﻿1
00:00:02,380 --> 00:00:09,280
So until now, we have exploited some SQL injection vulnerabilities, but the main queries are

2
00:00:09,280 --> 00:00:10,870
all built with select statements.

3
00:00:12,380 --> 00:00:20,090
So we add our payloads after the select statement. Now, this time we're going to, hmm, maybe just do something

4
00:00:20,090 --> 00:00:20,440
different.

5
00:00:21,870 --> 00:00:26,940
And we're going to perform an actual injection over insert statements.

6
00:00:28,800 --> 00:00:33,900
So let's go to bWAPP and then SQL Injection - Stored (Blog).

7
00:00:37,150 --> 00:00:38,350
You may remember this page.

8
00:00:39,570 --> 00:00:45,320
It has, well, almost the same view as stored XSS.

9
00:00:46,600 --> 00:00:49,180
But the back-end code is completely different.

10
00:00:50,930 --> 00:00:52,850
It was kind of like a commenting page.

11
00:00:54,780 --> 00:00:58,920
So here you can enter something and it will be displayed below.

12
00:01:00,580 --> 00:01:01,090
OK.

13
00:01:03,180 --> 00:01:04,260
So open a terminal.

14
00:01:06,420 --> 00:01:11,910
Type vim sqli_7.php.

15
00:01:13,190 --> 00:01:18,170
And the security check is performed based on whatever security level is checked.

16
00:01:20,920 --> 00:01:26,800
Scroll down below, and in this line, the user's input is checked.

17
00:01:28,630 --> 00:01:30,690
Then the insert statement comes.

18
00:01:33,500 --> 00:01:39,920
And it uses the user input and the session user name to insert into the blog table.

19
00:01:41,420 --> 00:01:46,130
And below, there is a select statement to display the entries in that table.

20
00:01:48,350 --> 00:01:50,990
And it selects all the records to display.

21
00:01:52,400 --> 00:01:57,590
So first, it shows the owner of the entry, and it shows the entry itself.

22
00:01:58,990 --> 00:02:00,690
And the rest is not very important.

23
00:02:01,710 --> 00:02:02,580
So go to bWAPP.

24
00:02:03,430 --> 00:02:05,410
Well, no, no, actually, go to Chrome.

25
00:02:07,750 --> 00:02:11,530
So if you're not already, just log in to phpMyAdmin.

26
00:02:12,570 --> 00:02:14,100
Open a new SQL window.

27
00:02:15,160 --> 00:02:18,970
So I'm going to paste the code here and clear it.

28
00:02:23,610 --> 00:02:31,770
All right, so this is the pure SQL query, and our input data will come in between these first single quotes.

29
00:02:34,080 --> 00:02:39,180
OK, and when you put in a single quote, as we did previously.

30
00:02:40,220 --> 00:02:44,630
See how it won't cause an error; it will insert the single quote

31
00:02:45,540 --> 00:02:46,440
into the table.

32
00:02:47,810 --> 00:02:50,060
But if you add this payload.

33
00:02:54,030 --> 00:02:56,670
It will just execute the query.

34
00:02:58,000 --> 00:03:01,990
Then insert A and B in the movies table.

35
00:03:03,650 --> 00:03:07,100
And the remaining part will be executed as a comment.

36
00:03:08,530 --> 00:03:10,810
OK, so copy that payload if you want.

37
00:03:13,500 --> 00:03:15,300
And go to Firefox.

38
00:03:16,390 --> 00:03:18,580
Paste it in here and add the entry.

39
00:03:22,300 --> 00:03:23,590
So you see, there's no problem.

40
00:03:25,310 --> 00:03:28,700
So the last line proves the insert process.

41
00:03:29,770 --> 00:03:31,600
OK, then paste this one.

42
00:03:34,420 --> 00:03:38,580
This shows the sub-select queries also cause no problems.

43
00:03:40,790 --> 00:03:43,610
And now we can enumerate the database itself.

44
00:03:45,720 --> 00:03:47,100
So now, write this payload.

45
00:03:50,160 --> 00:03:54,360
And here are the values of the version, the database and the user.

46
00:03:56,650 --> 00:04:00,640
And the payload we provide selects the data from the database.

47
00:04:01,500 --> 00:04:05,850
And then the original query inserts that data into the movies table.

48
00:04:07,400 --> 00:04:11,600
The second original select statement brings the records into the movies table.

49
00:04:14,040 --> 00:04:17,540
So, OK, let's go with databases on the server.

50
00:04:21,980 --> 00:04:25,490
As you see, we can only view one database.

51
00:04:27,120 --> 00:04:32,490
The information of this one database, so the problem is in the insert statement.

52
00:04:33,460 --> 00:04:41,080
So because we use a sub-select statement in the insert, the insert statement can only insert one line.

53
00:04:42,490 --> 00:04:45,550
So that's why we cannot see all the data together.

54
00:04:47,340 --> 00:04:48,990
And we can use a limit clause.

55
00:04:49,990 --> 00:04:53,920
And this is the information for bWAPP.

56
00:04:56,440 --> 00:04:59,970
But you can do this for the other ones in this way as well.

57
00:05:01,110 --> 00:05:05,880
However, if you group the names, there's no problem.

58
00:05:06,960 --> 00:05:08,880
So you see all the names are here.

59
00:05:11,150 --> 00:05:13,550
Now, write this payload to get the table names.

60
00:05:14,500 --> 00:05:15,520
You know, we get an error.

61
00:05:16,510 --> 00:05:18,760
And it is indeed a syntax error.

62
00:05:21,440 --> 00:05:31,220
OK, so now it's done. So with this payload, we can one by one read each table, but I have nothing to

63
00:05:31,220 --> 00:05:32,900
do with the system tables now.

64
00:05:35,080 --> 00:05:37,090
So I need bWAPP's tables.

65
00:05:41,770 --> 00:05:43,030
And here they are.

66
00:05:45,140 --> 00:05:48,350
So now we can get the column names with this payload.

67
00:05:49,720 --> 00:05:51,280
And we need to go one by one.

68
00:05:54,120 --> 00:05:56,520
And once again, I only need my target table.

69
00:05:57,870 --> 00:05:58,920
So paste this one.

70
00:06:02,140 --> 00:06:05,110
And then these are the columns of the users table.

71
00:06:07,740 --> 00:06:10,380
And now we can pull the actual data.

72
00:06:11,950 --> 00:06:16,530
OK, so you can use this payload to bring the information from the users table.

73
00:06:18,210 --> 00:06:21,150
But you do need to go one by one again here.

74
00:06:23,050 --> 00:06:28,360
And now, of course, I don't want to finish this lesson without my magic file.

75
00:06:30,230 --> 00:06:33,350
So use this payload to load the password file.

76
00:06:36,420 --> 00:06:43,740
And yeah, I'm sorry, we cannot view all of the content at this time because there is yet another restriction.

77
00:06:45,470 --> 00:06:52,760
So normally we inject into every parameter, but the result of the sub-select statement is inserted

78
00:06:52,760 --> 00:06:58,160
in the owner column, and the size of this column is about 100 characters.

79
00:06:59,860 --> 00:07:03,280
So that means that we're only able to read this much data.

80
00:07:04,880 --> 00:07:06,040
But you get my meaning.

