1 00:00:07,740 --> 00:00:12,790 All right, so let's get into web app penetration testing now, and we're going to start with injections.
2 00:00:13,230 --> 00:00:17,010 This doesn't just include SQL injection; it includes all kinds of injections.
3 00:00:17,010 --> 00:00:20,010 So command injections, XML parsers.
4 00:00:20,010 --> 00:00:23,120 You can see that here in the security weaknesses section.
5 00:00:23,580 --> 00:00:27,350 But, you know, this is a major threat vector.
6 00:00:27,450 --> 00:00:28,970 We're going to look at SQL injection.
7 00:00:28,980 --> 00:00:33,720 It allows an attacker to interfere with queries that the application makes to the database.
8 00:00:34,140 --> 00:00:40,380 So depending on how the query is written and the type of application that you're targeting, this might
9 00:00:40,380 --> 00:00:44,850 allow an attacker to subvert the application's logic and completely bypass authentication.
10 00:00:45,630 --> 00:00:51,150 Maybe they could access sensitive data, destroy tables, and in some cases even get a reverse shell
11 00:00:51,150 --> 00:00:52,050 on the victim host.
12 00:00:52,470 --> 00:00:54,990 So, you know, this is pretty bad.
13 00:00:54,990 --> 00:01:00,720 And some of the other things that could happen is, if the results of the query are returned in the application's
14 00:01:00,720 --> 00:01:07,560 response, then a threat actor can actually use SQL injection to fetch data from other tables using
15 00:01:07,860 --> 00:01:10,800 a UNION; that's a SQL-specific keyword.
16 00:01:10,980 --> 00:01:15,010 And the only catch is you just need to make sure you have the number of columns and data types.
17 00:01:15,330 --> 00:01:19,470 So if you're going to UNION two tables together, they need to have the same columns: the number of
18 00:01:19,470 --> 00:01:20,760 columns and the same data types.
19 00:01:21,300 --> 00:01:24,520 But what I want to do now is I just want to kind of show you what this is.
20 00:01:24,960 --> 00:01:31,320 So when you get into this, it tells you right in OWASP; it says, you know, user-supplied data
21 00:01:31,320 --> 00:01:33,630 is not validated, filtered, or sanitized.
22 00:01:34,510 --> 00:01:34,740 Right.
23 00:01:34,740 --> 00:01:35,990 So there's no validation done.
24 00:01:36,780 --> 00:01:42,690 Then this can result in SQL injection if the data isn't filtered, meaning, you know, certain characters
25 00:01:42,690 --> 00:01:45,300 are left intact, or not filtered or stripped or escaped.
26 00:01:45,630 --> 00:01:46,530 And that can lead to issues.
27 00:01:46,530 --> 00:01:52,620 And if the data isn't sanitized, or it's not rewritten or encoded in some way so that the data is not
28 00:01:52,620 --> 00:01:55,050 treated as code, then you can run into issues.
29 00:01:55,440 --> 00:01:59,450 And this is actually a pretty good example here, where they show you, in this attack example.
30 00:01:59,730 --> 00:02:01,830 So you can see the string.
31 00:02:02,640 --> 00:02:05,820 And what's going to happen here is this web app, example
32 00:02:05,820 --> 00:02:12,060 dot com, has a route for app/accountView; there's an ID value there.
33 00:02:12,060 --> 00:02:17,670 You can see that this ID value is coming from the GET request and the getParameter value.
34 00:02:17,670 --> 00:02:17,850 Right.
35 00:02:17,850 --> 00:02:20,190 So there's no sanitization, there's no validation.
36 00:02:20,190 --> 00:02:26,640 It's just the raw attacker-controllable value being concatenated into SQL code.
37 00:02:27,270 --> 00:02:30,020 Therefore, that value becomes code and it's executable.
38 00:02:30,270 --> 00:02:36,660 If the attacker puts in a single tick, what they can do is, well, you can see where, right here,
39 00:02:36,660 --> 00:02:37,120 what's happening?
40 00:02:37,120 --> 00:02:38,040 There's a single tick here.
41 00:02:39,160 --> 00:02:46,330 There's another single tick here, so if I put in a single tick for ID, then I will close the query here,
42 00:02:46,330 --> 00:02:47,860 and then I put OR.
43 00:02:49,080 --> 00:02:54,750 Single tick, one, tick, equals, tick, one, tick, and then close the query out.
44 00:02:56,180 --> 00:03:01,300 Right, so this is closed now, it's closed out, so it's OK, the custID, it can be whatever value
45 00:03:01,720 --> 00:03:06,490 it's set equal to, or it could be equal to this: one is equal to one.
46 00:03:06,910 --> 00:03:08,200 There should be another single tick here.
47 00:03:08,230 --> 00:03:09,280 Looks like they forgot that value.
48 00:03:09,610 --> 00:03:11,680 And since one is equal to one, that's true.
49 00:03:12,490 --> 00:03:14,980 This entire WHERE clause basically disappears.
50 00:03:14,980 --> 00:03:15,910 There's no WHERE condition.
51 00:03:16,180 --> 00:03:21,760 And so it will then therefore select all columns from a table called accounts.
52 00:03:22,330 --> 00:03:23,500 And the data has just been dumped.
53 00:03:24,160 --> 00:03:24,270 Right.
54 00:03:24,340 --> 00:03:25,930 So that's pretty much how that works at a high level.
55 00:03:26,270 --> 00:03:32,080 Let's get into how we can actually run this attack, so we get into Juice Shop and let's see what we
56 00:03:32,080 --> 00:03:32,650 can do here.
57 00:03:34,070 --> 00:03:38,600 So one of the places to check for this is the login form, right?
58 00:03:38,620 --> 00:03:39,920 That's the first place I would like to check.
59 00:03:41,150 --> 00:03:45,140 And because, you know, we might be able to log in by simply commenting out the WHERE clause, kind
60 00:03:45,140 --> 00:03:48,020 of like we saw earlier, where there's some password check.
61 00:03:48,800 --> 00:03:51,590 So let's go ahead and bring up the network tools.
62 00:03:52,620 --> 00:03:55,380 So we can see what's happening behind the scenes.
63 00:03:57,640 --> 00:04:01,000 All right, so we've got the network tab there. For the email, I'm just going to put in a single tick,
64 00:04:01,510 --> 00:04:03,820 another single tick, and I'm actually going to filter this through Burp.
65 00:04:06,710 --> 00:04:09,750 And I was going to take a peek at Wappalyzer to see what technologies are being run here.
66 00:04:10,490 --> 00:04:14,290 So, jQuery, something called [inaudible], webpack.
67 00:04:14,690 --> 00:04:19,910 So, you know, that's just some light sort of recon using Wappalyzer, which is a browser plugin.
68 00:04:20,250 --> 00:04:24,860 If we go into Burp, we can make sure the intercept is off. Back here,
69 00:04:25,260 --> 00:04:25,970 let's click login.
70 00:04:27,780 --> 00:04:30,060 And we get this verbose object.
71 00:04:30,090 --> 00:04:32,430 This is, this is a finding right here, right?
72 00:04:32,610 --> 00:04:34,980 Although it doesn't say anything, it does say something.
73 00:04:35,190 --> 00:04:39,120 It doesn't tell me as an attacker, you know, what the specific error was, but it tells me that this
74 00:04:39,120 --> 00:04:43,200 particular website has poor security hygiene, which means there are probably other problems with it.
75 00:04:43,710 --> 00:04:45,090 And if you look at the POST request.
76 00:04:46,510 --> 00:04:48,720 You can see there was an internal server error, right?
77 00:04:50,000 --> 00:04:54,130 You can see what we sent in the request, and what came back in the response if we click over to the response.
78 00:04:55,770 --> 00:04:57,690 You'll see this verbose error.
79 00:04:58,690 --> 00:04:59,830 I mean, this is not good, right?
80 00:04:59,850 --> 00:05:04,960 We don't want to see this as a web developer, but it's giving us the full SQL query.
81 00:05:05,900 --> 00:05:06,170 Right.
82 00:05:06,570 --> 00:05:07,240 I can copy that.
83 00:05:08,360 --> 00:05:11,450 Let's see if we can make sense of it, so we know the SQL injection here.
84 00:05:12,690 --> 00:05:18,270 And what we could do is we can try to figure this out, so: select all columns from a table called
85 00:05:18,270 --> 00:05:25,260 Users where the email address is, we put in a single tick, and the password is some hash.
86 00:05:25,860 --> 00:05:30,810 You know, it's looking for the password and then it's looking for this value, deletedAt
87 00:05:30,810 --> 00:05:31,200 is null.
88 00:05:31,710 --> 00:05:35,670 So if we could just comment out the password and delete that section, we might be able to log in.
89 00:05:37,140 --> 00:05:42,630 Right, because then it's just going to say select star from users where email equals whatever email
90 00:05:42,630 --> 00:05:46,350 just happens to exist, maybe the administrator; then maybe we can just log in that way.
91 00:05:47,070 --> 00:05:47,760 Let's take a look at this.
92 00:05:47,760 --> 00:05:48,990 Hashes, we can Google it.
93 00:05:50,260 --> 00:05:54,330 You can actually see that hash is just the hash of a single tick.
94 00:05:54,780 --> 00:05:55,050 Right.
95 00:05:55,230 --> 00:05:58,880 That's all it is; it's indicative of a single tick.
96 00:05:59,550 --> 00:06:02,100 What we're going to do is we're going to look at the POST request.
97 00:06:02,860 --> 00:06:05,460 You can see the single tick here, and you can see it selected.
98 00:06:05,640 --> 00:06:06,840 This is the code in hex.
99 00:06:07,560 --> 00:06:09,680 And here's the verbose message.
100 00:06:10,290 --> 00:06:17,580 So what we can do is send this to sqlmap, so we could say copy to file.
101 00:06:19,120 --> 00:06:26,260 Well, just name it... just name it injection.sql.
102 00:06:31,330 --> 00:06:32,050 There it is.
103 00:06:33,460 --> 00:06:36,580 All right, so what we can do in the meantime is run sqlmap.
104 00:06:39,790 --> 00:06:46,150 What we want to do is run sqlmap -r request.
105 00:06:48,710 --> 00:06:57,260 Yeah, dash r, our request. Wow, so we can say sudo sqlmap -r injection, and then we'll
106 00:06:57,260 --> 00:06:59,360 do --batch, because...
107 00:07:00,500 --> 00:07:03,000 Never ask for your input; use the default behavior, right?
108 00:07:03,990 --> 00:07:11,010 And then we want the detections to be set to the maximum for the level and the risk, so set to five and
109 00:07:11,010 --> 00:07:12,300 three accordingly.
110 00:07:16,800 --> 00:07:17,490 Let that run.
111 00:07:19,790 --> 00:07:22,200 And in the meantime, what this does...
112 00:07:22,670 --> 00:07:27,260 So here, it's funny, this is a good example of why running tools might not always solve your problem,
113 00:07:28,190 --> 00:07:30,710 because you can see this is the POST parameter.
114 00:07:30,710 --> 00:07:32,630 JSON email does not appear to be dynamic.
115 00:07:33,230 --> 00:07:34,340 It might not be injectable.
116 00:07:34,580 --> 00:07:34,910 Right.
117 00:07:35,240 --> 00:07:38,750 We know it's injectable because we're getting this verbose error, but it's saying this parameter right here
118 00:07:38,780 --> 00:07:39,770 might not be injectable.
119 00:07:40,020 --> 00:07:40,310 All right.
120 00:07:40,310 --> 00:07:40,840 But we know it is.
121 00:07:40,860 --> 00:07:41,640 So what are we going to do?
122 00:07:41,690 --> 00:07:42,560 How are we going to play with this?
123 00:07:42,600 --> 00:07:48,290 Let's send it to Repeater: Ctrl+R, Ctrl+Shift+R, Ctrl+Space to resend.
124 00:07:48,370 --> 00:07:49,700 Let's build out this query.
125 00:07:50,080 --> 00:07:54,650 Let's see if we can just say, like, tick, or one equals one, dash dash.
126 00:07:54,890 --> 00:07:56,180 And that looks like it did something.
127 00:07:56,720 --> 00:07:59,600 I'm now seeing an admin username here.
128 00:08:00,120 --> 00:08:01,390 I mean, something definitely happened.
129 00:08:02,030 --> 00:08:02,990 We got this email.
130 00:08:03,910 --> 00:08:09,050 And we even have a security token now; we just need to basically follow through with this, so...
131 00:08:11,740 --> 00:08:14,290 Let's try this again.
132 00:08:16,770 --> 00:08:19,110 Put the intercept on. Let's log in.
133 00:08:20,500 --> 00:08:24,490 This is the request; we don't want that, we want the POST. Forward.
134 00:08:24,870 --> 00:08:25,580 Here's the POST.
135 00:08:26,900 --> 00:08:35,140 Tick, or one equals one, dash dash, to comment out the password portion. Forward.
136 00:08:36,970 --> 00:08:38,350 That's the, that's the request.
137 00:08:39,750 --> 00:08:43,050 Forward everything else through, and now you can see we are here.
138 00:08:45,120 --> 00:08:49,710 And you log in as admin, so we just got in through SQL injection, we just bypassed authentication,
139 00:08:49,710 --> 00:08:50,880 you can actually see why.
140 00:08:51,740 --> 00:08:57,830 Because this query down here, we basically commented out AND password in this hash, so it's not even
141 00:08:57,830 --> 00:09:03,380 bothering to check for the password; it's just seeing, it's just selecting all columns from users where
142 00:09:03,380 --> 00:09:04,670 the email address is a single tick.
143 00:09:06,550 --> 00:09:10,390 Or one is equal to one. Now, by the way, it didn't have to be one equals one; I could have set
144 00:09:10,390 --> 00:09:15,970 it to any true condition, it could have been [inaudible] equal to [inaudible], but one equals one is usually what
145 00:09:15,970 --> 00:09:20,590 most people use, you know, for the same reason that people use alert in cross-site scripting. And the
146 00:09:20,590 --> 00:09:24,880 way to defend against this is to use parameterization.
147 00:09:25,390 --> 00:09:25,720 Right.
148 00:09:26,750 --> 00:09:31,250 And you can see this is best prevented; SQL injection is best prevented through the use of parameterized
149 00:09:31,250 --> 00:09:37,130 queries, and basically what you're doing is you're preparing the query ahead of time so that SQL knows
150 00:09:37,130 --> 00:09:39,920 that what follows is not executable code.
151 00:09:39,920 --> 00:09:41,240 It's just data.
152 00:09:42,560 --> 00:09:47,600 And this is the appropriate way of protecting an application, and it actually shows you how to do this in
153 00:09:47,600 --> 00:09:48,650 a bunch of different frameworks.
154 00:09:49,240 --> 00:09:49,600 All right.
155 00:09:49,630 --> 00:09:54,320 I encourage you guys to explore SQL injection more. Wherever there's a place where you can insert
156 00:09:54,320 --> 00:09:54,680 data,
157 00:09:55,580 --> 00:10:01,010 that's a place to test. So, for example, this search box might be injectable. You know, search
158 00:10:01,010 --> 00:10:02,570 the network tab inside of your browser,
159 00:10:02,930 --> 00:10:10,400 look at the responses, filter them through Burp, and see if you can get something that looks like it's an
160 00:10:10,400 --> 00:10:13,060 injection, and pay attention to verbose output.
161 00:10:13,430 --> 00:10:16,360 You know, this web application just barfed up all these details.
162 00:10:16,370 --> 00:10:18,530 This should never have been exposed.
163 00:10:19,220 --> 00:10:19,430 Right.
164 00:10:19,470 --> 00:10:21,350 If you're going to have a SQL injection vulnerability,
165 00:10:21,350 --> 00:10:24,290 don't feed the attacker with verbose error messages like this.
166 00:10:24,980 --> 00:10:25,240 Right.
167 00:10:25,250 --> 00:10:28,780 So in the next lecture, we are going to get into broken authentication.
168 00:10:29,450 --> 00:10:31,600 So I will see you in the next lecture.