Let me show you how you can automate this process with a tool, but I will show you this in the next lecture. And then after that we will start the cross-site scripting attacks. So I hope I see you in the next lecture, and take care, bye.