1 00:00:01,870 --> 00:00:09,160 Hello, everyone, and welcome to this video. In this video we are going to see how you can identify
2 00:00:09,190 --> 00:00:12,060 an LFI vulnerability in a website.
3 00:00:12,760 --> 00:00:15,610 So let's quickly see the practical.
4 00:00:18,670 --> 00:00:27,770 As you can see, we are on one of the websites, which is ravaged by dot com. On this website there exists
5 00:00:27,790 --> 00:00:31,150 a particular specific vulnerability, which is LFI.
6 00:00:31,480 --> 00:00:35,180 And I'm going to show you how you can identify that vulnerability.
7 00:00:36,040 --> 00:00:42,930 So let me first quickly start Burp Suite and capture the request in my Burp.
8 00:00:43,780 --> 00:00:49,090 As you can see, I have captured the request in my Burp Suite and I'm going to send this to Repeater in
9 00:00:49,090 --> 00:00:51,330 case I want to use the request later on.
10 00:00:52,300 --> 00:01:00,100 Now, I will also send this request to Spider because I want to crawl as many endpoints as I can.
11 00:01:00,760 --> 00:01:09,820 Why am I crawling those endpoints? Because that will increase the scope and I will be able to identify
12 00:01:10,060 --> 00:01:14,780 some of the certain parameters that can be vulnerable to this vulnerability.
13 00:01:15,790 --> 00:01:16,250 All right.
14 00:01:16,420 --> 00:01:22,420 So once you send anything to Spider, it is going to ask you to confirm that.
15 00:01:22,420 --> 00:01:27,430 Would you like to add this specific target to the current spidering scope?
16 00:01:27,940 --> 00:01:30,760 And you have to press yes. When you press
17 00:01:30,820 --> 00:01:34,330 yes, it will automatically get added to the scope.
18 00:01:34,750 --> 00:01:42,660 And you can see the spider has successfully started. Now, in the Target site map tab,
19 00:01:42,910 --> 00:01:45,790 you have to choose your target.
20 00:01:46,060 --> 00:01:48,130 As you can see over here, this is my target.
21 00:01:48,310 --> 00:01:50,410 So I'm going to, again, add to scope.
22 00:01:50,770 --> 00:01:53,500 And if I want, I can also spider the host.
23 00:01:54,280 --> 00:02:02,620 Now, when I have my target over here, on the right hand side you can see these are all the particular
24 00:02:02,620 --> 00:02:10,650 URLs that have been identified, or the endpoints that have been identified, for the target application.
25 00:02:11,290 --> 00:02:18,100 Now, I can use any of the particular requests from here to play with and identify if it is vulnerable
26 00:02:18,100 --> 00:02:19,930 to any of the certain attacks.
27 00:02:20,680 --> 00:02:28,810 Now, you can see I have taken a particular target request, which is index dot PHP slash
28 00:02:29,050 --> 00:02:32,250 page equals contact dot PHP.
29 00:02:33,520 --> 00:02:38,980 This particular page represents a contact page on the particular target website.
30 00:02:39,670 --> 00:02:45,420 Now, what if I replace the contact dot PHP page with something else?
31 00:02:45,880 --> 00:02:53,860 Let's say I want to include something else from the target server, which is slash etc slash
32 00:02:53,860 --> 00:02:57,580 passwd instead of the contact dot PHP file.
33 00:02:58,360 --> 00:03:02,770 And let's see if we are able to see the passwd file content.
34 00:03:03,640 --> 00:03:11,230 If I scroll down, then you can see over here I'm going to search based on root colon x, because
35 00:03:11,230 --> 00:03:14,710 this is how a passwd file is represented.
36 00:03:14,710 --> 00:03:16,750 And there is always a root user in it.
37 00:03:17,230 --> 00:03:19,360 And you can see over here there are two users.
38 00:03:19,690 --> 00:03:26,050 First is root and second is the ravaged by dot com user, which has been created on that particular
39 00:03:26,230 --> 00:03:27,400 Linux server.
40 00:03:28,060 --> 00:03:28,540 All right.
41 00:03:28,720 --> 00:03:35,440 So you have successfully identified that the vulnerable parameter page is vulnerable to an
42 00:03:36,640 --> 00:03:43,750 LFI based attack, where we are able to read the sensitive content from the server. Now, you can see
43 00:03:44,020 --> 00:03:50,800 I have changed the payload to etc slash shadow and I'm trying to read the shadow file.
44 00:03:52,310 --> 00:03:59,510 For those who do not know what the shadow file represents, it contains the passwords of all the users in
45 00:03:59,510 --> 00:04:00,670 the system.
46 00:04:01,220 --> 00:04:06,050 And you can see I have the passwords, but obviously they are not in plaintext.
47 00:04:06,290 --> 00:04:07,610 They are encrypted.
48 00:04:09,400 --> 00:04:17,590 But they can be decrypted using some of the techniques and we can get hold of the original password
49 00:04:17,590 --> 00:04:18,290 of the user.
50 00:04:19,630 --> 00:04:29,140 Now, this demonstration shows the vulnerable parameter page, wherein we are able to inject any arbitrary
51 00:04:29,140 --> 00:04:37,280 file and we are able to read that from the target web server, which portrays the LFI vulnerability.
52 00:04:37,990 --> 00:04:40,780 So I hope you guys understood how to perform this attack.
53 00:04:41,560 --> 00:04:42,130 Thank you.