1 00:00:10,290 --> 00:00:16,200 Let us start with a brand new topic, file upload vulnerability. In the last lecture,
2 00:00:16,270 --> 00:00:20,730 these were command injection and setting up and configuration of Burp.
3 00:00:21,690 --> 00:00:28,290 So what are file upload vulnerabilities? Uploaded files represent a significant risk to applications.
4 00:00:28,890 --> 00:00:33,830 The first step in many attacks is to get some code to the system to be attacked.
5 00:00:34,650 --> 00:00:42,960 Then the attacker only needs to find a way to get the code executed. Using a file upload vulnerability
6 00:00:43,170 --> 00:00:48,560 helps the attacker accomplish the first step, that is, getting inside the system.
7 00:00:51,330 --> 00:00:58,740 The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded
8 00:00:58,740 --> 00:01:06,030 file system or database, forwarding attacks to backend systems, client-side attacks or simple defacement
9 00:01:06,030 --> 00:01:06,670 of the website.
10 00:01:07,830 --> 00:01:14,520 It depends on what the application does with the uploaded file and especially where it is stored.
11 00:01:16,280 --> 00:01:18,500 There are really two classes of problems here.
12 00:01:18,980 --> 00:01:25,430 The first is with the file metadata, like the path and the file name, and the other part of the problem
13 00:01:25,430 --> 00:01:27,280 is with the size or content.
14 00:01:28,880 --> 00:01:32,390 Now, what is the risk of uploading a dangerous, malicious file?
15 00:01:33,540 --> 00:01:40,260 The impact of this vulnerability is high: supposed code can be executed in the server context or on the
16 00:01:40,260 --> 00:01:47,040 client side. The likelihood of detection for the attacker is high and the prevalence is common. As a
17 00:01:47,040 --> 00:01:48,960 result, the severity is high.
18 00:01:50,190 --> 00:01:56,730 It is important to check file upload modules' access controls to examine the risks properly.
19 00:01:57,900 --> 00:02:03,960 The web server can be compromised by uploading and executing a web shell which can run commands, browse
20 00:02:03,960 --> 00:02:10,350 the system files, browse local resources, attack other servers or exploit the local vulnerabilities and
21 00:02:10,350 --> 00:02:10,850 so forth.
22 00:02:11,580 --> 00:02:15,570 We are going to see this type of attack in the next couple of minutes.
23 00:02:16,620 --> 00:02:20,850 File upload vulnerability can also result in client-side attacks.
24 00:02:21,240 --> 00:02:29,010 For example, uploading malicious files can make the website vulnerable to client-side attacks such as XSS
25 00:02:29,010 --> 00:02:31,050 or cross-site scripting hijacking.
26 00:02:32,380 --> 00:02:39,010 Uploaded files can be abused to exploit other vulnerable sections of an application when a file on the
27 00:02:39,010 --> 00:02:41,070 same or trusted server is needed.
28 00:02:42,300 --> 00:02:49,410 Also, uploaded files might trigger vulnerabilities in broken libraries or applications on the client
29 00:02:49,410 --> 00:02:58,410 side. A malicious file such as a Unix shell script, a Windows virus, an Excel file with a dangerous
30 00:02:58,410 --> 00:03:05,610 formula or a reverse shell can be uploaded on the server in order to execute code by an administrator
31 00:03:05,610 --> 00:03:06,600 or a webmaster.
32 00:03:07,620 --> 00:03:12,390 An attacker might be able to put a phishing page into the website or deface the website.
33 00:03:13,430 --> 00:03:20,090 The file storage server might be abused to host troublesome files, including malware, illegal software
34 00:03:20,300 --> 00:03:23,370 or other contents. File upload
35 00:03:23,370 --> 00:03:29,300 modules may disclose internal information such as server internal paths in their error messages.
36 00:03:30,080 --> 00:03:34,820 So this is one of the major impacts of file upload vulnerabilities.
37 00:03:35,180 --> 00:03:39,220 And now let us see how to upload a malicious file on the server.
38 00:03:40,250 --> 00:03:46,220 Again, we're telling that these tutorials are just for educational purposes, so as to tell you
39 00:03:46,220 --> 00:03:52,010 how these vulnerabilities work and how you should work in order to protect against them, but do not use these
40 00:03:52,010 --> 00:03:55,600 attacks on any random websites, as you can get compromised.
41 00:03:56,210 --> 00:04:01,690 So keep your Kali machine on as well as the Damn Vulnerable Web Application on.
42 00:04:02,270 --> 00:04:03,760 So let us get started.
43 00:04:06,920 --> 00:04:13,450 So as you can see right now, I am on my Kali machine and the first thing that I need to do is start
44 00:04:13,460 --> 00:04:19,460 Firefox. For this practical, we do not need the Burp Suite because we are going to exploit the file
45 00:04:19,460 --> 00:04:25,430 upload vulnerability at a low level. Just launch the Damn Vulnerable Web Application.
46 00:04:35,830 --> 00:04:39,730 Go to the security tab and just select the security to low.
47 00:04:40,690 --> 00:04:46,720 Then go to upload, and there you go, you have to upload an image. Now, let us choose an image to
48 00:04:46,720 --> 00:04:47,350 download.
49 00:04:53,980 --> 00:04:59,050 Let us see if we can upload that image into the shell and what result we get.
50 00:05:00,890 --> 00:05:04,310 So what I will do is I will download this image.
51 00:05:07,860 --> 00:05:14,070 And now I will go to Browse and again, see, the image which I have downloaded will
52 00:05:14,070 --> 00:05:15,570 appear in the Downloads tab.
53 00:05:18,550 --> 00:05:26,100 And click open and then upload. You can successfully upload and check the path where it was uploaded;
54 00:05:26,470 --> 00:05:27,580 you just copy
55 00:05:28,560 --> 00:05:29,310 the path.
56 00:05:30,640 --> 00:05:37,270 Copy and go to DVWA slash, paste it there and then hit enter.
57 00:05:37,540 --> 00:05:39,980 You can see our image has been uploaded here.
58 00:05:40,570 --> 00:05:43,450 Now what we need to do is we need to upload
59 00:05:44,620 --> 00:05:52,930 a different PHP shell. Let us see if we can get access to the web server by uploading the PHP shell.
60 00:05:54,310 --> 00:06:03,790 So now, in order to create a PHP shell, we will use an application known as weevely, so
61 00:06:03,790 --> 00:06:09,630 using weevely we can create a remote shell and then upload that PHP shell to the website.
62 00:06:09,640 --> 00:06:11,350 So just type weevely
63 00:06:13,340 --> 00:06:15,740 followed by generate,
64 00:06:17,980 --> 00:06:23,920 then the password to that shell, I will give one, two, three, four, five, six, and the name of
65 00:06:23,920 --> 00:06:26,350 the shell, I will give shell
66 00:06:27,840 --> 00:06:30,120 demo dot
67 00:06:32,970 --> 00:06:36,420 php, and then hit Enter.
68 00:06:36,810 --> 00:06:43,020 You can see it has generated shell_demo with password one, two, three, four, five, six, a 680
69 00:06:43,020 --> 00:06:43,680 byte file.
70 00:06:44,250 --> 00:06:45,190 Now, very well.
71 00:06:45,870 --> 00:06:46,890 Let us go here.
72 00:06:48,890 --> 00:06:52,900 And you can see shell_demo.php stored here now.
73 00:06:52,980 --> 00:06:56,420 We want to upload this shell to the DVWA.
74 00:06:57,620 --> 00:07:03,570 You can see "choose an image to upload"; let us see if we can upload the PHP file.
75 00:07:03,590 --> 00:07:04,550 Just click browse.
76 00:07:06,510 --> 00:07:11,070 Go to home and you can see shell_demo.php, and then hit open
77 00:07:12,670 --> 00:07:16,780 and upload. You can see it has been successfully uploaded.
78 00:07:16,990 --> 00:07:18,360 Now, why did this happen?
79 00:07:18,970 --> 00:07:24,940 This happened because there was no server-side checking or client-side checking whether the content that
80 00:07:24,940 --> 00:07:28,630 is being uploaded is a PHP or a JPG.
81 00:07:29,020 --> 00:07:34,540 This is a failure of client-side validation; the security is low.
82 00:07:35,080 --> 00:07:36,280 The shell got uploaded.
83 00:07:36,430 --> 00:07:38,810 Now let's see if it got successfully uploaded.
84 00:07:39,160 --> 00:07:40,420 Just copy the path.
85 00:07:42,630 --> 00:07:45,540 Again, paste it after DVWA.
86 00:07:47,950 --> 00:07:52,130 And hit enter. It's a blank page, so the shell got uploaded.
87 00:07:52,540 --> 00:07:57,830 Now we will connect to the shell through the application weevely. Just type weevely,
88 00:08:00,490 --> 00:08:05,460 go to your browser, copy this website, this URL
89 00:08:05,510 --> 00:08:11,500 where we have uploaded the shell, so copy, come to your terminal, paste,
90 00:08:12,830 --> 00:08:18,800 and then type the password, that is one, two, three, four, five, six, and then hit enter.
91 00:08:19,430 --> 00:08:25,040 You can see we have successfully connected to the server; a session has been generated.
92 00:08:25,280 --> 00:08:32,120 And now let us see if we can list out the commands using the ls command or the present working
93 00:08:32,120 --> 00:08:32,660 directory.
94 00:08:33,170 --> 00:08:36,200 So I'll execute ls and see what I can get.
95 00:08:36,620 --> 00:08:37,290 Voila.
96 00:08:37,400 --> 00:08:40,010 You can see cybersecurity
97 00:08:40,030 --> 00:08:43,900 iStock photo, the photo which we had uploaded a couple of minutes ago.
98 00:08:44,270 --> 00:08:47,270 We can see our picture is also uploaded.
99 00:08:47,540 --> 00:08:54,310 shell_demo.php, which means we have successfully compromised the DVWA server.
100 00:08:54,860 --> 00:09:02,600 If you write :help here, you can see these are all the commands that you can execute using
101 00:09:02,600 --> 00:09:10,010 weevely: you can initiate TCP port scans, you can execute shell commands, execute commands with super user,
102 00:09:10,310 --> 00:09:18,570 execute PHP commands, compress or expand archives, copy single files, compress or expand zip files
103 00:09:18,620 --> 00:09:19,540 and everything.
104 00:09:19,940 --> 00:09:26,720 Which means if there is no validation on the server while uploading a file, it can help us to compromise
105 00:09:26,720 --> 00:09:28,650 the server entirely.
106 00:09:29,300 --> 00:09:34,550 Now, this was pretty simple because the security level was set to low. In the next lecture,
107 00:09:34,820 --> 00:09:41,540 you will see, even if we set the security level to medium, how we can upload a PHP file.
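As an added example (not code from the lecture or from DVWA), this is the kind of server-side check whose absence at the low security level let shell_demo.php through: it validates the path, every extension in the name, the file's own signature bytes and the size, and ignores the browser-supplied Content-Type because the uploader controls it. The function and constant names, the size limit and the sample inputs are my own.

```python
import os
import secrets
from dataclasses import dataclass

# Image signatures used to check the content, not just the file name.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXTS = ("php", "phtml", "phar")
MAX_BYTES = 2 * 1024 * 1024  # hypothetical limit for this example

# Constructed sample inputs (not real files from the lecture).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32
PHP_SAMPLE = b"<?php /* constructed placeholder, not a shell */ ?>"


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(filename: str, content: bytes, client_type: str) -> Verdict:
    """Decide server-side whether an upload may be stored.

    client_type is the browser-supplied Content-Type; it is never trusted
    and only appears in the rejection reason for the log."""
    base = os.path.basename(filename)
    if base != filename or ".." in base or "\x00" in base:
        return Verdict(False, "path characters in file name")
    if len(content) > MAX_BYTES:
        return Verdict(False, "file too large")
    # Look at every extension so shell_demo.php.jpg is rejected too.
    parts = base.lower().split(".")
    if len(parts) < 2 or any(p in SCRIPT_EXTS for p in parts[1:]):
        return Verdict(False, f"disallowed extension in {base!r}")
    ext = parts[-1]
    if ext not in MAGIC:
        return Verdict(False, f"extension {ext!r} not in allowlist")
    if not any(content.startswith(sig) for sig in MAGIC[ext]):
        return Verdict(False, f"content is not {ext} (client claimed {client_type})")
    # Store under a random server-chosen name with the checked extension.
    return Verdict(True, "ok", f"{secrets.token_hex(8)}.{ext}")
```

A signature check alone does not stop an image that also carries PHP, so the accepted file should still be written to a directory from which the web server does not execute scripts.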