1
00:00:00,900 --> 00:00:09,630
OK, let's cover another XPath injection, so let's navigate to our menu where we can choose our bugs

2
00:00:09,930 --> 00:00:15,600
and let's go with the second XML/XPath injection that we have available.

3
00:00:16,110 --> 00:00:18,270
Click on that and click on Hack.

4
00:00:19,460 --> 00:00:26,780
So this application has a login form, we need to specify a username and password.

5
00:00:27,630 --> 00:00:33,450
So let's give it a try. If you remember from the previous video, I mentioned that this will be rather

6
00:00:33,450 --> 00:00:36,200
similar to an SQL injection attack.

7
00:00:36,780 --> 00:00:39,510
So let's go in that direction.

8
00:00:40,170 --> 00:00:47,340
Let's, first of all, specify a normal username and password, something nonspecific, test and test.

9
00:00:48,170 --> 00:00:49,010
Click on login.

10
00:00:50,470 --> 00:00:56,560
And nothing really happens. Let's go down, it says invalid credentials.

11
00:00:57,590 --> 00:00:59,870
But what would happen if I type test,

12
00:01:00,880 --> 00:01:05,560
single quote, and a single quote, then click on login.

13
00:01:07,480 --> 00:01:14,610
Hmm, we do get invalid credentials, but up here we will have a warning or an error:

14
00:01:15,600 --> 00:01:19,950
SimpleXMLElement, invalid predicate, in this part.

15
00:01:21,100 --> 00:01:29,380
So we do get an error, and the way that we can exploit this error is pretty much the same way that we exploit

16
00:01:29,380 --> 00:01:30,330
SQL injection.

17
00:01:30,790 --> 00:01:37,170
So all we have to do is type test or 1=1, with single quotes.

18
00:01:37,660 --> 00:01:43,330
And the same thing for the password: or 1=1.

19
00:01:43,960 --> 00:01:44,680
Click on login.

20
00:01:46,120 --> 00:01:53,350
And here it is, we logged in as user Neo: Welcome Neo, your secret:

21
00:01:53,400 --> 00:01:55,800
Oh, why didn't I took that black pill?

22
00:01:56,380 --> 00:01:59,200
So we get the username and its secret.

23
00:01:59,890 --> 00:02:03,070
But there is more to this than just logging in

24
00:02:03,070 --> 00:02:12,390
as this user. We can try to log in as any user, in case this application defines users with an ID.

25
00:02:12,730 --> 00:02:15,760
For example, Neo could have one ID.

26
00:02:16,300 --> 00:02:22,090
A different user could be ID 1, another user could be ID 2, and so on and so on.

27
00:02:22,360 --> 00:02:29,410
In case there is a parameter or variable ID that reflects on each user, then we can switch the user

28
00:02:29,410 --> 00:02:36,730
by changing the ID value, so we can try something like this: test single quote, to close off the normal

29
00:02:37,270 --> 00:02:37,840
input,

30
00:02:39,170 --> 00:02:45,170
and then type or id equals, for example, 2.

31
00:02:46,100 --> 00:02:51,410
Remember not to close the single quote at the end, because it's already getting closed by the application.

32
00:02:51,920 --> 00:03:00,500
Let's type the same thing as the password: test single quote or id equals 2.

33
00:03:02,390 --> 00:03:03,170
Let's go down.

34
00:03:04,530 --> 00:03:12,510
And now we are a different user: Welcome Alice, your secret: There's a cure. We can go even further,

35
00:03:12,630 --> 00:03:15,840
so id equals 3, and let's do the same right here.

36
00:03:22,000 --> 00:03:25,610
We are Thor now, and you can see where this goes.

37
00:03:26,290 --> 00:03:33,130
This application allows us to interact with the ID value, therefore allowing us to switch the username

38
00:03:33,130 --> 00:03:37,850
just by selecting test single quote or id equals 2.

39
00:03:38,470 --> 00:03:43,390
And then we are logged in as that user and we also get their secret.

40
00:03:44,240 --> 00:03:47,810
So this was rather easy to explain. In the next lecture,

41
00:03:47,840 --> 00:03:52,190
we're going to take a look at a different type of vulnerability that we haven't encountered before,

42
00:03:52,400 --> 00:03:56,600
which is called XXE. See you in the next lecture.