[00:00:01] In all of the lectures so far we were exploiting SQL injections manually. So we were injecting the code into the URL or into the text boxes. In this video I'm going to show you a tool called sqlmap, which allows you to do everything we learned so far and even more stuff.

[00:00:21] This tool can be used against MySQL databases, which is the one that we were having the example on. It can also be used against Microsoft SQL, Oracle and other database types. The tool is very useful and is very handy in many cases. Sometimes the injections aren't as nice as the one we see; sometimes you only get one output for each record and you have to look through all the outputs, so the tool can automate that and just do everything for you. Much easier and much simpler.

[00:00:48] So let's first of all get the URL that we were using for the injection. So I have that text file here that we were using, and I have the URL that we were using before. So it's user-info.php, the username is admin, the password is adminpass. You don't really need to know what the username and password are, so I'm actually just going to put anything here, just to assume that we don't know the password. So we're only injecting SQL injections; we don't really need to know any of this stuff. All I'm going to do is copy this and then I'm going to run sqlmap.

[00:01:26] And I'm going to do -u to specify the URL, and I'll put my target, and I'm going to make sure that I have it between two quotation marks so that it doesn't ignore anything and any signs in the middle. So we have some signs and characters in the middle that I wanted to all be treated as one URL. So all I did is sqlmap -u my target, and I'm going to hit enter, and the tool will automatically look through all the parameters. So it's going to look through the user-info, through the username and password, to see if any of them is injectable. And then once it does that it's going to store it in its memory, so it's going to know that this is injectable, and then we'll be able to further exploit the target.

[00:02:11] So as you can see now it's thinking that our target could be MySQL or PostgreSQL. It's asking me if it should skip other tests and I'm going to say yes because I know it's MySQL. And now it's asking me if it should do all the tests for both databases, and I'm going to say yes, assuming that I'm not sure which one it is. I know it's MySQL, but I'm just going to let it do its thing and we'll see if it can do it properly or not. So at the moment it's checking if it's PostgreSQL, and I'm assuming it's going to know that it's not, and then it's going to know that it's MySQL.

[00:02:53] It just found out that the username seems to be injectable, and sure enough it's telling us here that the parameter username is vulnerable and we can inject it. So it's asking me, do I want to check the other parameters, such as the password and all of them. I can say yes and it'd do it. I'm going to say no because I don't mind if it just uses the username for the injections, so it's all good. Now sqlmap knows that the target is injectable and it knows that it's going to use the username parameter to inject stuff, and I can see that it's figured out that it's running Linux Ubuntu, it's figured out that it's using Apache 2.2.8, and it's using MySQL as the database server. So let's run sqlmap --help and see what we can do now.

[00:03:43] Now this tool is really big and it allows you to do a lot of things. So in this video I'm actually just going to show you a quick look at it, and I recommend you spend more time with it and try to see what else you can do with it.

[00:03:59] OK, so let's try to get the current user, and we're going to try to get the current database. So we're going to use the same command that we used before, and I'm just going to add to it --db to get the current databases, or --dbs, sorry. As you can see we got all the databases that we have. So we have the dvwa, we have information_schema, metasploit, mysql as well, owasp10, which was the one that we were exploiting before, and tikiwiki. Now if we do --current-user you can see that we are root, and if I do --current-db we'll see that owasp10 is our current database.

[00:04:55] So now let's try to get the tables for owasp10. So remember when we did select table_name from information_schema.tables where table_schema is equal to owasp10; now we're going to let sqlmap do all of that for us. So the command is going to be: we're going to ask it to get all the tables for us, and we're going to use the -D option to specify the database, and our database is going to be called owasp10. And as you can see it got us all the tables that exist. And remember, it's the same; we've got accounts, blogs_table and the credit_cards as well.

[00:05:38] And now if we want to get the columns, then we can use the same command again, and we're going to say get me the columns where the table is called accounts and the database is owasp10. And right here we can see that we got the columns, so we have the is_admin, password and username, and we can get the data using the --dump option. So it's the same command that we used before, so we'll get the data from the table that's called accounts and the database that is called owasp10, and I want you to get me all the data. And here we go, we got all the data: we have the admin, its password adminpass, and we have adrian and his password is somepassword, and we got all the data right here.

[00:06:36] So that is it. As I said, the tool is very useful, it can be used to make our life much easier, and it does everything automatically, and it can do everything we did and it can even do more stuff.