1
00:00:00,940 --> 00:00:07,620
So in a normal scenario, when you get an actual error, then you can shape an SQL injection attack

2
00:00:08,530 --> 00:00:12,190
and when you don't get an error, you can try Boolean techniques.

3
00:00:13,490 --> 00:00:17,350
But there are other times when even this doesn't work.

4
00:00:18,980 --> 00:00:26,600
So in this lesson, we're going to examine another SQL injection, OK, open SQL injection, blind

5
00:00:26,840 --> 00:00:27,980
time-based.

6
00:00:29,500 --> 00:00:35,770
So as in the previous lesson, you will see a simple search field, so let's try something to search.

7
00:00:38,260 --> 00:00:43,090
And maybe a single quote could leak something, hmm, nothing.

8
00:00:44,940 --> 00:00:48,970
So it seems that we always display the same page, same response.

9
00:00:48,990 --> 00:00:56,820
Yeah, and we have nothing to determine whether our searches or payloads reach the database and execute.

10
00:00:58,500 --> 00:01:03,200
OK, folks, open your terminals before going any further.

11
00:01:04,230 --> 00:01:09,320
Then open sqli_15.php.

12
00:01:11,100 --> 00:01:12,570
So on line 26.

13
00:01:13,480 --> 00:01:15,550
Error reporting is turned off.

14
00:01:16,810 --> 00:01:19,120
That explains why we don't get the errors.

15
00:01:20,400 --> 00:01:24,240
And rigorous security checks, here they come.

16
00:01:25,380 --> 00:01:32,430
So this part is important to us here, the actual query is just like this.

17
00:01:33,480 --> 00:01:38,790
It's not any different from the previous query that we saw in boolean-based SQL injection.

18
00:01:40,020 --> 00:01:41,820
Then this query executes.

19
00:01:43,150 --> 00:01:47,560
And if there's no error and the result set is not empty, then it does something.

20
00:01:48,740 --> 00:01:52,520
Actually, it sends an email to the user's address.

21
00:01:54,060 --> 00:01:55,440
So scroll down a little bit.

22
00:01:56,910 --> 00:01:58,350
Now, this is the search box.
23
00:02:00,170 --> 00:02:03,560
There is no code that can affect the page here.

24
00:02:04,780 --> 00:02:05,890
So go back.

25
00:02:10,140 --> 00:02:12,360
OK, I forgot to try boolean values.

26
00:02:14,330 --> 00:02:17,630
So type OR 1=1.

27
00:02:19,190 --> 00:02:20,150
Nothing happens.

28
00:02:21,250 --> 00:02:22,390
Add a hash character.

29
00:02:24,350 --> 00:02:25,100
No, nothing.

30
00:02:26,170 --> 00:02:27,940
All right, change 1 to 2 and try.

31
00:02:29,370 --> 00:02:36,990
Nothing happens yet, I'm the one who's supposed to know what he's doing right now, what I'm showing

32
00:02:36,990 --> 00:02:45,530
you here is that, as you can tell, comparing with boolean operators doesn't necessarily work all the time.

33
00:02:46,980 --> 00:02:53,850
So that means that we need to use time-based SQL payloads, which is what I guess I began telling

34
00:02:53,850 --> 00:02:54,030
you.

35
00:02:55,050 --> 00:02:58,350
But I want you to see when you need to use them.

36
00:03:01,850 --> 00:03:03,620
So now let's have a look at this payload.

37
00:03:04,720 --> 00:03:07,270
Now, focus on the AND statement.

38
00:03:08,450 --> 00:03:16,340
So if the whole query is legitimate, the left side of the AND will execute very quickly and the right

39
00:03:16,340 --> 00:03:20,060
side of the AND will sleep for two seconds and then execute.

40
00:03:22,030 --> 00:03:25,210
So we're going to observe the page for the response.

41
00:03:26,300 --> 00:03:33,830
If the page loads approximately after two seconds, then it means we get an actual injection, so quick

42
00:03:33,830 --> 00:03:34,370
search.

43
00:03:35,280 --> 00:03:39,810
And look at the lower left corner, the browser is waiting for the page.

44
00:03:41,680 --> 00:03:44,890
Now, I forgot to count for two seconds, but you can see it works.

45
00:03:46,440 --> 00:03:49,470
And then you can shape the payload to pull data.
46
00:03:50,940 --> 00:03:55,810
But I'm going to show you some other types of payloads as well, so let's have a look at this one.

47
00:03:56,310 --> 00:03:57,430
Oh, no, no, wait, wait, wait.

48
00:03:58,440 --> 00:04:01,800
You can also use this, the BENCHMARK function.

49
00:04:03,300 --> 00:04:06,390
So there are several payloads with BENCHMARK.

50
00:04:07,960 --> 00:04:10,810
And now we can perform the version detection.

51
00:04:12,480 --> 00:04:13,800
So use this payload.

52
00:04:14,750 --> 00:04:21,710
And if the first character of the version is 5, it will sleep for two seconds.

53
00:04:22,710 --> 00:04:28,050
Yes, so it waits, so you can get them all one by one.

54
00:04:30,260 --> 00:04:33,800
And then write this payload to get the first character of the current database.

55
00:04:34,820 --> 00:04:37,010
The page will load after two seconds if it's B.

56
00:04:38,280 --> 00:04:40,050
And yes, it is B.

57
00:04:42,410 --> 00:04:48,770
OK, so try this one to get the length of the current database, oh, no, wait, wait, then change it

58
00:04:48,770 --> 00:04:50,690
here to five and search.

59
00:04:52,360 --> 00:05:00,100
And yes, it has five characters, so to learn the length, you can also use the LIKE operator with

60
00:05:00,100 --> 00:05:01,120
placeholders.

61
00:05:02,480 --> 00:05:04,370
So let's add one more placeholder.

62
00:05:08,430 --> 00:05:09,260
Yeah, it works.

63
00:05:11,140 --> 00:05:14,810
OK, so I think you get the point now.

64
00:05:14,830 --> 00:05:15,190
Yeah.

65
00:05:16,370 --> 00:05:21,350
Now, I, of course, have several other payloads, but they do pretty much the same things.

66
00:05:22,800 --> 00:05:28,470
So I'm going to share all that with you in a separate file, and I'm going to stop at this point and

67
00:05:28,470 --> 00:05:32,820
you can try some of the other payloads on your own, go for broke, see what you can do.