00:00:10,460 --> 00:01:44,890
Let us start exploiting the cross-site scripting vulnerability in the machine. In the previous two lectures we saw the theoretical explanation of cross-site scripting, and we also saw the working of cross-site scripting. But to understand the working, we also need to understand how XSS works, and therefore we started the practicals of XSS. We have already seen how to install the Damn Vulnerable Web Application (DVWA) in the Kali Linux penetration testing lab setup. So for these lectures and for the remaining lectures, we will use the DVWA which is installed in Kali Linux. You won't be needing the Metasploitable virtual machine. So let us log in to our Kali machine. As you can see right now on my screen, first, to launch the DVWA, we should open the terminal and start the services, so just type sudo service apache2 start. Enter the password. Then type sudo service mysql start. If you do not start these services, you won't be able to run the DVWA on your local machine. Hit enter. And that's it. Now close it, minimize the terminal. Go to your browser. It is Firefox.
00:01:48,940 --> 00:03:38,100
And then in the URL, we have seen how to start the DVWA, that is 127.0.0.1/dvwa. Then hit enter and log in with the default username and password, that is admin and password. Now, you can see this is different than the vulnerable Metasploitable machine, so here there are other features like Insecure CAPTCHA, Command Injection, etc. So first go to DVWA Security and set the security to low, because in this lecture we are going to see the working of XSS. So just go to XSS (Stored). We'll be exploiting the stored one, and really you can try it on anything. So before doing anything, clear the guestbook so that it becomes really handy. Now you can see on the screen that it is asking for name and message. Let's first put Mark as a name and just put hello in the message. Let us see how it is getting reflected. We can see the characters as they are. Now, since I'm a security expert, I will try to input some different characters. I will just enter, let's say, brackets, and in the message I will enter hello. Well, the brackets are there as they are, so right now let us try to insert an HTML injection, so just insert <b>, then type Mark and then close the b tag.
00:03:40,450 --> 00:05:21,190
Now, you might not be able to close the tag because, as you can see, it is not allowing us to. So just right-click the name and click Inspect Element. You can go to the name tag, just click there, and you can see the maxlength is ten, therefore it is only allowing 10 characters. Change it to, let's say, one hundred, close the inspector, and now close the b tag. And in the message type something, hello. Just click Sign Guestbook. There you go. We can see that Mark is bold, which means that the name input is accepting the HTML script. Now, since it accepted HTML, I might guess that it will accept my JavaScript also, but that was in the name tag. I want to see whether it is accepting the script in the message. So in name just type Mark and now type bold in the message. So <b> and type some message of your choice. Let's just say hello, you are hacked. And then I will see whether the injection is working or not. And then I will just sign the guestbook. There you go. It is also accepting the HTML injection in the message. So just type Mark in the name, and now it's time to exploit the vulnerability, that is XSS. So write script.
00:05:27,520 --> 00:06:55,480
Now, if you do not know how JavaScript works, you have to learn the fundamentals of JavaScript, because in this lecture, in this whole course, we are not currently going to teach the JavaScript fundamentals. You should have just a basic knowledge of what a script tag is. So this is how you write a script. And let me tell you that this is the most basic script which is used to test XSS, and it is also used by many penetration testers as well. So just click Sign Guestbook. There you go. We can see on the screen that we have got 1, which means it is injectable to XSS, so let us try to find out, to get the cookie. So in the name type Mark, and in the message, the best way to find out a cookie is to get it through alerts, so just type alert, open bracket, document.cookie, everything should be lowercase, document dot cookie. Close the bracket and also close the script tag. We should get the session ID here. Just click Sign Guestbook, there you go. We have got the session ID and the security level also. Yes, click OK. So now, if we are able to get the session ID, getting a session ID is one of the most important hacks a hacker could do, because with it you can impersonate, and you can tell a server that you are actually Mark.
00:06:55,740 --> 00:08:36,400
So whenever you try to log in and let's say you forgot the password, you click Forgot Password and then you use Burp, so you can replace your cookie with this cookie, and therefore the server revalidates that, OK, this cookie is valid and so are you. So this is important. Now I do not clear the guestbook. I will show you what the example of stored XSS is. So again, just type the name Mark, and in the message type alert, you are hacked. Script, alert, you are hacked. Right, you are hacked. Now you might get the stored XSS. Before clicking sign, let us guess. I'm guessing that I will get your message; let us see what we get. Click Sign Guestbook. We got the session ID, let's click OK. And then we got "you are hacked". I will tell you why. The first message in the comment box is the Mark one. And the first time we got the session, and the second time we inputted our message. We were also told "you are hacked". The first script, of the session ID, got already stored on the database, and whenever I again tried to inject some script, it showed me the first result and the second result as well. So this is how stored cross-site scripting works. Basically, it stores the script permanently on the database.
00:08:36,690 --> 00:09:56,690
Now suppose, let's say, a customer just tries to go in, and there he enters some script, and let's say he does something, one, two, three. And whenever he does that, he will also get all the results. Let's see that. Now, let's say he or she is entering something. Let's enter the name customer and let's type hello. Just type hello and click Sign Guestbook. There you go, again we got the session ID, then "you are hacked", and then he got his message. So this is how stored XSS works; basically it stores the scripts on the database server. From this, you might have got an idea that if such a vulnerability is exploited or it is identified by the hacker, he can take benefit by injecting malicious scripts, and he can get the entire credentials of the database. So this is how XSS works. And we also saw what stored cross-site scripting is, whereas in the case of reflected cross-site scripting, it just reflects the message. And there you go. It does not get stored. So this is how it works in the case of reflected, because you have got "Hello Mark", that's it. It doesn't get stored. Let's take another name there. Let's type <b>Mark</b>.
00:09:57,680 --> 00:11:06,240
Let's see if that works. Yes, it got bolder. So did we see the earlier message of Mark? No, we just saw the bold message. This is the major difference between reflected XSS and stored XSS. Now let us try alert(10) and close the script tag. Let's see what we get. There you go, we got 10, but did we see the Mark which was bold? No. This is how reflected XSS works; basically it doesn't store the script, but in the case of stored XSS, it just stores the script. That's it for this lecture; we saw how we exploited XSS in DVWA at the low level. Pardon me. In the next lecture we will try to exploit stored XSS at the medium level in DVWA. Let us see if we can do that, and we will see the different techniques used by hackers to exploit XSS.