WEBVTT

00:00.730 --> 00:07.200
sqlmap automates the process of detecting and exploiting SQL injection flaws in websites

00:07.680 --> 00:11.540
and it will allow you to take over the database server.

00:11.610 --> 00:17.550
It comes with a very powerful detection engine with a broad range of switches that range from database

00:17.550 --> 00:24.710
fingerprinting, accessing the underlying file system and executing a lot of commands.

00:24.720 --> 00:32.790
If you open the web browser here and go to Google, just type php?id=.

00:32.830 --> 00:36.360
This is known as the php?id vulnerability.

00:36.460 --> 00:41.240
It will list the set of websites that use this vulnerability here.

00:41.500 --> 00:49.300
They might possibly be vulnerable and possibly not, so I'll take the first website here, which is Contemporary

00:49.690 --> 00:51.840
Romanian writers.

00:51.870 --> 00:55.700
Click on that; as you can see, it uses id=1.

00:55.840 --> 01:03.810
If you want to know if the website is vulnerable, just go to the URL here and add this apostrophe after

01:03.810 --> 01:09.400
the 1. Just press Enter and it will pop up this error message.

01:09.590 --> 01:13.970
You can just copy that, without the apostrophe of course.

01:13.970 --> 01:24.260
Just copy that link and go to your console and issue the sqlmap command. You can use the -h to

01:24.260 --> 01:30.130
get the list of switches that you can use, but I'll go directly into executing the command, so

01:30.140 --> 01:37.910
sqlmap, you can use -u for the URL, just paste that URL here and then space --

01:38.300 --> 01:38.990
dbs.

01:39.020 --> 01:45.160
This command will try to get the list of databases that lie behind this website.

01:45.170 --> 01:54.080
Just press Enter and wait for the magic. As you can see here, the databases available are two: information_

01:54.080 --> 02:00.990
schema and romanian_svs, so we're interested in this romanian_svs here.

02:01.280 --> 02:05.340
The other command we should issue is: remove this dbs.

02:05.420 --> 02:10.290
Just use -D and specify the database,

02:10.430 --> 02:14.150
romanian_svs.

02:14.430 --> 02:23.520
And then use --tables, so --tables will fetch all the tables that are in

02:23.520 --> 02:31.160
the romanian_svs database. Press Enter, and as you can see here,

02:31.190 --> 02:34.970
this is the list of tables in this database.

02:34.970 --> 02:41.900
So we're interested in getting the content or the columns of the table named,

02:41.900 --> 02:47.170
for example, ra_authority.

02:47.420 --> 02:56.330
So add that and then --columns, to display all the columns in the table ra_authority under

02:56.330 --> 02:59.350
the database romanian_svs.

02:59.390 --> 03:00.170
And here we go.

03:00.170 --> 03:04.810
This is the schema design of this table here.

03:04.850 --> 03:11.060
It has like a couple of columns that we can dump to our local computer.

03:11.480 --> 03:17.230
So just get back the previous command and remove this --columns.

03:17.240 --> 03:28.380
Use -C uppercase, and then you can select the column names, like nume, then

03:28.410 --> 03:31.160
a comma.

03:31.160 --> 03:39.520
Those are prenume etc., and then use space --dump.

03:42.230 --> 03:49.400
It's retrieving the content of this table, as you can see on the screen, with all the relevant

03:49.460 --> 03:50.470
information in it.

03:51.990 --> 03:53.040
Pretty impressive, right?

03:53.370 --> 03:56.400
This is the table, the content of the table.

03:57.650 --> 04:04.840
As you can see here, the dump actually is now on our PC.

04:04.880 --> 04:08.530
The dump was downloaded to our computer under this path here.

04:08.630 --> 04:18.800
So if you want to see it, just copy this link and let's try to open a new window here. Just use Leafpad

04:19.180 --> 04:30.310
and paste, press Enter, and there you go. This table doesn't contain like confidential information.

04:30.310 --> 04:37.780
It's just for tutorial reasons, and some of the websites might be vulnerable and you might be interested

04:37.780 --> 04:42.420
in targeting tables that have usernames and passwords.

04:42.490 --> 04:52.780
Some of the vulnerable websites have their passwords hashed, so sqlmap can decrypt these hashes for

04:52.780 --> 04:54.070
you automatically.

04:54.070 --> 04:59.690
Sometimes sqlmap won't be able to crack the password, so you can use other application

04:59.770 --> 05:02.510
tools like John the Ripper to do that.

05:02.530 --> 05:06.500
Let's take another example here. Close again.

05:07.770 --> 05:11.970
Open that here and let's go to this website here.

05:11.990 --> 05:15.130
It's testphp.vulnweb

05:15.140 --> 05:19.140
.com, it's an intentionally vulnerable website by Acunetix.

05:19.170 --> 05:22.460
Just, you might go here, browse categories, posters, et cetera.

05:22.480 --> 05:27.130
You'll be able to see vulnerable URLs as well.

05:27.140 --> 05:28.090
Just copy that.

05:29.570 --> 05:32.660
Open your terminal again.

05:32.660 --> 05:34.110
sqlmap.

05:34.370 --> 05:41.980
-u, paste, --dbs, and the same thing will apply.

05:41.980 --> 05:44.400
This is the acuart database.

05:44.740 --> 05:47.300
You can do the same as we did before.

05:47.470 --> 05:55.420
That was actually the GET vulnerability type of SQL injection. If the website is using the POST method,

05:55.420 --> 05:58.510
you can do some kind of workaround to do the same.

05:58.540 --> 06:04.110
Just make sure to launch the application called Burp Suite that comes with Kali.

06:04.120 --> 06:05.040
Once you click on that.

06:05.950 --> 06:06.960
That's the Burp Suite.

06:06.960 --> 06:11.320
Select a temporary project, then start Burp.

06:11.350 --> 06:12.910
And this is the application.

06:12.910 --> 06:19.260
Now we want to route our traffic from the browser to hit the proxy.

06:19.330 --> 06:29.630
Go to your preferences on just any browser and type network or proxy. You go to the proxy settings and

06:29.630 --> 06:31.340
configure a manual proxy.

06:31.340 --> 06:34.610
In this case it's the localhost, listening on the port.

06:35.750 --> 06:41.920
Just press OK. Now all the traffic will go to the proxy server before it hits the Internet.

06:41.990 --> 06:49.640
Now I'll open, just open any website that can be vulnerable or uses the POST method.

06:49.940 --> 06:53.180
So just go to the same vulnweb website.

06:53.180 --> 06:59.100
Just put any username, any password and press log in.

06:59.480 --> 07:07.610
Now just go again to the Burp Suite, the Proxy, HTTP history, and check the login page.

07:07.610 --> 07:11.710
Just see, this is the POST command.

07:11.740 --> 07:17.980
This is the host, the agent etc. And these are the parameters that were passed, and you have the

07:18.220 --> 07:21.220
username and password.

07:21.220 --> 07:31.200
Just select this all and right click and press copy to file, and name this as sqli

07:31.220 --> 07:37.380
.txt, and save that.

07:37.530 --> 07:45.180
Now go to the terminal as we did before with the GET vulnerability of the SQL injection, and type

07:45.200 --> 07:53.350
sqlmap and then minus or hyphen r, the name of the file, which is sqli

07:53.350 --> 08:06.840
.txt, then press Enter. It will do the same steps and the same techniques it did with the GET,

08:06.840 --> 08:12.090
since now we have the parameters that might be vulnerable.

08:12.090 --> 08:18.450
It will take some time, and if the website is vulnerable it will give out the name of the database, and

08:18.900 --> 08:24.350
you can do the same hacking techniques we did earlier with the get method.
