1 00:00:01,160 --> 00:00:01,790 Welcome back.
2 00:00:02,500 --> 00:00:11,950 Let's see an example of command injection on our DVWA page, so open up your OWASP and navigate to
3 00:00:11,950 --> 00:00:20,980 the DVWA. Here we are going to log in with our credentials and make sure, as usual, that intercept
4 00:00:20,980 --> 00:00:24,550 is turned off so we can navigate between the pages.
5 00:00:25,030 --> 00:00:31,000 Now, once we get to this page, we want to go to this part right here that says Command Execution.
6 00:00:31,000 --> 00:00:33,970 It's essentially the same thing as command injection.
7 00:00:33,970 --> 00:00:35,540 They just named it differently.
8 00:00:36,370 --> 00:00:37,180 Let's go there.
9 00:00:37,420 --> 00:00:44,330 And for this first example, make sure the security level is set to low, and we'll be checking out security
10 00:00:44,350 --> 00:00:46,630 level low and security level medium.
11 00:00:47,110 --> 00:00:53,710 I believe in these newer versions the high security level is actually not vulnerable.
12 00:00:53,710 --> 00:01:00,640 And it's an example of how the code should look once the input is not vulnerable, or once the
13 00:01:00,640 --> 00:01:02,610 input is filtered properly.
14 00:01:03,490 --> 00:01:11,880 So right here it tells us "Ping for FREE": we can enter an IP address and it will ping that IP address
15 00:01:11,890 --> 00:01:12,280 here.
16 00:01:12,280 --> 00:01:19,330 I typed in the IP address of my router and it performed three ping requests and it outputted the
17 00:01:19,330 --> 00:01:20,320 results right here.
18 00:01:20,920 --> 00:01:27,850 So already by seeing these results, we can imagine that the page is performing something like this:
19 00:01:28,360 --> 00:01:36,490 ping 192.168.1.1 -c, you see, for the count, and then 3; then it pings the
20 00:01:36,490 --> 00:01:41,690 router three times and it outputs this result back to us on the page.
21 00:01:42,520 --> 00:01:45,580 So this page is interacting with the system.
22 00:01:45,970 --> 00:01:49,840 Now, let's try to inject our command, so we'll type in the IP address.
23 00:01:49,840 --> 00:01:53,390 And by the way, this IP address most likely won't work for you.
24 00:01:53,410 --> 00:01:59,530 This is just my router's IP, so feel free to try with a different one instead, whether it's an external
25 00:01:59,530 --> 00:02:02,830 IP address or a local IP address inside of your network.
26 00:02:03,700 --> 00:02:09,820 And now let's type a semicolon and let's type, let's submit this.
27 00:02:11,620 --> 00:02:18,400 And here is our command injection: it executed the second command as well. So, simple as that, we
28 00:02:18,400 --> 00:02:23,020 managed to run our command injection, and now we can do pretty much anything that we performed in the
29 00:02:23,020 --> 00:02:28,720 previous videos, such as running a reverse shell, such as taking a look at different accounts and passwords
30 00:02:28,720 --> 00:02:29,650 and all of that.
31 00:02:30,200 --> 00:02:33,670 But this is not why we performed this example.
32 00:02:33,670 --> 00:02:39,150 We want to see how we can also perform command injection on security level medium.
33 00:02:39,610 --> 00:02:48,460 So to change the security level on a page, navigate to here that says DVWA Security and change from
34 00:02:48,460 --> 00:02:49,990 low to medium.
35 00:02:50,770 --> 00:02:51,760 Click on Submit.
36 00:02:52,770 --> 00:02:58,620 And go back to the Command Execution, and down here you should see that now the security level is set
37 00:02:58,620 --> 00:02:58,970 to medium.
38 00:03:00,230 --> 00:03:02,070 So let's try the same thing.
39 00:03:02,090 --> 00:03:08,720 Let's go with the IP address first, just to see what type of output we get, and we get pretty much
40 00:03:08,720 --> 00:03:09,980 the same output as before.
41 00:03:10,610 --> 00:03:16,520 Now, let's try to execute our command by typing semicolon, space, and then ls.
42 00:03:18,820 --> 00:03:20,470 Nothing happens.
43 00:03:21,560 --> 00:03:28,540 And you will notice that on this DVWA page we do have the source code for how this input is filtered;
44 00:03:28,550 --> 00:03:30,050 this source code is written in PHP.
45 00:03:30,920 --> 00:03:36,360 And we're going to take a look at it just so we can see why our command injection doesn't work now.
46 00:03:36,650 --> 00:03:38,240 So let's open the source code.
47 00:03:38,750 --> 00:03:43,190 As I mentioned, it's written in PHP, even though we don't really need to know it.
48 00:03:43,730 --> 00:03:47,080 We can try to guess what this code is doing.
49 00:03:47,900 --> 00:03:52,430 So this is the IP address that we input, or should I say the command that we input.
50 00:03:52,820 --> 00:03:57,650 And now it performs this part right here, or should I say this part?
51 00:03:57,770 --> 00:03:59,440 This is the important part for us.
52 00:04:00,050 --> 00:04:04,700 It creates an array that uses these characters.
53 00:04:05,420 --> 00:04:07,870 And we can see our semicolon right here.
54 00:04:08,180 --> 00:04:14,030 So pretty much every time in our command that it sees a semicolon, it will change it to nothing.
55 00:04:14,510 --> 00:04:16,329 Same goes with these two signs.
56 00:04:16,339 --> 00:04:20,390 And by the way, these two signs are also used to concat different commands.
57 00:04:20,570 --> 00:04:27,100 Let me show you: in terminals, you can type something like ping 192.168.1.1 -c
58 00:04:27,200 --> 00:04:27,740 3.
59 00:04:27,740 --> 00:04:34,900 And then you can use these two signs to also run ls right afterwards, as you can see right here.
60 00:04:35,510 --> 00:04:43,490 So the semicolon is not the only way that we can concat commands, and we can see both of these ways are filtered.
61 00:04:43,490 --> 00:04:47,360 It will replace them with nothing in this line right here.
62 00:04:47,990 --> 00:04:50,560 And that's why our command doesn't work.
63 00:04:51,290 --> 00:04:54,150 So does this mean that the input is not vulnerable?
64 00:04:55,100 --> 00:04:56,450 Well, not really.
65 00:04:56,720 --> 00:05:00,020 There are more ways that we can concat commands.
66 00:05:00,440 --> 00:05:06,200 For example, we can type ping 192.168.1.1 -c 3.
67 00:05:06,710 --> 00:05:13,570 And then instead of using two of these signs, we can just use one of them and it will still work.
68 00:05:13,700 --> 00:05:16,640 Let me show you: if I type one sign and then ls.
69 00:05:19,030 --> 00:05:27,940 Here it is, it printed out both of these things; it just did this first command straight away and
70 00:05:27,940 --> 00:05:33,030 the second command right after, but it did perform both of these commands.
71 00:05:33,970 --> 00:05:36,550 So can we try something like that right here?
72 00:05:36,880 --> 00:05:39,340 As we can see, it's not filtering just one of them.
73 00:05:39,340 --> 00:05:41,980 It's filtering once it sees two of these signs.
74 00:05:42,700 --> 00:05:43,980 Well, let's give it a try.
75 00:05:44,740 --> 00:05:52,840 Let's try to ping 192.168.1.1 and use one of these signs and then ls;
76 00:05:53,470 --> 00:05:54,790 let's submit this.
77 00:05:56,780 --> 00:06:05,810 Oops, it actually won't work because we typed ping, so we just need to type an IP address, and let's
78 00:06:05,810 --> 00:06:06,630 see, whoami?
79 00:06:06,710 --> 00:06:07,960 Let's type whoami this time.
80 00:06:08,240 --> 00:06:10,850 Just by using one sign to separate the commands.
81 00:06:11,450 --> 00:06:18,920 And we do get both of the outputs back, just the whoami output is somewhere in the middle of this
82 00:06:18,920 --> 00:06:19,340 command.
83 00:06:19,940 --> 00:06:26,720 That is because once you type only one sign and not two of them, it actually executes both commands
84 00:06:26,870 --> 00:06:27,920 simultaneously.
85 00:06:27,920 --> 00:06:31,730 And whichever output comes first will be printed out right here.
86 00:06:31,970 --> 00:06:36,710 And currently we got the output of whoami in the middle of the ping command.
87 00:06:36,800 --> 00:06:40,970 But we did run our command injection on medium security level.
88 00:06:43,010 --> 00:06:47,990 And in reality, you don't really have the source code right here; you wouldn't be able to see the
89 00:06:48,530 --> 00:06:48,890 code.
90 00:06:49,220 --> 00:06:54,500 However, you would try all of these signs: you would try the semicolon, you would try both of these signs,
91 00:06:54,500 --> 00:06:56,250 you would try one of the signs.
92 00:06:56,570 --> 00:07:00,500 You can also try the pipe character in order to concat different commands.
93 00:07:00,770 --> 00:07:05,270 And all of those things could be filtered, or maybe most of them are filtered.
94 00:07:05,270 --> 00:07:09,980 But you do manage to find one sign that isn't, that will allow you to perform command injection.
95 00:07:10,280 --> 00:07:13,730 So you just try all of them and see whether any of them works.
96 00:07:14,210 --> 00:07:19,160 Now that we covered command injection, in the next section we're going to cover another big set of
97 00:07:19,340 --> 00:07:22,220 vulnerabilities that is called broken authentication.
98 00:07:22,940 --> 00:07:23,990 See you in the next lecture.