[00:00:01] Hello, everyone.
[00:00:03] So in this video, we are going to see how we can identify an LFI vulnerability on a given web application, so it is practical time.
[00:00:15] And let's quickly jump onto the practical to see how we can actually identify and exploit this vulnerability.
[00:00:24] So as you can see over here, I'm on a target application, which is testphp.vulnweb.com.
[00:00:31] And once I'm on this particular website, what I'm going to do is set up Burp with this website.
[00:00:39] As you can see, I'm running the latest version of Burp Suite, which is 2020.9.1.
[00:00:46] Now, I have also been running one more Burp Suite instance, of 1.7.34.
[00:00:53] So basically I'm running two instances of Burp Suite just to differentiate between both the Burp Suite versions and how they work, and how we can utilize them for identifying LFI based vulnerabilities.
[00:01:08] So because of limited options in Burp 2.0, we cannot crawl or use Spider on the target web application.
[00:01:19] I'm going to demonstrate this attack with the help of the 1.x version, which can be freely downloaded from the PortSwigger website.
[00:01:28] All right.
[00:01:29] So once I have set up the Burp Suite 1.x version with my target browser, that is Mozilla Firefox, I'm going to intercept this particular application and I'm going to bring the particular request in Burp.
[00:01:42] As you can see on the screen now, I will just reload this and you can see I have got the successful request over here.
[00:01:51] Now I will simply right click and click on Repeater, because I want to use this request later on.
[00:01:59] Also, I will again right click and send this to Spider.
[00:02:02] I'm sending this to Spider because I want as many endpoints as possible for this specific target.
[00:02:09] Remember, if I'm increasing the scope for my target, that means I may get a lot of parameters that may turn out to be vulnerable, and I can identify a valid LFI based vulnerability.
[00:02:22] That's why putting this to Spider is very important.
[00:02:26] Now it sometimes may ask you to submit the forms it comes across on any target web application; if you want to submit, you can submit them with some random or junk data, or you can simply ignore it.
[00:02:40] For now, I'm going to ignore this form.
[00:02:44] All right, now let's go back to Target, and you can see this is my target web application on which I'm performing a test and trying to identify a valid LFI based vulnerability.
[00:02:56] Now, I will just right click over here and click on Add to Scope.
[00:03:01] I have already done this before and this has been added to my scope.
[00:03:05] Remember, whenever you're sending any target application for spidering, it will ask you to add it to scope, as I've already done this.
[00:03:14] You can see now it is showing the option which is Remove from Scope.
[00:03:18] All right.
[00:03:19] So once we have done this, I'm going to again send this to Spider just to crawl more endpoints so that we get more parameters, and our scope gets increased.
[00:03:31] Now, you can see over here there are all the particular URLs which have been crawled.
[00:03:36] Now I'm going to filter them based on parameters, or you can say I'm going to sort them based on parameters, so you can see over here all the parameters that can be seen, or all the endpoints that can be seen, for a target application.
[00:03:52] Now, if you're testing on an application which has multiple endpoints or has a very big scope, there would be thousands of URLs that will be crawled by Burp Suite.
[00:04:04] And in those circumstances, it may get difficult for you to choose each URL one by one to identify which one to test.
[00:04:12] Now, for that, what you can do is simply use the search feature.
[00:04:18] How to do that?
[00:04:19] Just go to Burp and click on Search.
[00:04:22] Now, as we know, there is a specific set of injection points or vulnerable parameters for LFI based vulnerability, and you can simply search for those vulnerable parameters.
[00:04:37] I'm going to attach the list of parameters in the description, and then you can download it and identify those parameters as well.
[00:04:47] Now, one of them is file=; this parameter means that my target application is going to show a file, and that can be any file.
[00:04:58] Let's say it is a PDF file, a PNG or an audio file.
[00:05:04] So the file is stored on the target server, and it is going to give that file to any user when the user wants that particular file.
[00:05:15] So what if, instead of that particular file, we request something else from the target server?
[00:05:23] Maybe, if there is a vulnerability, we may get the file intended by the attacker.
[00:05:31] So let's quickly identify whether these parameters exist or not.
[00:05:37] Over here, you can see I'm using the option which is case sensitive, and the location is only request headers, because I want this parameter in my request headers and request body, not in the response.
[00:05:53] Why?
[00:05:54] Because in the request itself, I'm going to request another file, which is /etc/passwd or something which is sensitive and an attacker can take advantage of.
[00:06:08] Now, you can see over here, you can check or uncheck based on from where you want to scan it, so let's say Target, Proxy, Repeater.
[00:06:17] So I'm going to keep these settings at default.
[00:06:19] You also don't need to change anything over here.
[00:06:22] Now, just hit on Go.
[00:06:24] Once you hit on Go, you can see you are able to get all the endpoints of the target, which was testphp.vulnweb.com, and all these URLs are coming from the Target tab; as you can see over here, they are under the site map, which we have already crawled and saved.
[00:06:44] Now you can identify, yes, it matches a particular parameter, file=, over here.
[00:06:53] Now I'm going to choose one of these and send it to Repeater, because I want to try LFI on these particular requests or these particular parameters.
[00:07:07] So you can see this is an image which is getting loaded from the server, because the request looks something like GET showimage.php with file= the image name.
[00:07:21] Here the image is this one, 1.jpg.
[00:07:23] And on the right hand side you can see the rendered response of 1.jpg, and it looks something like this.
[00:07:31] Now what if, instead of this 1.jpg file, I want to include something else, let's say something sensitive from that specific server.
[00:07:42] So what I'm going to include is the /etc/passwd file.
[00:07:46] Remember, this passwd file is considered sensitive for any server because it contains the names of the users, and the attacker is able to enumerate the names of the users on that particular server which is running.
[00:08:02] So you can see over here I'm going to send the request, and you can see we got an error.
[00:08:06] Now I'm going to add ../ and you're able to see, successfully, I'm able to see the passwd file.
[00:08:16] Now, why did I add the ../?
[00:08:19] That is only to get one step out of that particular directory, or go one step back from that particular directory, and you can see over here I'm successfully able to see the passwd file in my response.
[00:08:38] Now, this is considered sensitive because now I can read any of the files I want from the target web server.
[00:08:49] I hope you guys understood how you can also identify LFI based vulnerabilities in any target application, if the input is not sanitized and anyone is allowed to read any sensitive files via vulnerable parameters like file= on any target application.
[00:09:08] Thank you.