1
00:00:00,940 --> 00:00:07,620
So in a normal scenario, when you get an actual error, then you can shape an SQL injection attack

2
00:00:08,530 --> 00:00:12,190
and when you don't get an error, you can try Boolean techniques.

3
00:00:13,490 --> 00:00:17,350
But there are other times when sometimes even this doesn't work.

4
00:00:18,980 --> 00:00:26,600
So in this lesson, we're going to examine another SQL injection, OK, blind SQL injection, blind

5
00:00:26,840 --> 00:00:27,980
time-based.

6
00:00:29,500 --> 00:00:35,770
So as in the previous lesson, you will see a simple search field, so let's try something to search.

7
00:00:38,260 --> 00:00:43,090
And maybe a single quote could leak something. Hmm, nothing.

8
00:00:44,940 --> 00:00:48,970
So it seems that we always display the same page, same response.

9
00:00:48,990 --> 00:00:56,820
Yeah, and we have nothing to determine whether our searches or payloads reach the database and execute.

10
00:00:58,500 --> 00:01:03,200
OK, folks, open your terminals before going any further.

11
00:01:04,230 --> 00:01:09,320
Then, sqli_15.php.

12
00:01:11,100 --> 00:01:12,570
So on line 26,

13
00:01:13,480 --> 00:01:15,550
error reporting is turned off.

14
00:01:16,810 --> 00:01:19,120
That explains why we don't get the errors.

15
00:01:20,400 --> 00:01:24,240
And rigorous security checks, here they come.

16
00:01:25,380 --> 00:01:32,430
So this part is important to us here, the actual query is just like this.

17
00:01:33,480 --> 00:01:38,790
It's not any different from the previous query that we saw in boolean-based SQL injection.

18
00:01:40,020 --> 00:01:41,820
Then this query executes.

19
00:01:43,150 --> 00:01:47,560
And if there's no error and the result set is not empty, then it does something.

20
00:01:48,740 --> 00:01:52,520
Actually, it sends an email to the user's address.

21
00:01:54,060 --> 00:01:55,440
So scroll down a little bit.

22
00:01:56,910 --> 00:01:58,350
Now, this is a search box.

23
00:02:00,170 --> 00:02:03,560
There is no code that can affect the page here.

24
00:02:04,780 --> 00:02:05,890
So go back.

25
00:02:10,140 --> 00:02:12,360
OK, I forgot to try boolean values.

26
00:02:14,330 --> 00:02:17,630
So type or one equals one.

27
00:02:19,190 --> 00:02:20,150
Nothing happens.

28
00:02:21,250 --> 00:02:22,390
Add a hash character.

29
00:02:24,350 --> 00:02:25,100
No, nothing.

30
00:02:26,170 --> 00:02:27,940
All right, change one to two and try.

31
00:02:29,370 --> 00:02:36,990
Nothing happens yet. I'm the one who's supposed to know what he's doing right now. What I'm showing

32
00:02:36,990 --> 00:02:45,530
you here is, you can tell, that comparing with boolean operators doesn't necessarily work all the time.

33
00:02:46,980 --> 00:02:53,850
So that means that we need to use time-based SQL payloads, which is what I guess I began telling

34
00:02:53,850 --> 00:02:54,030
you.

35
00:02:55,050 --> 00:02:58,350
But I want you to see when you need to use them.

36
00:03:01,850 --> 00:03:03,620
So now let's have a look at this payload.

37
00:03:04,720 --> 00:03:07,270
Now, focus on the AND statement.

38
00:03:08,450 --> 00:03:16,340
So if the whole query is legitimate, the left side of the AND will execute very quickly and the right

39
00:03:16,340 --> 00:03:20,060
side of the AND will sleep for two seconds and then execute.

40
00:03:22,030 --> 00:03:25,210
So we're going to observe the page for the response.

41
00:03:26,300 --> 00:03:33,830
If the page loads approximately after two seconds, then it means we get an actual injection, so quick

42
00:03:33,830 --> 00:03:34,370
search.

43
00:03:35,280 --> 00:03:39,810
And look at the lower left corner, the browser's waiting for the page.

44
00:03:41,680 --> 00:03:44,890
Now, I forgot to count for two seconds, but you can see it works.

45
00:03:46,440 --> 00:03:49,470
And then you can shape the payload to pull data.

46
00:03:50,940 --> 00:03:55,810
But I'm going to show you some other types of payloads as well, so let's have a look at this one.

47
00:03:56,310 --> 00:03:57,430
Oh, no, no, wait, wait, wait.

48
00:03:58,440 --> 00:04:01,800
You can also use this, the BENCHMARK function.

49
00:04:03,300 --> 00:04:06,390
So there are several payloads with BENCHMARK.

50
00:04:07,960 --> 00:04:10,810
And now we can perform the version detection.

51
00:04:12,480 --> 00:04:13,800
So use this payload.

52
00:04:14,750 --> 00:04:21,710
And if the first character of the version is five, it will sleep for two seconds.

53
00:04:22,710 --> 00:04:28,050
Yes, so it waits, so you can get them all one by one.

54
00:04:30,260 --> 00:04:33,800
And then write this payload to get the first character of the current database.

55
00:04:34,820 --> 00:04:37,010
The page will load after two seconds if it's B.

56
00:04:38,280 --> 00:04:40,050
And yes, it is B.

57
00:04:42,410 --> 00:04:48,770
OK, so try this one to get the length of the current database. Oh, no, wait, wait, then change it

58
00:04:48,770 --> 00:04:50,690
here to five and search.

59
00:04:52,360 --> 00:05:00,100
And yes, it has five characters, so to learn the length, you can also use the LIKE operator with

60
00:05:00,100 --> 00:05:01,120
placeholders.

61
00:05:02,480 --> 00:05:04,370
So let's add one more placeholder.

62
00:05:08,430 --> 00:05:09,260
Yeah, it works.

63
00:05:11,140 --> 00:05:14,810
OK, so I think you get the point now.

64
00:05:14,830 --> 00:05:15,190
Yeah.

65
00:05:16,370 --> 00:05:21,350
Now, I, of course, have several other payloads, but they do pretty much the same things.

66
00:05:22,800 --> 00:05:28,470
So I'm going to share all that with you in a separate file, and I'm going to stop at this point and

67
00:05:28,470 --> 00:05:32,820
you can try some of the other payloads on your own, go for broke, see what you can do.

