1 00:00:01,250 --> 00:00:09,350 OK, before we start with exploiting SQL injection, I want to show you a quick guide that will teach
2 00:00:09,350 --> 00:00:15,920 us how exactly this injection works and what steps we need to perform in order to discover
3 00:00:15,920 --> 00:00:16,129 it.
4 00:00:17,430 --> 00:00:22,620 The reason we're going with the guide first is because this is arguably the hardest vulnerability that
5 00:00:22,620 --> 00:00:29,460 we have covered so far, so we could use a little bit of practice in order to really get used to it and to
6 00:00:29,460 --> 00:00:30,460 really understand it.
7 00:00:31,500 --> 00:00:38,900 So what I want you to do is open your Firefox and search for "SQL injection
8 00:00:38,910 --> 00:00:43,680 practice", and you should find this link to be among the first ones.
9 00:00:43,860 --> 00:00:46,740 It is "SQL Injection - Explained".
10 00:00:47,590 --> 00:00:49,060 You want to click on that link.
11 00:00:51,240 --> 00:00:56,670 And the full URL to the example is this one, in case you want to type it in.
12 00:00:57,740 --> 00:01:04,400 Once we get there, we want to click on Get Ready and start the application, so once you click on that,
13 00:01:04,400 --> 00:01:06,480 it will load this application right here.
14 00:01:06,680 --> 00:01:08,810 This is our website.
15 00:01:09,870 --> 00:01:16,140 These are the steps that we need to go through in order to exploit the SQL injection, and here
16 00:01:16,140 --> 00:01:19,740 we will have a small guide which will come as this message.
17 00:01:20,370 --> 00:01:23,430 So the first one says this is the vulnerable application.
18 00:01:23,430 --> 00:01:25,830 We will be trying to hack it with an injection.
19 00:01:26,460 --> 00:01:30,600 And it appears it's a bank application with a login form.
20 00:01:31,230 --> 00:01:33,090 So let's move on to the next step.
21 00:01:35,290 --> 00:01:41,920 It gives us another window that says: here are the application logs, watch what happens here when you
22 00:01:41,920 --> 00:01:44,800 interact with the vulnerable application.
23 00:01:45,500 --> 00:01:51,540 OK, one thing to notice is that logs are something that we wouldn't really have in real life.
24 00:01:52,330 --> 00:01:56,560 This is given to us just so we can understand this vulnerability.
25 00:01:57,190 --> 00:01:59,860 OK, so let's go on to the next step.
26 00:02:00,830 --> 00:02:07,640 It tells us: go ahead and try logging in with the following credentials, user@email.com and
27 00:02:07,640 --> 00:02:08,240 password.
28 00:02:10,440 --> 00:02:15,200 Let's type that in: user@email.com and password.
29 00:02:16,740 --> 00:02:19,230 Let's click on login, don't save.
30 00:02:20,410 --> 00:02:28,030 And nothing really happens; if we go to logs, it will say invalid credentials specified, but the next
31 00:02:28,030 --> 00:02:31,660 step tells us that guessing the password didn't work.
32 00:02:32,020 --> 00:02:37,930 Let's try adding a quote character after the password, and you will see in just a second
33 00:02:37,930 --> 00:02:39,790 why we are adding this quote character.
34 00:02:40,120 --> 00:02:41,670 Let's type that in first.
35 00:02:41,680 --> 00:02:42,880 So let's type password.
36 00:02:45,270 --> 00:02:49,440 Our email is specified, and let's just click on login.
37 00:02:52,430 --> 00:02:57,020 Now we get an error: an unexpected error occurred.
38 00:02:58,040 --> 00:03:02,180 This says this application crashed with an unexpected error.
39 00:03:02,690 --> 00:03:03,860 What could that mean?
40 00:03:04,700 --> 00:03:11,660 Well, let's go to the next step, which will lead us to logs; it says the log shows an SQL syntax
41 00:03:11,660 --> 00:03:11,970 error.
42 00:03:12,770 --> 00:03:17,920 This indicates that the quote character messed something up in an unexpected way.
43 00:03:18,440 --> 00:03:22,460 And if we take a look at the logs, we do get a syntax error.
44 00:03:22,880 --> 00:03:31,790 And here we also get the SQL query used to query our username and password, or in this case, our email
45 00:03:31,790 --> 00:03:32,660 and password.
46 00:03:33,320 --> 00:03:35,780 And you will notice where the error is.
47 00:03:36,380 --> 00:03:42,050 Our credentials are being specified between the single quotes by default.
48 00:03:42,590 --> 00:03:50,060 Once we added a single quote at the end of our password, it messed up the syntax because now here we
49 00:03:50,060 --> 00:03:57,270 have one opening single quote and two closing single quotes, which gave us the syntax error.
50 00:03:58,100 --> 00:04:03,600 This is a really, really good indication that there is an SQL injection vulnerability on the application.
51 00:04:04,400 --> 00:04:05,930 Let's move on to the next step.
52 00:04:07,580 --> 00:04:15,410 Now it pops up another window, and in this window we get the SQL query, or the SQL code used to query
53 00:04:15,410 --> 00:04:17,300 our credentials in the database.
54 00:04:18,500 --> 00:04:24,140 And this code that we get right here is the same one that we got inside of our logs.
55 00:04:25,250 --> 00:04:31,720 It will change once we type something, and it will show us what it looks like inside of this code window.
56 00:04:32,630 --> 00:04:37,220 So let's go to the next step and let's type once again password
57 00:04:39,770 --> 00:04:44,680 question mark, or pardon me, single quote. It even tells us to do that again.
58 00:04:44,690 --> 00:04:51,170 And here we can see what it looks like. If I delete this single quote, you will notice that this is the
59 00:04:51,170 --> 00:04:52,540 entire SQL query.
60 00:04:52,820 --> 00:04:54,950 This also belongs to this command.
61 00:04:55,460 --> 00:04:57,350 But as soon as I type
62 00:04:58,160 --> 00:05:05,720 a single quote, it messes up this part that comes after, so this is why this single quote gave us
63 00:05:05,720 --> 00:05:10,910 an error: the syntax is no longer valid once we specify it here.
64 00:05:11,910 --> 00:05:13,130 Let's go to the next step.
65 00:05:14,360 --> 00:05:20,640 It even tells us right here: the quote is inserted directly into the string and terminates the query
66 00:05:20,660 --> 00:05:24,440 early; this is what caused that syntax error we saw in the logs.
67 00:05:24,770 --> 00:05:26,440 OK, we already mentioned that.
68 00:05:26,450 --> 00:05:27,590 Let's go to the next step.
69 00:05:29,290 --> 00:05:32,690 It says this behavior indicates that the application might be vulnerable.
70 00:05:33,010 --> 00:05:34,770 We already mentioned that as well.
71 00:05:34,780 --> 00:05:38,710 And the next step tells us to enter the following command.
72 00:05:39,400 --> 00:05:48,910 We specify the regular user@email.com, and the password is single quote, or, one equals one, dash
73 00:05:48,910 --> 00:05:49,290 dash.
74 00:05:50,020 --> 00:05:51,310 Why are we typing that in?
75 00:05:51,760 --> 00:05:54,870 Well, let's type it first and then we're going to explain it.
76 00:05:54,880 --> 00:05:59,260 So let's go with a single quote, space, or, space,
77 00:05:59,650 --> 00:06:08,140 one equals one, dash dash. And if we go to our code window and we take a look at the query,
78 00:06:09,130 --> 00:06:11,600 it actually is a valid query.
79 00:06:11,670 --> 00:06:13,500 It's valid SQL syntax.
80 00:06:14,200 --> 00:06:22,360 We're selecting everything from users where email is equal to this email and password is equal to nothing,
81 00:06:22,600 --> 00:06:24,790 or one is equal to one.
82 00:06:25,490 --> 00:06:31,390 And this dash dash at the end is just the syntax for a comment in the SQL language.
83 00:06:32,260 --> 00:06:39,850 What this last line does is it simply says: find the user with this email that has a password equal
84 00:06:39,850 --> 00:06:40,540 to nothing.
85 00:06:40,720 --> 00:06:45,880 Or if that user doesn't have a password that is equal to nothing, then check whether one is equal to
86 00:06:45,880 --> 00:06:46,150 one.
87 00:06:46,600 --> 00:06:52,590 And if either of these two conditions is fulfilled, log in to that account.
88 00:06:53,470 --> 00:06:56,870 Now, since the password is probably not equal to nothing,
89 00:06:57,220 --> 00:06:58,900 this will not go through.
90 00:06:59,140 --> 00:07:03,040 But the second argument is that one equals one.
91 00:07:03,400 --> 00:07:10,390 And if any one of them is true, then it will log us in, in case this user exists inside this
92 00:07:10,390 --> 00:07:14,280 application, and one is always equal to one.
93 00:07:14,320 --> 00:07:17,170 So this should, like I said, let's give it a try.
94 00:07:20,690 --> 00:07:28,880 And here it is, it says: and here we are in, we successfully gained access to the application without
95 00:07:28,880 --> 00:07:30,540 having to guess the password.
96 00:07:31,340 --> 00:07:38,400 Now we are logged into the bank account of that user with a simple or one equals one command.
97 00:07:39,020 --> 00:07:46,670 So what we essentially did right here is we injected SQL syntax inside of this query, and we tricked the
98 00:07:46,670 --> 00:07:52,160 application into executing our code just because it doesn't filter user input.
99 00:07:53,000 --> 00:07:55,130 Nonetheless, you saw how easy this was.
100 00:07:55,130 --> 00:07:59,380 And we're going to take a look at more similar examples in the next few weeks.