1
00:00:01,700 --> 00:00:02,110
OK.

2
00:00:02,120 --> 00:00:08,360
Now I'd like to show you an SQL injection in a different file and a different page, and I'll show

3
00:00:08,360 --> 00:00:13,820
you a few different things that you can do to exploit that vulnerability.

4
00:00:13,850 --> 00:00:20,180
So first I'm going to go to the login page, which is here.

5
00:00:20,600 --> 00:00:21,230
User info.

6
00:00:21,260 --> 00:00:24,440
So the first time I went to the login page from there.

7
00:00:24,440 --> 00:00:26,780
This time we went to the user info page.

8
00:00:26,960 --> 00:00:32,360
So this page will show you the information about the user, provided you give the username and

9
00:00:32,360 --> 00:00:32,940
password.

10
00:00:32,960 --> 00:00:35,680
So I'm going to put Zaid and I'm going to put my password,

11
00:00:35,690 --> 00:00:37,610
one two three four five six.

12
00:00:37,790 --> 00:00:45,750
And it'll show my details: username and password, and my signature. So the statement that's been executed

13
00:00:45,750 --> 00:00:48,110
here is similar to what was being executed

14
00:00:48,120 --> 00:00:54,000
when you log in, so it's SELECT * FROM accounts WHERE username is what you put in the user field

15
00:00:54,390 --> 00:00:57,650
and password is what you put in the password field.

16
00:00:57,690 --> 00:01:04,530
So what we're going to do now is we're going to see a different way of exploiting this kind of vulnerability.

17
00:01:04,560 --> 00:01:10,260
In the previous video we were doing it using a POST text box.

18
00:01:10,260 --> 00:01:17,030
So whatever you put in the text box was being posted using a POST method to the web application.

19
00:01:17,040 --> 00:01:23,430
Now these vulnerabilities can exist in GET too, and what I mean by GET is, when you do a GET, when something

20
00:01:23,460 --> 00:01:26,430
is sent as GET, you will see it here in the URL.
21
00:01:27,060 --> 00:01:33,030
So if you look at the URL here, you see it's being sent as the username Zaid and password one two three four

22
00:01:33,030 --> 00:01:33,720
five six.

23
00:01:35,160 --> 00:01:41,880
So let me just copy this URL here and we'll start playing with it from the URL, and instead of

24
00:01:41,880 --> 00:01:49,230
doing it on the web page I just want to show you a different example, because in many places there might

25
00:01:49,230 --> 00:01:55,310
not even be text boxes. For example it could be something like news.php.

26
00:01:55,380 --> 00:02:01,020
So we can see here, for example, in this example it's index.php, and in your pentesting you might see

27
00:02:01,020 --> 00:02:08,070
something like news.php and, for example, id equal to two, and then you can try to inject stuff

28
00:02:08,070 --> 00:02:09,040
in there.

29
00:02:09,090 --> 00:02:14,760
So we're having an example here where we're going to be injecting things into the username field, which

30
00:02:14,760 --> 00:02:22,600
is this field, and we're going to be injecting stuff in here. So anytime when you're doing your pentest,

31
00:02:22,630 --> 00:02:28,590
anytime you see parameters like this you should try to inject them. Anytime you see something.php

32
00:02:28,600 --> 00:02:33,910
and then you have a parameter equals something, always try to inject stuff in there and see if it

33
00:02:33,910 --> 00:02:34,550
works for you.
34
00:02:35,650 --> 00:02:43,180
So we've also seen a way of discovering the injection, and that was using the quotation mark and using the

35
00:02:43,180 --> 00:02:49,630
AND, so we do AND false and AND true, AND 1=1 and then AND 1=2, and

36
00:02:49,630 --> 00:02:56,290
if the server is executing what we want then we're going to know that there is an SQL injection. I'm

37
00:02:56,290 --> 00:03:02,590
going to show you another way of discovering these exploits, and it's using the ORDER BY. As the name

38
00:03:02,590 --> 00:03:10,870
suggests, the ORDER BY statement is used to order the results that we get on the screen based on a specific

39
00:03:10,930 --> 00:03:12,030
column.

40
00:03:12,070 --> 00:03:14,850
So our injection is going to be like this.

41
00:03:14,860 --> 00:03:21,240
So I'm going to do ORDER BY 1.

42
00:03:21,420 --> 00:03:29,910
So if the injection exists, this should work, because in each SELECT statement there should be

43
00:03:29,910 --> 00:03:32,460
at least one column being selected.

44
00:03:32,460 --> 00:03:38,420
Therefore when we say ORDER BY 1 we're saying I want to order the results based on the first column.

45
00:03:38,490 --> 00:03:45,810
Therefore this should always be acceptable by the database and return true, or something that we expect.

46
00:03:47,280 --> 00:03:51,960
We also need to add the comment in here and execute this code.

47
00:03:51,960 --> 00:03:53,580
So it's exactly like before.

48
00:03:53,580 --> 00:04:01,290
So when we're doing this, basically this is our URL, and what's going to happen on the database,

49
00:04:01,290 --> 00:04:06,140
so this is the code that's been executed on the database, it's going to look like this:

50
00:04:13,400 --> 00:04:19,570
so it's gonna be SELECT * FROM accounts WHERE username equals Zaid, and note how this is closed

51
00:04:19,570 --> 00:04:27,630
with the quote, and we're gonna do an ORDER BY 1, and there should be this code here at the end.

52
00:04:27,630 --> 00:04:33,660
And this comment will tell the SQL interpreter to ignore anything that comes in

53
00:04:33,660 --> 00:04:34,290
after it.

54
00:04:34,290 --> 00:04:36,030
So all of this is going to be ignored.

55
00:04:39,790 --> 00:04:41,160
So I'm copying this,

56
00:04:45,990 --> 00:04:52,500
so you can actually paste this injection, Zaid ORDER BY 1, into the name right here and that's gonna

57
00:04:52,530 --> 00:04:53,100
work.

58
00:04:53,310 --> 00:04:58,420
But again, I just want to show you a different way of doing it by injecting it through the browser.

59
00:04:58,420 --> 00:05:04,530
Another thing that I want you to note is, when you inject it yourself into the browser, the code

60
00:05:04,800 --> 00:05:06,470
should be encoded.

61
00:05:06,480 --> 00:05:14,730
So for example this sign, usually when you put it in your URL it should be written as %23. Spaces,

62
00:05:14,730 --> 00:05:22,080
for example, get converted to %20, and %23 is the comment that we're using.

63
00:05:22,110 --> 00:05:27,730
So I'm going to copy that and replace my comment sign with it.

64
00:05:27,800 --> 00:05:32,670
Now you can google HTTP encoder and you'll see there are online tools that'll just confirm this

65
00:05:32,670 --> 00:05:34,170
for you. For me,

66
00:05:34,170 --> 00:05:39,170
now I know that the hash sign can be converted to %23.
67
00:05:39,240 --> 00:05:46,430
So that's why I'm using it there, and I'm going to hit enter, and as you can see now we're seeing something

68
00:05:46,430 --> 00:05:47,440
that's acceptable,

69
00:05:50,240 --> 00:05:53,700
nothing wrong, and then it's shown me the information about Zaid,

70
00:05:53,710 --> 00:05:56,370
one two three four five six, and then the signature.

71
00:05:56,390 --> 00:05:58,010
So it is ignoring the password.

72
00:05:58,040 --> 00:06:03,110
So the injection worked, and it's ordering by 1, so it's not shown me anything wrong.

73
00:06:03,620 --> 00:06:09,650
Let's try to make this number one a very large number, so put in 10000 or 100000 now.

74
00:06:10,040 --> 00:06:15,590
So what we're saying right now is: I want you to order the results that will be returned by the current

75
00:06:15,590 --> 00:06:19,490
SELECT statement based on column one hundred thousand.

76
00:06:19,490 --> 00:06:25,970
Now chances are there aren't 100000 columns used in this SELECT statement, and therefore this should

77
00:06:25,970 --> 00:06:27,670
return an error.

78
00:06:27,680 --> 00:06:35,250
So when I execute this you'll see that there is an error, and the error is in the ORDER clause, and it's telling us

79
00:06:35,350 --> 00:06:38,960
that there is an unknown column 100000.

80
00:06:39,140 --> 00:06:43,580
And this is great, because now we know that the database is executing what we want.

81
00:06:43,580 --> 00:06:48,500
So when we told it to order the results based on the first column it showed us results.

82
00:06:48,500 --> 00:06:50,540
So it followed what we told it.

83
00:06:50,780 --> 00:06:57,860
And then when we told it to order the results based on a column that does not exist it gave us an error.

84
00:06:57,890 --> 00:07:01,040
So it's obviously vulnerable to SQL injection.