1
00:00:10,120 --> 00:00:14,530
So let us continue with command execution on that vulnerable web application.

2
00:00:15,760 --> 00:00:24,610
In the last lecture, we saw how to exploit the command execution on low-level security, but not every

3
00:00:24,610 --> 00:00:27,910
application has deployed that level of security.

4
00:00:28,310 --> 00:00:33,040
Generally, the applications are not secure, or have a slightly higher, medium security level.

5
00:00:33,670 --> 00:00:40,240
So in this lecture, we will see how to exploit the command execution vulnerability on DVWA, on

6
00:00:40,240 --> 00:00:43,890
the vulnerable application, but with a medium security level.

7
00:00:44,470 --> 00:00:51,890
So there are two things: start your Kali Linux machine, log in, and then also start your DVWA

8
00:00:51,910 --> 00:00:52,560
application.

9
00:00:52,930 --> 00:00:54,680
So let us get started.

10
00:00:55,540 --> 00:00:58,480
So now you can see that I have logged into my account.

11
00:00:58,870 --> 00:01:03,460
You have to go to Applications and then go to Firefox.

12
00:01:06,470 --> 00:01:13,040
There, in the address bar, you have to type the IP address of your machine; in my case, the IP address is

13
00:01:13,040 --> 00:01:15,920
10.2.1.6.

14
00:01:16,580 --> 00:01:23,000
And you can see I have logged into my DVWA with the default username and password.

15
00:01:26,630 --> 00:01:33,020
In this lecture, we're going to explore the command injection at a medium security, so set the security

16
00:01:33,020 --> 00:01:36,320
level to medium and then go to Command Execution.

17
00:01:36,920 --> 00:01:38,370
Let us see if it is working.

18
00:01:38,600 --> 00:01:41,870
So just type in the IP address.

19
00:01:46,560 --> 00:01:47,400
So just submit.

20
00:01:50,250 --> 00:01:51,530
And yes, it is working.

21
00:01:52,110 --> 00:01:57,180
Now, let us try to exploit this vulnerability with the method that we have seen in the previous lecture.
22
00:01:58,880 --> 00:02:00,290
Let's see if that works.

23
00:02:03,170 --> 00:02:05,970
We didn't get the ls output.

24
00:02:06,410 --> 00:02:11,660
We didn't execute the ls command, which means that this application is secure.

25
00:02:12,380 --> 00:02:17,150
So now what to do, how to execute the command and how to exploit this vulnerability?

26
00:02:17,540 --> 00:02:20,750
Well, there is one way in which you can.

27
00:02:21,730 --> 00:02:25,060
It's a small trick; just head on to the terminal.

28
00:02:26,700 --> 00:02:32,040
And there I will show you how you can exploit the vulnerability; just type ls.

29
00:02:34,420 --> 00:02:40,770
And you can see these are the applications after typing the ls command. Now, you want to do a cd.

30
00:02:41,200 --> 00:02:43,630
So just type ls.

31
00:02:45,600 --> 00:02:53,610
ls and space, then type pipe, so this is a bar, and then type cd Desktop.

32
00:02:58,080 --> 00:03:01,590
Before hitting enter, now let us guess the result.

33
00:03:02,070 --> 00:03:05,600
I think it will first again show the application.

34
00:03:05,640 --> 00:03:11,610
It will first execute the command and then after it will go to the Desktop; let us see what we

35
00:03:11,610 --> 00:03:12,330
get. Hit

36
00:03:12,330 --> 00:03:12,720
Enter.

37
00:03:13,710 --> 00:03:14,350
Oh, my God.

38
00:03:14,370 --> 00:03:15,960
We didn't get anything before.

39
00:03:16,860 --> 00:03:25,700
Now let us see where else, so let us check where we are: type pwd.

40
00:03:28,010 --> 00:03:29,060
And then hit enter.

41
00:03:30,730 --> 00:03:39,840
So you are again in the home, that is kali, which means that the ls command didn't get executed.

42
00:03:40,210 --> 00:03:40,610
Right.

43
00:03:40,660 --> 00:03:45,310
So whatever comes after the bar, we can execute that command.

44
00:03:45,940 --> 00:03:47,830
Right now, it has got executed.
45
00:03:48,370 --> 00:03:52,630
So what if we apply this same trick in that input?

46
00:03:52,630 --> 00:03:53,990
Well, let us check.

47
00:03:56,710 --> 00:04:01,210
So the IP address, just type the IP address.

48
00:04:06,930 --> 00:04:09,540
So just type the IP address here.

49
00:04:11,260 --> 00:04:12,640
Space, bar.

50
00:04:13,620 --> 00:04:16,430
And then type the command pwd.

51
00:04:17,840 --> 00:04:19,480
Let us see if this works.

52
00:04:22,350 --> 00:04:27,930
Voilà, we have successfully exploited this vulnerability, and you can see that the first command,

53
00:04:27,930 --> 00:04:34,920
which was before the bar, did not get executed; here there is another command, ls.

54
00:04:36,000 --> 00:04:44,020
Again, it got executed, so this was one trick of exploiting command injection, command execution.

55
00:04:44,370 --> 00:04:50,850
Now, again, there are many websites which ask for input, but, you know, they are more secure now.

56
00:04:50,880 --> 00:04:56,420
There is a command which we have seen in Kali Linux, the command touch, which is used to create a file.

57
00:04:56,790 --> 00:04:58,670
So let's see if this gets executed.

58
00:04:58,680 --> 00:05:01,310
And right now, we didn't get any output.

59
00:05:01,320 --> 00:05:08,290
So just enter, and let's see, ls command to check the output, and we should see our text file created.

60
00:05:08,700 --> 00:05:09,360
There we go.

61
00:05:09,390 --> 00:05:11,010
We have abc.txt.

62
00:05:11,820 --> 00:05:20,850
So the conclusion of this lecture is whatever you type after the bar command gets executed and the command

63
00:05:21,150 --> 00:05:23,440
that is before the bar gets hidden.

64
00:05:24,120 --> 00:05:25,950
But why, like this?

65
00:05:27,130 --> 00:05:33,820
Now, when you enter that command, that is the IP address, space, bar and space, then the next command,

66
00:05:34,600 --> 00:05:37,490
what does the input validation do?
67
00:05:37,630 --> 00:05:39,340
It sees the IP address.

68
00:05:39,730 --> 00:05:41,900
It sees space, and that's it.

69
00:05:41,920 --> 00:05:46,940
It thinks that there might be nothing after that space.

70
00:05:47,230 --> 00:05:49,720
So it validates and sends a request to the server.

71
00:05:50,080 --> 00:05:53,830
Now, that is again a problem of server-side validation here.

72
00:05:54,070 --> 00:05:59,670
The server is investigating whether there is any other input present after the IP address.

73
00:06:00,370 --> 00:06:05,580
This is a fault of server-side validation as well as client-side validation.

74
00:06:06,250 --> 00:06:11,950
So this is how we exploited the command execution vulnerability at a medium level security.

75
00:06:12,700 --> 00:06:19,580
So you have to follow these principles or these rules when you are trying to check the command execution

76
00:06:19,580 --> 00:06:23,290
vulnerability while testing any application.

77
00:06:24,480 --> 00:06:32,070
Now, again, these commands or these tricks won't work every time; you have to research on your own to

78
00:06:32,070 --> 00:06:37,890
find more advanced commands on how to hide commands or how to execute different commands. It is your

79
00:06:37,890 --> 00:06:42,960
job to find everything and read more about advanced commands.

80
00:06:43,380 --> 00:06:45,500
I will see you in the next lecture.
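The lecture's closing point is that the medium-level check looks at the IP address and stops, so a pipe and a second command ride through to the shell. The following Python is an added example, not code from the lecture or from DVWA: it models a deny-list filter of the kind the lecture observed (the `&&` separator from the previous lecture is removed, `|` is not; the exact DENY_LIST is an assumption), shows the command string such a filter hands to the shell, and contrasts it with allow-list validation using the standard-library `ipaddress` module plus an argument list passed to `subprocess` with no shell. The address 10.2.1.6 is the one the lecture types in; the separator list in `shell_separators_present` is a constructed detection aid.

```python
import ipaddress
import subprocess
from typing import List, Optional

# Assumed deny-list, modelled on the lecture's observation: "&&" is blocked,
# the pipe character is not. This is an illustration, not DVWA's own filter.
DENY_LIST = ("&&", ";")


def weak_filter(user_input: str) -> str:
    """Strip a few known separators from the input and return whatever is left."""
    cleaned = user_input
    for token in DENY_LIST:
        cleaned = cleaned.replace(token, "")
    return cleaned


def build_shell_command_weak(user_input: str) -> str:
    """The string a `ping -c 3 <input>` built by concatenation would hand to /bin/sh.

    Nothing here checks that the input is only an address, which is the fault the
    lecture describes: the text after the space is never looked at.
    """
    return "ping -c 3 " + weak_filter(user_input)


def shell_separators_present(command: str) -> List[str]:
    """Report which shell separators survive in the final command string.

    Useful as a log-review or unit-test check: a command built from a single IP
    address should never contain any of these.
    """
    return [sep for sep in ("|", "||", "&&", ";", "`", "$(") if sep in command]


def validate_ip(user_input: str) -> Optional[str]:
    """Allow-list validation: accept only a syntactically valid IPv4/IPv6 address.

    Surrounding whitespace is tolerated; anything else after the address (a pipe,
    a second command) makes the parse fail and the input is rejected outright.
    """
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def build_argv_safe(user_input: str) -> Optional[List[str]]:
    """Build an argument vector for ping, or None if the input is not a bare address."""
    ip = validate_ip(user_input)
    if ip is None:
        return None
    # An argv list is executed directly; no shell ever parses the user's text.
    return ["ping", "-c", "3", ip]


def run_ping_safe(user_input: str) -> Optional[subprocess.CompletedProcess]:
    """Run ping for a validated address without invoking a shell; None if rejected."""
    argv = build_argv_safe(user_input)
    if argv is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for sample in ("10.2.1.6", "10.2.1.6 && ls", "10.2.1.6 | pwd"):
        weak = build_shell_command_weak(sample)
        print(f"{sample!r:22} weak -> {weak!r:30} separators left: {shell_separators_present(weak)}")
        print(f"{'':22} safe -> {build_argv_safe(sample)}")
```

The weak path shows why removing a few separators is not validation: the pipe survives and the shell happily runs the second command. The safe path never lets the shell see the text at all, and `shell_separators_present` gives a cheap assertion to drop into tests or log review for any command string built from user input.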