1 00:00:01,280 --> 00:00:04,130 Hello, everyone, and welcome to this video.
2 00:00:04,790 --> 00:00:10,650 So in this video, we are going to identify SQL injection on a live target.
3 00:00:11,390 --> 00:00:18,650 So here the live target is Huttle or need dot com dot piggy and we will see if we are able to identify
4 00:00:18,650 --> 00:00:20,210 SQL injection in it.
5 00:00:21,200 --> 00:00:28,130 So, as we know, for identification of SQL-based vulnerabilities, we need to identify an injection
6 00:00:28,130 --> 00:00:29,560 point on a target.
7 00:00:30,200 --> 00:00:36,050 So as you can see, in the URL right now, we do not have any injection point or any parameters,
8 00:00:36,680 --> 00:00:43,820 nor do we see anything on the application right now where we can input something or write
9 00:00:43,820 --> 00:00:44,330 something.
10 00:00:45,020 --> 00:00:54,140 So let's navigate through the web application right now and try to identify if we are able to get any parameter
11 00:00:54,140 --> 00:00:55,670 on the web application.
12 00:00:56,210 --> 00:00:59,680 So you can see on the left-hand side it has key amenities.
13 00:00:59,960 --> 00:01:09,230 So I'm going to go to one of them to see if I'm able to identify any parameters and test it so that
14 00:01:09,230 --> 00:01:13,630 if it becomes vulnerable to SQL injection we can move further.
15 00:01:14,960 --> 00:01:21,110 So I'm going to click on Guestroom and you can see once I click on this, in the URL two
16 00:01:21,110 --> 00:01:22,340 parameters appear.
17 00:01:22,880 --> 00:01:29,520 The first parameter is Udy equals 1 and the second parameter is id equals 1.
18 00:01:30,590 --> 00:01:35,120 Now I do not know out of both which parameter is vulnerable.
19 00:01:35,750 --> 00:01:39,180 So I'm going to identify the injection point one by one.
20 00:01:39,950 --> 00:01:47,450 So for the first parameter, I'm going to put a single quote just to check if it gives me an error or
21 00:01:47,450 --> 00:01:50,390 the application loads successfully as it is.
22 00:01:51,020 --> 00:01:56,450 And guys, when I gave a single quote, the application did not change its behavior.
23 00:01:56,960 --> 00:01:57,890 So let's try it on
24 00:01:57,890 --> 00:01:58,930 id equals 1.
25 00:01:59,660 --> 00:02:05,450 Once I give the parameter, you can see the application behaves differently.
26 00:02:05,900 --> 00:02:08,360 The application has changed its state.
27 00:02:09,020 --> 00:02:12,770 The main reason over here is we are not able to see any MySQL-based error.
28 00:02:13,250 --> 00:02:15,610 The developer has suppressed the error.
29 00:02:16,310 --> 00:02:24,110 It is one of the most common techniques that developers use to suppress the errors so the users are
30 00:02:24,110 --> 00:02:26,970 not able to see those errors in their browsers.
31 00:02:27,410 --> 00:02:27,860 All right.
32 00:02:27,860 --> 00:02:35,840 So now we have identified the vulnerable injection point and that was id equals. Now we are going
33 00:02:35,840 --> 00:02:44,060 to use sqlmap to exploit it further and get sensitive information from its database.
34 00:02:44,960 --> 00:02:46,400 So to run sqlmap,
35 00:02:46,400 --> 00:02:52,220 you need to type python sqlmap.py -u and then double quotes.
36 00:02:52,220 --> 00:02:54,890 You need to give your target URL.
37 00:02:55,430 --> 00:03:02,900 As you can see over here now, how is sqlmap going to know which injection point or
38 00:03:02,900 --> 00:03:04,180 parameter is vulnerable?
39 00:03:04,760 --> 00:03:06,800 So we need to tell that to sqlmap.
40 00:03:07,550 --> 00:03:12,200 For that, you need to add a custom injection marker, which is a star.
41 00:03:13,070 --> 00:03:19,790 On any of the parameters that you think is vulnerable or you have identified to be vulnerable when the
42 00:03:19,790 --> 00:03:27,950 application is changing its state. As you can see, I have successfully added the injection point, which
43 00:03:27,950 --> 00:03:29,240 is id equals 1,
44 00:03:29,240 --> 00:03:31,100 and I added a star over there.
45 00:03:31,940 --> 00:03:37,820 Now, I will just simply hit enter and you can see a message that has been given by sqlmap, which
46 00:03:37,820 --> 00:03:38,840 is "custom injection
47 00:03:38,840 --> 00:03:41,060 marker found in option '-u'.
48 00:03:41,060 --> 00:03:43,280 Do you want to process it?"
49 00:03:43,960 --> 00:03:46,760 You can see I have written capital Y,
50 00:03:47,450 --> 00:03:48,500 which means yes.
51 00:03:48,800 --> 00:03:55,340 And it has identified that the resuming back-end DBMS is MySQL, testing connection to the target
52 00:03:55,340 --> 00:03:57,530 URL, and you can see the back-end
53 00:03:57,530 --> 00:04:00,860 DBMS is MySQL, web application
54 00:04:00,860 --> 00:04:07,890 technology is Apache and MySQL is greater than or equal to 5.0.12.
55 00:04:08,360 --> 00:04:14,930 So we have identified a lot of information regarding the web application technology and the back-end
56 00:04:14,930 --> 00:04:15,690 DBMS.
57 00:04:16,310 --> 00:04:23,930 Now you can also use a flag which is --banner to do the banner grabbing.
58 00:04:24,260 --> 00:04:31,980 So banner grabbing is one of the techniques in which we identify what our target is using.
59 00:04:32,450 --> 00:04:36,410 So when you do banner grabbing, you will get the same output.
60 00:04:37,610 --> 00:04:43,700 OK, one more thing to notice over here is that whenever you are running sqlmap on any target,
61 00:04:44,390 --> 00:04:50,930 all the data that you can see in your command prompt or in your terminal is automatically getting
62 00:04:50,930 --> 00:04:56,990 logged and saved under a hidden directory, which is .sqlmap, as you can see over
63 00:04:56,990 --> 00:05:01,080 here inside the output folder and with the target name.
64 00:05:01,370 --> 00:05:07,030 So for now, the target name is hold on it, dot com, dot picture perfect.
65 00:05:07,580 --> 00:05:13,400 Moving ahead, I'm going to add --banner to do the banner grabbing.
66 00:05:13,700 --> 00:05:21,590 Remember, if you do not add --banner, it is also by default going to identify and do the
67 00:05:21,590 --> 00:05:22,760 banner grabbing for you.
68 00:05:23,240 --> 00:05:24,200 But you should know this.
69 00:05:24,710 --> 00:05:25,010 Oops.
70 00:05:25,100 --> 00:05:28,520 We wrote three hyphens, or three dashes.
71 00:05:28,520 --> 00:05:31,790 You just need to add two dashes and hit enter.
72 00:05:32,240 --> 00:05:33,140 Now you can see it
73 00:05:33,140 --> 00:05:34,940 asked again: "custom injection
74 00:05:34,940 --> 00:05:35,620 marker found.
75 00:05:35,630 --> 00:05:36,850 Do you want to process it?"
76 00:05:37,280 --> 00:05:42,410 So you have to add capital Y, which means yes, again.
77 00:05:43,430 --> 00:05:45,860 And it has identified the same details for you.
78 00:05:46,850 --> 00:05:55,580 Now guys, I do not want to add this Y every time whenever I'm scanning. I want sqlmap
79 00:05:55,580 --> 00:06:00,080 to process all my requests and take the decisions automatically as
80 00:06:00,080 --> 00:06:00,400 yes.
81 00:06:01,040 --> 00:06:03,470 So for that you need to add --batch.
82 00:06:03,470 --> 00:06:10,970 So --batch means we are telling sqlmap to take the decisions automatically and
83 00:06:10,970 --> 00:06:13,850 not ask the user for any prompt.
84 00:06:15,050 --> 00:06:21,080 And you can see we are able to identify the details about the server, which are exactly the same.
85 00:06:22,370 --> 00:06:29,120 Now, moving ahead, we want to identify something sensitive from the web application, right?
86 00:06:29,720 --> 00:06:36,350 Which is the database. For that I'm going to add --dbs, which means databases.
87 00:06:37,490 --> 00:06:40,260 And hit enter, and in just a little time
88 00:06:40,280 --> 00:06:48,170 it has identified in total two available databases, as you can see: fetching database names, available
89 00:06:48,170 --> 00:06:54,350 databases: two. The first is information_schema and the second one is ornate on it.
90 00:06:55,700 --> 00:07:03,860 Now out of these two databases, ordinate ordinate looks more interesting because it is likely to be
91 00:07:03,860 --> 00:07:07,060 more related to our target web application.
92 00:07:07,640 --> 00:07:14,630 So for now, we are going to go inside the ornate, ornate database and identify if we get anything
93 00:07:14,630 --> 00:07:15,740 sensitive in it.
94 00:07:16,340 --> 00:07:24,230 Remember, information_schema is the schema of the target database and you may not get anything sensitive
95 00:07:24,230 --> 00:07:25,520 in that database.
96 00:07:26,660 --> 00:07:34,730 So going into the on it on a database, we will now try to identify and fetch the tables that exist
97 00:07:34,730 --> 00:07:35,870 in the database.
98 00:07:36,560 --> 00:07:41,830 So for that you need to type -D, which stands for database, and the database name.
99 00:07:42,980 --> 00:07:49,130 As we want the tables that exist, we are going to type --tables and hit enter.
100 00:07:50,510 --> 00:07:55,520 As you can see, we are able to retrieve in total five tables.
101 00:07:55,940 --> 00:08:02,450 The first one is Galardi to about Lieto, Ed Littlepage and Leito user.
102 00:08:03,050 --> 00:08:06,380 Remember guys, we added --batch.
103 00:08:06,710 --> 00:08:12,380 That is the reason it is not asking us to confirm anything, or no prompt is asked.
104 00:08:13,100 --> 00:08:17,510 It is taking all the decisions automatically. Perfect.
105 00:08:18,000 --> 00:08:25,400 Now let's go and dump one of the tables. So it looks like this Leito user table is interesting,
106 00:08:25,610 --> 00:08:33,320 and I would like to go into this table. So for that we need to give the table with the -T flag, which
107 00:08:33,320 --> 00:08:34,040 is Leito
108 00:08:34,040 --> 00:08:35,090 underscore user.
109 00:08:35,390 --> 00:08:37,720 And as we want all the columns right now,
110 00:08:37,760 --> 00:08:41,830 so we are going to add --columns and hit enter.
111 00:08:42,680 --> 00:08:51,800 And you can see we have successfully identified that in the Leito user database, or I'm sorry, in
112 00:08:51,800 --> 00:08:54,880 the Arnet only database, Leito user table,
113 00:08:55,100 --> 00:09:01,880 we have identified in total five columns, which are email, full name, ID, password and username.
114 00:09:03,050 --> 00:09:08,050 Now I want to see the data which is in these five columns.
115 00:09:08,630 --> 00:09:15,800 So for that I'm going to dump the database by typing the command, which is --dump.
116 00:09:16,310 --> 00:09:22,670 And you can see we are able to get the successful retrieval of data and you can see there is a total
117 00:09:22,670 --> 00:09:23,780 of one entry.
118 00:09:24,110 --> 00:09:28,170 And you can see this is the email address, which is on hotmail dot com.
119 00:09:28,490 --> 00:09:29,440 This is the username.
120 00:09:29,450 --> 00:09:34,550 It is admin, full name is administrator, and the password is also admin.
121 00:09:34,940 --> 00:09:35,380 Bingo.
122 00:09:35,690 --> 00:09:41,030 We are able to identify the credentials of the admin, which are username admin and password admin.
123 00:09:41,420 --> 00:09:49,130 And you can also see that the details have been successfully saved into one of the files, which is Leito
124 00:09:49,130 --> 00:09:51,230 user dot csv, automatically.
125 00:09:52,040 --> 00:09:53,980 That is the best thing about sqlmap.
126 00:09:54,350 --> 00:09:57,200 That is, it continuously logs everything.
127 00:09:57,500 --> 00:10:03,410 And whenever you want to go back, you can just go to the folders and you are able to identify about
128 00:10:03,410 --> 00:10:04,020 your target.
129 00:10:04,700 --> 00:10:10,700 Now, one more thing that I would like to mention to every one of you is whenever you are testing for
130 00:10:10,700 --> 00:10:19,520 SQL injection in any application, you should not dump any sensitive information or database or
131 00:10:19,520 --> 00:10:26,490 tables or columns from that target, because that may be a violation of the policies of that bug bounty
132 00:10:26,510 --> 00:10:27,080 program,
133 00:10:27,080 --> 00:10:33,500 and you may end up in some trouble. Although you have identified a very critical vulnerability, it
134 00:10:33,500 --> 00:10:41,090 may end up that you may not get anything for this hard work or identification of a very good vulnerability
135 00:10:41,090 --> 00:10:41,900 in the target.
136 00:10:42,530 --> 00:10:51,350 So in case you identify that any application is vulnerable to SQL injection, just identification of
137 00:10:51,350 --> 00:10:58,490 the database name is more than sufficient to prove the criticality and the severity of the vulnerability
138 00:10:58,910 --> 00:11:00,340 to the bug bounty program.
139 00:11:00,560 --> 00:11:07,850 So you should just make a video or a screenshot PoC showing the database name and they will automatically
140 00:11:07,850 --> 00:11:11,600 understand and triage your vulnerability. And remember,
141 00:11:11,840 --> 00:11:17,840 if you identify a SQL injection based vulnerability, then it is considered to be a critical or a
142 00:11:17,840 --> 00:11:18,830 high vulnerability.
143 00:11:19,100 --> 00:11:26,330 So it should go for a P1 or P2 bug at least on any bug bounty program or any pentesting that
144 00:11:26,330 --> 00:11:26,990 you are going to do.
145 00:11:27,950 --> 00:11:36,020 So I hope you guys understood how you can use sqlmap for exploitation of web applications and how
146 00:11:36,020 --> 00:11:43,920 you can also dump and download the sensitive information from the database for any vulnerable website.
147 00:11:44,660 --> 00:11:45,910 I hope you guys understood.
148 00:11:45,920 --> 00:11:53,350 In case you have any issues in performing the exact steps, you can always post your questions in
149 00:11:53,360 --> 00:11:56,750 the Q&A section, and I would always help you.
150 00:11:56,990 --> 00:11:57,470 Thank you.