1
00:00:02,500 --> 00:00:08,080
OK, so another type of directory traversal allows us to read the content of any file.

2
00:00:09,190 --> 00:00:13,450
So, as with these kinds of bugs, we need to climb and traverse between folders again.

3
00:00:14,170 --> 00:00:17,110
So we'll go to Kali and log in to bWAPP.

4
00:00:18,100 --> 00:00:20,950
Open "Directory Traversal - Files" from the menu above.

5
00:00:24,210 --> 00:00:25,590
And here's a sample page.

6
00:00:26,610 --> 00:00:31,020
As you can see, there's nothing on the page itself.

7
00:00:32,480 --> 00:00:36,020
So this means that you've got to pay attention

8
00:00:37,270 --> 00:00:39,790
to the URL, just like in the previous lesson.

9
00:00:41,350 --> 00:00:46,510
Now, it's easy to guess that this time the application displays the content of the file passed in the page

10
00:00:46,510 --> 00:00:47,440
parameter, right?

11
00:00:48,310 --> 00:00:52,870
And call the magic file: /etc/passwd.

12
00:00:55,520 --> 00:00:59,780
And here's the content of the file. See how perfect this is.

13
00:01:01,210 --> 00:01:04,450
So now we can try to climb to reach that same file.

14
00:01:05,550 --> 00:01:06,870
Climb up one more level.

15
00:01:08,100 --> 00:01:14,550
Now, then climb up more again. No. And climb up one more level.

16
00:01:16,210 --> 00:01:17,380
Oh, there it is.

17
00:01:18,700 --> 00:01:24,970
So for this kind of traversal attack, we can use a tool called dotdotpwn.

18
00:01:26,910 --> 00:01:32,370
Now, it's very easy to use, but first we do need to capture the request.

19
00:01:33,550 --> 00:01:35,050
So enable FoxyProxy.

20
00:01:35,980 --> 00:01:38,530
Then open Burp in interception mode.

21
00:01:40,140 --> 00:01:42,900
I'm just going to rearrange the screens for a better view.

22
00:01:44,370 --> 00:01:46,200
OK, so now refresh the page.

23
00:01:47,530 --> 00:01:49,300
And here is the request in Burp.

24
00:01:51,720 --> 00:01:55,530
So now I'm going to change this here to the string TRAVERSAL.

25
00:01:57,870 --> 00:02:00,120
And copy this request to a file.

26
00:02:02,140 --> 00:02:06,490
And let's call it DTT, and save.

27
00:02:08,570 --> 00:02:09,350
OK, good.

28
00:02:09,380 --> 00:02:16,580
So now go to your terminal, simply type dotdotpwn, and we'll look at the options.

29
00:02:17,870 --> 00:02:23,240
And the options are very clear, so let's run dotdotpwn against bWAPP.

30
00:02:24,490 --> 00:02:28,450
Type dotdotpwn -m payload.

31
00:02:29,340 --> 00:02:32,700
So the -m parameter is used to specify the module.

32
00:02:33,970 --> 00:02:38,080
Now, because we're going to use the Burp output, we should choose this module.

33
00:02:39,600 --> 00:02:43,320
And then -h for the name of the host.

34
00:02:46,500 --> 00:02:49,890
And -p for the Burp output file.

35
00:02:51,540 --> 00:02:58,920
-o unix: you can use this parameter if you know the target operating system; it's not necessarily

36
00:02:58,920 --> 00:03:09,120
necessary. And -f /etc/passwd, so with it you can look for a specific file on the target file system.

37
00:03:09,730 --> 00:03:11,550
Told you earlier, I like passwd.

38
00:03:13,650 --> 00:03:16,860
-d 3 to specify the depth of the payload.

39
00:03:17,930 --> 00:03:21,740
And -x 80, and that specifies the port number.

40
00:03:23,310 --> 00:03:28,260
So finally, -b to quit after the first vulnerability is found.

41
00:03:29,970 --> 00:03:31,380
OK, so now we can hit enter.

42
00:03:32,450 --> 00:03:33,680
Oh, dear.

43
00:03:33,710 --> 00:03:34,550
Something went wrong.

44
00:03:35,180 --> 00:03:36,800
Let me just have a look quickly.

45
00:03:37,750 --> 00:03:44,230
And OK, yeah, so I forgot to add a parameter, the parameter -k, so add -k root.

46
00:03:46,570 --> 00:03:51,740
To make the tool understand if it is able to read the file content or not.

47
00:03:52,690 --> 00:03:54,220
OK, then go.

48
00:03:57,780 --> 00:03:59,850
And it discovered the traversal.

49
00:04:00,950 --> 00:04:05,510
And as you can see, it detects it the same way we did: three consecutive climbs.

50
00:04:07,890 --> 00:04:10,700
Now I'm going to exclude the parameter -b.

51
00:04:12,490 --> 00:04:15,880
So this time it's going to discover as many payloads as it can.

52
00:04:19,750 --> 00:04:22,690
All right, so it finds three different versions of the payload.

53
00:04:24:900 --> 00:04:27,330
OK, so then go to the web browser again.

54
00:04:29,130 --> 00:04:30,660
Disable FoxyProxy.

55
00:04:32,020 --> 00:04:33,640
And now change it to the medium level.

56
00:04:37,250 --> 00:04:40,430
So I'm going to add the path that we used before.

57
00:04:41,510 --> 00:04:42,820
OK, so it doesn't work.

58
00:04:44,510 --> 00:04:47,420
OK, so I can delete the first two placeholders.

59
00:04:48,300 --> 00:04:50,210
And it works pretty well, huh?

60
00:04:51,440 --> 00:04:52,850
And for the last level,

61
00:04:54,340 --> 00:04:55,870
I will add the same payload.

62
00:04:57,080 --> 00:04:57,850
And it doesn't work.

63
00:04:59,520 --> 00:05:01,930
OK, so to be honest, I was waiting for this result.

64
00:05:01,950 --> 00:05:02,990
I'm not surprised.

65
00:05:04,640 --> 00:05:11,600
But I set it up on purpose, obviously, because I want to show you another trick to use here:

66
00:05:12,800 --> 00:05:14,450
the file protocol.

67
00:05:15,590 --> 00:05:25,490
So type file:///etc/passwd, and there you have it.

68
00:05:26,650 --> 00:05:34,810
OK, so I want to show you the vulnerable code as well, but it really isn't actually very different

69
00:05:34,810 --> 00:05:36,950
from the first one, so I'm going to leave it for you to look at.

70
00:05:37,210 --> 00:05:37,630
All right.

71
00:05:39,590 --> 00:05:40,070
Good job.

