1
00:00:00,940 --> 00:00:08,350
OK, in the previous lecture, we saw an example of how we can exploit the SQL injection inside of

2
00:00:08,350 --> 00:00:16,210
the DVWA application, but right now let's see how we can apply the same command that we used to exploit

3
00:00:16,210 --> 00:00:19,960
it, which I have written right here.

4
00:00:20,140 --> 00:00:26,320
This is the command, or the final command, that we used to extract all of the data from the database.

5
00:00:27,160 --> 00:00:31,240
Let's see how we can change it to make it work on the medium level.

6
00:00:31,840 --> 00:00:33,730
So the last video was the low level.

7
00:00:34,030 --> 00:00:41,860
Now let's change it to medium, submit, and navigate back to the injection.

8
00:00:43,370 --> 00:00:48,260
Now, if you try to run the same command, we just paste this.

9
00:00:50,280 --> 00:00:51,900
And we try to run it.

10
00:00:55,090 --> 00:00:56,180
It will not work.

11
00:00:56,200 --> 00:00:58,570
It will result in an error.

12
00:00:59,720 --> 00:01:07,130
Luckily, this error does give us a little bit more information than it should. For example, if we

13
00:01:07,130 --> 00:01:15,200
scroll all the way to the right here, we will see how exactly our command is getting processed in the

14
00:01:15,200 --> 00:01:15,560
page.

15
00:01:16,280 --> 00:01:23,020
You can see that wherever we have a single quote specified, it is getting filtered by a backslash.

16
00:01:23,240 --> 00:01:27,670
So every time we specify a single quote, it adds a backslash.

17
00:01:27,740 --> 00:01:32,510
The application adds a backslash, which then results in a MySQL error.

18
00:01:33,200 --> 00:01:37,430
This command is not valid once it has this backslash.

19
00:01:37,940 --> 00:01:43,730
Another thing that we can notice is that it doesn't really give us the entire command at the top.

20
00:01:44,330 --> 00:01:46,440
It only gives us a part of the command.
21
00:01:47,000 --> 00:01:52,910
This could mean that there could be a limitation on the characters that we can specify.

22
00:01:53,910 --> 00:02:00,330
Let's give it a try to see how we can bypass this backslash and how we can actually bypass the character

23
00:02:00,330 --> 00:02:01,990
limitation in case there is one.

24
00:02:02,190 --> 00:02:06,030
So let's go back to the page and let's delete this.

25
00:02:07,810 --> 00:02:13,990
Let's delete all of it, and the first thing that I want to take a look at is the source code.

26
00:02:15,600 --> 00:02:17,580
Let's enlarge this.

27
00:02:19,060 --> 00:02:25,760
And what we are mostly interested in is the actual query used to query the database.

28
00:02:26,050 --> 00:02:31,090
Of course, the source code is not something that we would have in a real application, but luckily

29
00:02:31,750 --> 00:02:36,820
during the practice, we can take a look at the source code and figure out how we can exploit this.

30
00:02:37,770 --> 00:02:44,550
You will notice one main difference that distinguishes this application from the low level application:

31
00:02:45,150 --> 00:02:50,860
our ID, or our input, is not getting placed between the single quotes.

32
00:02:51,840 --> 00:02:57,120
This is really good because this can help us bypass the single quote problem, where it gets filtered

33
00:02:57,120 --> 00:03:02,130
by a backslash, because if it doesn't get added between the single quotes, we don't really need to

34
00:03:02,130 --> 00:03:03,710
use single quotes at all.

35
00:03:04,410 --> 00:03:07,150
We can type a command that looks something like this.

36
00:03:07,710 --> 00:03:11,130
So if we take this same command, we can make it work.

37
00:03:11,130 --> 00:03:19,320
If we run it like this, two union select concat, and let's type user ID.

38
00:03:20,370 --> 00:03:26,100
Now, since this is getting processed as a character, we must remove it altogether.
39
00:03:26,130 --> 00:03:31,020
So what we are going to do is we're just going to type it like this: user ID and then first name.

40
00:03:31,860 --> 00:03:37,860
The only problem with this is that these users and first and last names are not going to be physically

41
00:03:37,860 --> 00:03:39,760
divided by the semicolon.

42
00:03:40,350 --> 00:03:46,040
Nonetheless, it's still better than not extracting any data, so we can run it like this.

43
00:03:46,560 --> 00:03:49,230
We need to specify the user and the password.

44
00:03:49,710 --> 00:03:53,630
And we're extracting this from dvwa.users.

45
00:03:54,300 --> 00:03:58,440
We specify two dashes to comment out the rest of the command.

46
00:03:58,920 --> 00:04:00,750
And if we copy this.

47
00:04:05,550 --> 00:04:07,230
Go back to our application.

48
00:04:08,690 --> 00:04:09,950
And hit Enter.

49
00:04:13,960 --> 00:04:15,590
Well, here it is.

50
00:04:16,089 --> 00:04:23,050
It worked successfully. We managed to extract all the data just by removing the single quotes from

51
00:04:23,050 --> 00:04:25,900
our command, as we can see right here.

52
00:04:27,010 --> 00:04:32,500
It appears that that is the only filter. I thought there could maybe be a character limitation

53
00:04:32,500 --> 00:04:35,370
filter there as well, but that could easily be bypassed.

54
00:04:35,710 --> 00:04:41,560
We could just remove the unnecessary data, such as, for example, this one. We don't really need

55
00:04:41,560 --> 00:04:48,070
the user ID, the first or last name. The only things we are interested in are users and passwords.

56
00:04:48,070 --> 00:04:57,390
And we can type it like this: two union select one, comma, and then concat user, password from dvwa.users.

57
00:04:57,400 --> 00:05:04,110
And this will make our command even shorter, allowing us to perhaps bypass the character limitation.

58
00:05:04,360 --> 00:05:08,010
Let's give it a try to see whether this command will also work.
59
00:05:08,020 --> 00:05:13,420
And before I type it in, you can take a look at the only problem that we have, which is that the first and last

60
00:05:13,420 --> 00:05:20,980
name are not getting separated, and the username and password are also not getting separated, but we

61
00:05:20,980 --> 00:05:22,960
are extracting them nonetheless.

62
00:05:23,860 --> 00:05:27,040
Let's take a look at this third command to see whether it will work.

63
00:05:28,520 --> 00:05:33,480
And it does work. We removed specifying the first and last name.

64
00:05:33,590 --> 00:05:39,950
So now in the first name field, we only get the number one, which we specified right here.

65
00:05:40,940 --> 00:05:43,340
And in the last name field.

66
00:05:45,350 --> 00:05:53,360
We get the username and password all together, and we get that, as usual, for every user in the application.

67
00:05:54,080 --> 00:05:58,760
Nonetheless, I just wanted to show you how we can exploit the injection on the medium level.

68
00:05:59,120 --> 00:06:06,020
And in the next lecture, we're going to tackle the subject of blind SQL injection.