﻿1
00:00:00,910 --> 00:00:08,370
So until now, we've injected JavaScript, SQL and XPath code into legitimate data.

2
00:00:09,650 --> 00:00:13,970
Now, it may also be possible to inject different languages.

3
00:00:15,440 --> 00:00:19,370
So another popular injection type is PHP code injection.

4
00:00:20,390 --> 00:00:26,060
So code can be injected into a program or script from some outside source.

5
00:00:27,520 --> 00:00:33,940
So the added code is part of the application itself, with the same permissions as the application.

6
00:00:34,970 --> 00:00:38,300
Now, imagine the consequences of that.

7
00:00:39,760 --> 00:00:43,210
So in bWAPP, there's also an example for this attack.

8
00:00:43,660 --> 00:00:49,660
So if you want to have a look and see how it works, open your browser and log in to bWAPP.

9
00:00:50,930 --> 00:00:55,760
And from the menu above, choose PHP Code Injection.

10
00:00:56,950 --> 00:01:02,940
And just like it says, this is just a test page that reflects your message.

11
00:01:04,040 --> 00:01:07,370
So if you click here, it writes the phrase "test" below.

12
00:01:08,660 --> 00:01:11,300
And the data transmits over the URL.

13
00:01:12,690 --> 00:01:14,070
So view the page source.

14
00:01:15,300 --> 00:01:17,130
And here's a part containing the link.

15
00:01:18,930 --> 00:01:23,250
The message parameter in the URL has a default value, "test".

16
00:01:24,750 --> 00:01:29,460
All right, so now I'm going to change it here, I'm going to change it to "something".

17
00:01:32,860 --> 00:01:40,540
And see how the link doesn't change, but the value below is changed to "something".

18
00:01:41,780 --> 00:01:47,810
OK, so I think that what we have here in the message parameter is reflected back to us.

19
00:01:49,110 --> 00:01:56,720
OK, so now I'm going to add a semicolon here, and then I'll observe how the application behaves.

20
00:01:58,100 --> 00:01:59,870
So it doesn't print the semicolon.

21
00:02:01,350 --> 00:02:06,000
So let's see, maybe it's escaped, or it's interpreted in the backend.

22
00:02:08,010 --> 00:02:11,280
So you can also add a piece of PHP code after it.

23
00:02:12,360 --> 00:02:13,410
echo something.

24
00:02:15,230 --> 00:02:16,340
And hit enter.

25
00:02:18,360 --> 00:02:20,880
Well, isn't that super? It executes.

26
00:02:21,900 --> 00:02:25,530
OK, so delete the echo function and write phpinfo.

27
00:02:28,400 --> 00:02:30,340
Well, that executes as well.

28
00:02:32,050 --> 00:02:35,560
So that's perfect, we can execute PHP code now on the backend.

29
00:02:36,910 --> 00:02:40,540
So PHP has several functions to execute operating system commands.

30
00:02:41,750 --> 00:02:43,610
The system command is only one of them.

31
00:02:44,810 --> 00:02:47,810
So we discover the OS is Linux.

32
00:02:49,000 --> 00:02:50,590
So, print working directory.

33
00:02:52,950 --> 00:03:02,340
And it shows bWAPP's directory, so somehow we are able to run commands on the operating system, but we

34
00:03:02,340 --> 00:03:07,080
haven't displayed the content of the passwd file yet, so it's not a real hack.

35
00:03:07,080 --> 00:03:07,330
Right.

36
00:03:08,880 --> 00:03:12,720
And I mean, that's good, because this is the content of the password file.

37
00:03:14,060 --> 00:03:15,290
So now it's a hack.

38
00:03:17,440 --> 00:03:24,130
OK, so let's move on with Burp and enable FoxyProxy, and then refresh the page.

39
00:03:25,770 --> 00:03:26,490
Open Burp.

40
00:03:27,380 --> 00:03:30,740
And I just intercepted it, send it to Repeater.

41
00:03:31,910 --> 00:03:34,850
So send it to Repeater and let it go.

42
00:03:36,280 --> 00:03:39,160
And here is the request, so send it.

43
00:03:40,230 --> 00:03:41,670
It executes again.

44
00:03:43,100 --> 00:03:47,210
So now I'm going to delete the file name from here.

45
00:03:48,630 --> 00:03:49,500
And.

46
00:03:51,520 --> 00:03:56,060
Let's have a look, see where the netcat binary is: which nc?

47
00:03:57,450 --> 00:04:03,810
Now, due to URL encoding, I'll use the URL-encoded values of spaces and quotes.

48
00:04:05,720 --> 00:04:06,800
So I'll send it.

49
00:04:08,990 --> 00:04:12,050
Netcat is here, under the bin directory.

50
00:04:13,110 --> 00:04:17,730
So now I'm going to use netcat to open a reverse shell on bee-box.

51
00:04:19,170 --> 00:04:20,640
I opened the Decoder tab.

52
00:04:21,850 --> 00:04:24,970
And I'm going to paste the netcat reverse shell here.

53
00:04:26,520 --> 00:04:32,250
Now, this line of commands will help us to communicate over another channel with bee-box.

54
00:04:33,440 --> 00:04:35,420
And encode as URL.

55
00:04:37,130 --> 00:04:38,810
Copy this long output.

56
00:04:41,700 --> 00:04:44,760
And paste it instead of this payload.

57
00:04:46,400 --> 00:04:53,360
And then, before sending the request, go over to the terminal and make sure that netcat is listening.

58
00:04:54,490 --> 00:04:59,140
And it can't listen without a port, so I'll add 4443.

59
00:05:00,130 --> 00:05:03,100
Then go back to Repeater and send.

60
00:05:05,280 --> 00:05:08,510
So as you can see, there's nothing on the right side.

61
00:05:10,680 --> 00:05:19,350
Because of the execution of the reverse shell commands, so go to the terminal, and here's a session.

62
00:05:20,210 --> 00:05:25,310
The box connects back to Kali, and you can type Linux commands now.

63
00:05:28,010 --> 00:05:31,310
uname -a: it is bee-box.

64
00:05:33,240 --> 00:05:35,930
So this type of shell is a little bit weird.

65
00:05:37,800 --> 00:05:42,810
So now, if you write this line of Python, you will get a shell like a bash shell.

66
00:05:44,870 --> 00:05:47,600
Yeah, I think it's good, so you can type some commands.

67
00:05:48,180 --> 00:05:49,520
Yeah, it is cool.

68
00:05:50,530 --> 00:05:55,480
So, OK, overall, that's how we use that PHP code injection.

69
00:05:56,840 --> 00:05:58,840
And also create a reverse shell.

