1
00:00:10,020 --> 00:00:16,290
Let us continue with file upload vulnerability. In the previous two lectures, we saw how to exploit the

2
00:00:16,830 --> 00:00:19,990
vulnerability for the medium and low levels.

3
00:00:20,580 --> 00:00:24,930
In this lecture, we will see how to exploit the vulnerability in the high level.

4
00:00:25,800 --> 00:00:31,060
Now, some applications are secured to the level which we are going to see in this lecture.

5
00:00:31,410 --> 00:00:38,850
So let us test whether we can upload a shell at the high level and how to upload the shell using it.

6
00:00:39,180 --> 00:00:41,010
So you need to do two things.

7
00:00:41,160 --> 00:00:44,570
Start your VirtualBox and log in to Kali Linux.

8
00:00:46,450 --> 00:00:51,310
So I have logged in to my Kali and I will launch Firefox.

9
00:00:55,340 --> 00:00:57,740
Let us head to DVWA.

10
00:01:01,970 --> 00:01:08,600
And make sure that you practice all these things in virtual machines only. These videos are only

11
00:01:08,810 --> 00:01:14,720
for educational purposes, do not make illegal use of this knowledge.

12
00:01:16,120 --> 00:01:25,270
So let us go to DVWA Security and change the security to high, submit, and then go to Upload. Let us try

13
00:01:25,270 --> 00:01:28,380
uploading the .php shell that we had then.

14
00:01:28,390 --> 00:01:34,570
So first, we need to go and change the file name to .php again.

15
00:01:46,810 --> 00:01:51,020
Now, let us try to upload this to see if we can upload it.

16
00:01:51,640 --> 00:01:52,190
There you go.

17
00:01:52,210 --> 00:01:58,090
Your image was not uploaded, and since the security is high, we didn't even get a descriptive error

18
00:01:58,090 --> 00:01:59,280
message there.

19
00:01:59,320 --> 00:02:01,250
Let us try uploading this using Burp Suite.

20
00:02:01,600 --> 00:02:03,370
So go to Burp Suite.

21
00:02:08,830 --> 00:02:12,250
While Burp Suite starts, let's go to Proxy.

22
00:02:14,540 --> 00:02:18,380
There, just like that. OK, let's go to the proxy settings.

23
00:02:30,560 --> 00:02:33,650
Let's go to Preferences, Network Settings.

24
00:02:35,340 --> 00:02:39,650
Select manual proxy, make sure that the box is checked.

25
00:02:41,590 --> 00:02:43,630
OK, now come to Burp Suite.

26
00:02:44,610 --> 00:02:49,290
Go to Proxy, keep Intercept on, go to DVWA.

27
00:02:52,830 --> 00:02:59,200
Click Browse, select the shell, then Open, Upload. Now, in the last lecture

28
00:02:59,580 --> 00:03:06,360
we changed the name to .jpg, so let us check if we can do this.

29
00:03:06,930 --> 00:03:08,700
Click Forward.

30
00:03:10,340 --> 00:03:16,610
Again, our image was not uploaded. Why was this happening? Let us view the source code.

31
00:03:20,440 --> 00:03:21,670
Turn the intercept off.

32
00:03:24,540 --> 00:03:26,920
Let us view the source code.

33
00:03:28,020 --> 00:03:33,720
So now you can see it is checking for extensions, that is,

34
00:03:34,220 --> 00:03:35,110
this is allowed.

35
00:03:35,550 --> 00:03:38,850
It is also checking for content type.

36
00:03:39,880 --> 00:03:50,890
So you can see it is checking for JPG. So in the medium level, in Burp Suite, we just changed the name and it was

37
00:03:50,890 --> 00:03:53,830
just checking if the content is JPG.

38
00:03:54,040 --> 00:03:59,350
But now, if you can see in the code, it is also checking the extension.

39
00:04:00,250 --> 00:04:07,120
Right, so even if we change the name and then transfer, it is not accepted, it is actually checking

40
00:04:07,120 --> 00:04:08,770
the extension of the file.

41
00:04:09,010 --> 00:04:09,940
So now what to do?

42
00:04:10,370 --> 00:04:12,540
Well, I have one solution for this.

43
00:04:12,940 --> 00:04:14,440
Let us see if this works.

44
00:04:16,530 --> 00:04:22,320
Intercept on in Burp Suite, let us try to upload the same shell again.

45
00:04:23,540 --> 00:04:29,630
And in here, what I will do is I will just change the name to shell1.php.jpg.

46
00:04:31,070 --> 00:04:36,560
Dot PHP, dot JPG, and let us see what happens.

47
00:04:37,070 --> 00:04:45,590
So after doing this, the server will think that, OK, it is a .jpg extension, but whenever there

48
00:04:45,590 --> 00:04:50,530
are two extensions in line, the extension which is first is considered.

49
00:04:51,080 --> 00:04:58,340
So for the validation purposes, it will think that, OK, it is a .jpg extension, but when the actual

50
00:04:58,340 --> 00:05:05,480
file gets uploaded, it will get uploaded as a .php file. So let us just click Forward and there you

51
00:05:05,480 --> 00:05:05,810
go.

52
00:05:06,320 --> 00:05:09,440
Our shell was successfully uploaded.

53
00:05:12,580 --> 00:05:18,220
Now, let us check if shell1 was uploaded. Again, I changed the name just for this lecture; you

54
00:05:18,220 --> 00:05:23,710
can keep the name the same if you want, but it is better to distinguish between the names so that you

55
00:05:23,710 --> 00:05:25,150
don't get confused.

56
00:05:25,180 --> 00:05:25,940
So let's see.

57
00:05:26,260 --> 00:05:27,180
And there you go.

58
00:05:27,190 --> 00:05:30,340
It is blank, which means you have successfully uploaded the shell.

59
00:05:31,440 --> 00:05:34,500
Turn off the intercept and let us go to the terminal.

60
00:05:36,020 --> 00:05:38,540
And then we will connect with weevely.

61
00:05:40,730 --> 00:05:43,760
We will copy this URL.

62
00:05:45,010 --> 00:05:46,330
Let's go to our

63
00:05:48,100 --> 00:05:49,570
terminal and then paste.

64
00:05:50,710 --> 00:05:55,090
shell1.php.jpg, and then followed by the password.

65
00:05:56,610 --> 00:05:57,210
There you go.

66
00:05:57,240 --> 00:06:04,190
We have successfully connected to the web shell. Let us see if we can execute commands. There you go, shell

67
00:06:04,350 --> 00:06:04,960
one is there.

68
00:06:05,010 --> 00:06:12,390
So our original file, shell.php, which was uploaded in the last lecture, is also present

69
00:06:12,390 --> 00:06:14,880
here, and the new one is also present.

70
00:06:15,120 --> 00:06:16,950
Now, why did I change the name here?

71
00:06:17,130 --> 00:06:22,320
Because it may get overwritten on the server, and that is why I actually changed the name.

72
00:06:22,650 --> 00:06:31,800
So you can see, this is how you can also try to intercept and exploit the high level of the vulnerability.

73
00:06:32,130 --> 00:06:38,910
Now, most of the applications implement the impossible level of the vulnerability, which means they

74
00:06:38,940 --> 00:06:43,800
check the content, extension, and so on, all those things.

75
00:06:44,100 --> 00:06:50,640
So it totally depends upon how the application is implementing or deploying this type of file upload.

76
00:06:51,000 --> 00:06:57,660
But in most of the cases, if you are a keen security researcher, you can get some websites where the

77
00:06:57,660 --> 00:07:05,310
high level is also exploitable, but do not use the web shell or do not use this for illegal or malicious

78
00:07:05,310 --> 00:07:07,290
purposes, as you

79
00:07:07,430 --> 00:07:11,010
can always get traced back by security experts.

80
00:07:11,460 --> 00:07:16,910
So this is how we actually exploited the file upload vulnerability at the high level.

81
00:07:17,160 --> 00:07:24,580
I hope now you have got an idea of what a file upload vulnerability is and how dangerous vulnerabilities

82
00:07:24,870 --> 00:07:33,390
can be. In the next lecture, we will start with the most important and the most related topic of application

83
00:07:33,540 --> 00:07:34,530
penetration testing.

84
00:07:34,530 --> 00:07:36,390
That is SQL injection.

85
00:07:36,810 --> 00:07:39,030
I hope you're excited for the next video.

86
00:07:39,270 --> 00:07:42,450
So let us get started with the next video again.

87
00:07:42,450 --> 00:07:49,560
If you have any doubts, please feel free to ask us and we will try and answer them within 48 hours.

88
00:07:49,950 --> 00:07:56,940
Also, if you are really enjoying this course, do not forget to rate the course, as this will also help

89
00:07:56,940 --> 00:08:02,940
other students and it will also help instructors to know if you are really enjoying the videos.

90
00:08:02,940 --> 00:08:07,110
And please do not forget to write the review for this course.

91
00:08:07,290 --> 00:08:09,030
I will see you in the next lecture.
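The high-level check the lecture reads in the DVWA source looks at the extension and the content type, and the upload gets through because the name shell1.php.jpg satisfies both. The Python below is an added example, not part of this lecture and not DVWA's own code: it puts the weak "last extension only" pattern beside a hardened validator that rejects any name with more than one extension, requires the declared Content-Type and the file's leading bytes to agree, and assigns a server-chosen storage name, plus a small detection helper for scanning upload names. The policy sets, the function names and the sample JPEG/PHP bytes are constructed for the example.

```python
import os
import re
import secrets

# Constructed policy for this example (not DVWA's own configuration).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}
EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php3", "php5"}
MAGIC_BYTES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
EXPECTED_CONTENT_TYPE = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png"}
SAFE_BASENAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def last_extension_only(filename: str) -> bool:
    """Weak check of the kind defeated in the lecture: only the text after
    the LAST dot is examined, so 'shell1.php.jpg' looks like a JPEG."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def hardened_check(filename: str, declared_type: str, head: bytes):
    """Validate an upload and return (accepted, reason, stored_name).

    - strips any directory part the client sent
    - requires exactly one extension, so double extensions are rejected outright
    - requires the declared Content-Type and the leading bytes to agree with it
    - returns a server-chosen random storage name, so the client never picks
      the name written to disk."""
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.split(".")
    if len(parts) != 2:
        return False, "filename must be <base>.<ext> with exactly one dot", None
    base, ext = parts[0], parts[1].lower()
    if not SAFE_BASENAME.fullmatch(base):
        return False, "base name contains disallowed characters", None
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} is not allowed", None
    if declared_type != EXPECTED_CONTENT_TYPE[ext]:
        return False, "declared Content-Type does not match the extension", None
    if not head.startswith(MAGIC_BYTES[ext]):
        return False, "file content does not start with the expected image header", None
    stored_name = secrets.token_hex(16) + "." + ext
    return True, "ok", stored_name


def flag_embedded_executable_extensions(filenames):
    """Detection helper for upload logs: report names in which ANY segment
    after the base name is an executable extension, e.g. 'x.php.jpg'."""
    flagged = []
    for name in filenames:
        segments = name.lower().split(".")[1:]
        if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
            flagged.append(name)
    return flagged


# Constructed sample inputs: a JPEG header and a PHP file body.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
PHP_HEAD = b"<?php echo 'constructed sample'; ?>"

if __name__ == "__main__":
    print(last_extension_only("shell1.php.jpg"))                    # True: weak check passes
    print(hardened_check("shell1.php.jpg", "image/jpeg", PHP_HEAD))  # rejected: two extensions
    print(hardened_check("shell1.jpg", "image/jpeg", PHP_HEAD))      # rejected: not a JPEG
    print(hardened_check("photo.jpg", "image/jpeg", JPEG_HEAD))      # accepted, random name
    print(flag_embedded_executable_extensions(["photo.jpg", "shell1.php.jpg", "notes.txt"]))
```

The single-extension rule is what removes the trick shown in the lecture: there is no second extension left for the web server to interpret. The header check alone would not be enough, since an image can carry PHP after a valid JPEG header, so the random server-side name and an upload directory with script execution disabled are the layers that make the stored file harmless even if a check is wrong.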