1
00:00:01,820 --> 00:00:08,880
In this lecture I'd like to show you how we can use SQL injections to read any file on the server.

2
00:00:08,920 --> 00:00:15,640
So even if the file exists outside the www root we'll be able to read it exactly like a file disclosure

3
00:00:15,640 --> 00:00:16,850
vulnerability.

4
00:00:17,020 --> 00:00:23,610
And we'll also see how we can use it to write files and upload them to the system just like a file upload

5
00:00:23,620 --> 00:00:24,420
vulnerability.

6
00:00:25,060 --> 00:00:31,770
So the first thing we're going to have a look at is reading a file, and I'm going to set everything

7
00:00:31,770 --> 00:00:32,430
to null here.

8
00:00:32,430 --> 00:00:36,030
So I have my statement here and I'm gonna set select one.

9
00:00:36,030 --> 00:00:42,300
I'm gonna leave number two 'cause I'm gonna do stuff on that, and we're gonna do another three nulls

10
00:00:42,300 --> 00:00:42,530
here.

11
00:00:42,540 --> 00:00:48,480
So null, null, null.

12
00:00:48,490 --> 00:00:50,650
So we have select null, something,

13
00:00:50,650 --> 00:00:51,400
null, null, null.

14
00:00:51,460 --> 00:00:58,960
So five, because we have five records when we did the order by, and instead of selecting something,

15
00:00:58,960 --> 00:01:06,420
remember in the third video we did select database() for example and it showed us the current database.

16
00:01:06,420 --> 00:01:11,340
What I want to do now is I want to do another function, and that function is called LOAD_FILE,

17
00:01:15,240 --> 00:01:21,330
and in here I'm gonna set the file that I want to load, and I'm going to use the same file that we had

18
00:01:21,330 --> 00:01:30,170
a look at in the file inclusion vulnerability, and it was /etc/passwd, so we're trying to read that

19
00:01:30,170 --> 00:01:35,480
file and our statement is union select that file, and that's it.
20
00:01:35,690 --> 00:01:42,490
So I'm going to copy this and I'm going to inject it here, and I'm going to add my percentage 23 which

21
00:01:42,490 --> 00:01:47,660
is my comment.

22
00:01:47,810 --> 00:01:56,030
And as you can see we managed to read all the information, all the content of /etc/passwd, even though

23
00:01:56,030 --> 00:02:01,880
it's not in the web root, so it's stored in /etc/passwd, so we can read anything on the server, from other

24
00:02:01,880 --> 00:02:07,460
websites, from other files, anywhere on the server, we can read it by specifying the full path of the

25
00:02:07,460 --> 00:02:10,220
file.

26
00:02:10,290 --> 00:02:15,180
The next thing I'd like to show you is writing to the server.

27
00:02:15,400 --> 00:02:20,800
So we're actually going to write stuff to the server, and this is very useful because you'd be able to

28
00:02:20,800 --> 00:02:23,110
write any code you want.

29
00:02:23,110 --> 00:02:29,680
So for example you can write the code for a PHP script, you can write the code for a shell, a

30
00:02:29,680 --> 00:02:33,580
virus, or a PHP code to get a reverse connection to you.

31
00:02:33,580 --> 00:02:40,300
So it'll basically just act like a file upload vulnerability, and to do that I'm going to write the code

32
00:02:40,300 --> 00:02:43,120
that I want to write here, and I'm going to call that, for example,

33
00:02:43,120 --> 00:02:51,930
just "example example", and we're going to use a function called OUTFILE.

34
00:02:51,960 --> 00:02:59,650
So we're going to do INTO OUTFILE and then we're going to specify where we want to store that file.

35
00:02:59,650 --> 00:03:03,980
Now in best case scenarios you'd be able to write to your web root.

36
00:03:04,240 --> 00:03:09,670
And that will mean that you can access the file through the browser and execute it, so you can upload

37
00:03:10,300 --> 00:03:14,540
a Weevely file and then connect to it and do stuff like that.
38
00:03:14,560 --> 00:03:16,130
So let's try to do that first.

39
00:03:16,150 --> 00:03:23,900
So we're gonna do it in /var/www, and that's our web root, so we'll be able to access things through

40
00:03:23,900 --> 00:03:24,050
it.

41
00:03:24,050 --> 00:03:29,210
Or you can even do /var/www and then put mutillidae after it

42
00:03:30,830 --> 00:03:36,990
to store it in there. So the commands are very simple again, union select.

43
00:03:36,990 --> 00:03:42,420
Make sure you set everything to null so that nothing gets written into the file except what you put in

44
00:03:42,420 --> 00:03:42,710
here.

45
00:03:42,720 --> 00:03:50,070
And I put, for example, "example example", and it's going to be stored into our file in /var/www/mutillidae, and we'll

46
00:03:50,070 --> 00:04:12,620
call that example. Let's try to run this and see if it works.

47
00:04:12,660 --> 00:04:14,380
Now this didn't work.

48
00:04:14,430 --> 00:04:23,520
And if you come down here you'll see that SQL, or MySQL, is not allowed to create or write to this

49
00:04:23,520 --> 00:04:24,320
directory.

50
00:04:24,360 --> 00:04:31,440
So the problem is, the permissions that we have don't allow us to write to this particular

51
00:04:31,500 --> 00:04:32,790
location.

52
00:04:32,850 --> 00:04:40,170
So just to test this exploit I'm going to change this location to /tmp, which is the temp, and you'll see

53
00:04:40,170 --> 00:04:44,390
that you can actually write to temp, so in real life scenarios

54
00:04:44,390 --> 00:04:48,010
it depends, you can try it and see if you're able to write stuff or not.

55
00:04:48,130 --> 00:04:58,640
And this, we're trying to write to temp now, and if we read in temp, if we clear that and then ls

56
00:05:01,310 --> 00:05:04,730
/tmp, you'll see that we have something called example.
57
00:05:04,760 --> 00:05:13,140
And if we try to read that you'll see that it contains, obviously it contains the content of what we

58
00:05:13,140 --> 00:05:18,090
did before, which was the normal selection that you'd see.

59
00:05:18,100 --> 00:05:25,270
So what you see for putting this stuff for admin, and then it showed us what's in there, which is "example

60
00:05:25,270 --> 00:05:32,080
example", which is what we wanted to write to the file.

61
00:05:32,110 --> 00:05:37,120
Now you can obviously get rid of the admin and the admin pass stuff by just putting the wrong username

62
00:05:37,330 --> 00:05:39,430
and nothing is gonna be displayed here.

63
00:05:39,430 --> 00:05:45,260
So the only thing that you'll see is the output, which is "example example".

64
00:05:45,310 --> 00:05:52,270
Well again this is only useful if you're able to write to your web server, so you can access it and then

65
00:05:52,270 --> 00:05:56,790
use your shell or use your payload and further exploit the system.
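The two primitives the lecture uses, LOAD_FILE() to read and INTO OUTFILE to write, leave a distinctive trace in MySQL's general query log, and the failed write to /var/www shows that filesystem permissions (and the server's secure_file_priv setting) decide whether the write primitive works at all. The following Python script is an added example, not part of the course: it scans constructed general-log lines for those two patterns and classifies a secure_file_priv value; the log layout assumed is the default MySQL general-log text format, and the sample lines are constructed.

```python
import re
from typing import Dict, List

# Constructed sample of MySQL general query log lines (not from the course);
# the injected queries mirror the lecture's LOAD_FILE and INTO OUTFILE payloads.
SAMPLE_LOG = """\
2024-01-01T10:00:01.000000Z\t  12 Query\tSELECT * FROM accounts WHERE username='admin' AND password='pass'
2024-01-01T10:00:02.000000Z\t  12 Query\tSELECT * FROM accounts WHERE username='' UNION SELECT null,LOAD_FILE('/etc/passwd'),null,null,null#' AND password=''
2024-01-01T10:00:03.000000Z\t  12 Query\tSELECT * FROM accounts WHERE username='' UNION SELECT null,'example example',null,null,null INTO OUTFILE '/tmp/example'#' AND password=''
2024-01-01T10:00:04.000000Z\t  13 Query\tSELECT name FROM products WHERE id=7
"""

# Default general-log text layout: timestamp, tab, thread id, command, tab, argument.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
SIGNATURES = {
    "file_read": re.compile(r"\bLOAD_FILE\s*\(", re.I),
    "file_write": re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
    "union_injection": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
}
# Pulls the quoted path out of LOAD_FILE('...') or INTO OUTFILE/DUMPFILE '...'.
PATH = re.compile(r"(?:LOAD_FILE\s*\(\s*|INTO\s+(?:OUTFILE|DUMPFILE)\s+)'([^']*)'", re.I)

def scan_general_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per Query line that reads or writes a server file."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        query = m.group("arg")
        hits = [name for name, rx in SIGNATURES.items() if rx.search(query)]
        if "file_read" not in hits and "file_write" not in hits:
            continue  # a bare UNION SELECT is only reported as context for a file hit
        path = PATH.search(query)
        findings.append({"time": m.group("ts"), "thread": m.group("thread"),
                         "indicators": ",".join(hits),
                         "path": path.group(1) if path else "", "query": query})
    return findings

def assess_secure_file_priv(value) -> str:
    """Classify SHOW VARIABLES LIKE 'secure_file_priv': '' lets LOAD_FILE/OUTFILE touch
    any path the mysqld user can reach, NULL disables both, a directory confines them."""
    if value is None or value.upper() == "NULL":
        return "disabled"
    if value == "":
        return "unrestricted"
    return "restricted"

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f["time"], "thread", f["thread"], f["indicators"], f["path"])
```

Even with a restricted secure_file_priv, the write still succeeds into that directory when the mysqld user may write there, which is exactly the /var/www versus /tmp difference the lecture runs into.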