1
00:00:01,350 --> 00:00:02,610
SQL injection.

2
00:00:03,720 --> 00:00:09,690
So SQL injection is the most famous and perhaps the oldest Web application attack.

3
00:00:11,350 --> 00:00:14,500
It is an absolute nightmare for data-driven applications.

4
00:00:15,580 --> 00:00:24,430
So let me talk to you a little bit about it. Thanks to Web 2.0, users can interact with applications

5
00:00:24,430 --> 00:00:26,000
in different ways, right?

6
00:00:26,860 --> 00:00:32,620
And applications can use user-supplied data to perform any task on the back end, such as selecting,

7
00:00:32,620 --> 00:00:34,990
deleting, updating and so on and so forth.

8
00:00:35,800 --> 00:00:41,290
So if users provide valid and secure data, right, there's no problem.

9
00:00:42,250 --> 00:00:46,870
But what if users try to inject code instead of data?

10
00:00:48,210 --> 00:00:56,220
So actually, this is a huge problem for Web applications, because they can confuse

11
00:00:56,220 --> 00:00:57,540
valid data and code.

12
00:00:59,240 --> 00:01:03,950
So that's why they need to differentiate between valid and invalid data.

13
00:01:05,080 --> 00:01:12,670
So SQL injection arises when the user or pen tester injects a SQL statement into data

14
00:01:12,670 --> 00:01:13,750
that's sent to the server.

15
00:01:15,320 --> 00:01:22,100
And then if there's no sanitization, escaping or any other security solution, the injected data can run

16
00:01:22,100 --> 00:01:23,180
on a database server.

17
00:01:24,980 --> 00:01:28,820
So the result of this execution will be sent back.

18
00:01:30,090 --> 00:01:36,360
And then lastly, the Web server processes the query result, prepares the response and sends it back

19
00:01:36,360 --> 00:01:37,050
to the user.

20
00:01:38,480 --> 00:01:42,220
OK, so that's how a basic SQL injection works.

21
00:01:43,740 --> 00:01:49,530
But by performing this task, one can easily read and manipulate sensitive information that's stored

22
00:01:49,530 --> 00:01:50,180
in the database.

23
00:01:51,320 --> 00:01:57,230
So here we're not just talking about the data being, like, on fire, but it's like the whole system

24
00:01:57,230 --> 00:02:06,040
is in danger because database servers are allowed to use and issue operating system commands.

25
00:02:06,890 --> 00:02:11,990
And if they're not configured properly, the pen tester or the attacker can even gain access to the

26
00:02:11,990 --> 00:02:12,920
entire system.

27
00:02:14,690 --> 00:02:21,620
So anyway, we can divide SQL injections into three classes based on the extraction of data.

28
00:02:23,200 --> 00:02:23,980
In-band.

29
00:02:25,320 --> 00:02:31,920
So this is the most straightforward injection attack, in which retrieved data is presented directly in

30
00:02:31,920 --> 00:02:32,550
a Web page.

31
00:02:33,770 --> 00:02:35,870
Inferential or blind.

32
00:02:37,430 --> 00:02:44,600
So in this type, there's no actual data transfer, but the tester is able to reconstruct the information

33
00:02:44,600 --> 00:02:50,990
by sending particular requests and then observing the resulting behavior of the database server.

34
00:02:52,170 --> 00:02:53,190
Out-of-band.

35
00:02:54,060 --> 00:02:59,910
Data is retrieved using a different channel, such as an email with the result of the injected

36
00:02:59,910 --> 00:03:00,300
code.

37
00:03:01,470 --> 00:03:05,940
So now we also have five techniques to exploit SQL injections.

38
00:03:07,310 --> 00:03:13,580
The UNION operator can be used when the SQL injection flaw happens in a SELECT statement.

39
00:03:15,310 --> 00:03:20,710
And it makes it possible to combine two or more queries into a single result set.

40
00:03:22,900 --> 00:03:29,020
The boolean technique: so we can use boolean conditions to verify whether certain conditions are

41
00:03:29,020 --> 00:03:29,890
true or false.

42
00:03:32,100 --> 00:03:38,490
The error-based technique forces the database to generate an error, giving the attacker or tester information

43
00:03:38,760 --> 00:03:41,640
upon which to refine their injection.

44
00:03:43,310 --> 00:03:48,650
The out-of-band technique is used to retrieve data using a different channel.

45
00:03:50,540 --> 00:03:52,490
And time delay techniques.

46
00:03:53,840 --> 00:04:01,280
Time delay techniques use database commands to delay answers in conditional queries, so it's very

47
00:04:01,280 --> 00:04:06,500
useful when an attacker doesn't have some kind of result immediately from the application.

48
00:04:07,630 --> 00:04:09,700
OK, so now let's examine some of them.

49
00:04:11,680 --> 00:04:14,140
So open up Kali and go to bWAPP.

50
00:04:15,410 --> 00:04:21,700
Hover over the drop-down menu; there are several types and aspects of SQL injection in bWAPP.

51
00:04:23,150 --> 00:04:26,210
Choose SQL Injection (POST/Search).

52
00:04:28,370 --> 00:04:34,640
OK, so there's a simple search box here, so write in a Marvel movie and search.

53
00:04:36,400 --> 00:04:38,740
And it will bring the result into a table.

54
00:04:40,020 --> 00:04:45,870
OK, so now enable FoxyProxy and then type something in and search.

55
00:04:47,580 --> 00:04:50,310
Go to Burp, and here's the request.

56
00:04:51,660 --> 00:04:56,160
It sends data over POST, and the POST parameters are here.

57
00:04:57,580 --> 00:04:58,030
OK.

58
00:04:58,240 --> 00:04:58,740
Forward.

59
00:05:00,090 --> 00:05:01,800
And here comes the response.

60
00:05:03,270 --> 00:05:05,340
The returned data is in a table.

61
00:05:06,620 --> 00:05:08,650
So we're going to play with the request later.

62
00:05:09,730 --> 00:05:11,590
So now open a terminal.

63
00:05:12,840 --> 00:05:16,980
And view the page sqli_6.php.

64
00:05:18,200 --> 00:05:22,100
Now, according to levels, there are security checks.

65
00:05:23,590 --> 00:05:28,750
So we're going to view each of these functions after this file, so we'll scroll down.

66
00:05:30,520 --> 00:05:35,740
Now, this is the actual statement to perform search operations on the database table.

67
00:05:37,270 --> 00:05:41,400
And below is the code that helps to display the data.

68
00:05:42,440 --> 00:05:46,580
So exit and go to the functions file.

69
00:05:47,820 --> 00:05:52,800
The check_1 function adds slashes to the data provided by the user.

70
00:05:54,750 --> 00:05:58,140
And of course, we have also seen that function before.

71
00:05:59,930 --> 00:06:05,660
And the check_2 function uses a built-in function to escape SQL-related reserved characters

72
00:06:06,380 --> 00:06:08,180
such as the double quote.

73
00:06:10,040 --> 00:06:12,590
OK, so go back and open up Chrome.

74
00:06:13,770 --> 00:06:22,650
And I'm going to open up phpMyAdmin, choose the movies table and open the SQL tab, and I'm going to

75
00:06:22,700 --> 00:06:25,590
paste the SQL statement used in the page here.

76
00:06:27,130 --> 00:06:29,740
So this is the syntax.

77
00:06:30,890 --> 00:06:32,090
I'm just going to clear it.

78
00:06:35,720 --> 00:06:40,610
And this is the full SQL statement to perform this search.

79
00:06:42,370 --> 00:06:46,810
And SQL injection happens by injecting into this statement.

80
00:06:47,950 --> 00:06:49,200
So let's type something here.

81
00:06:50,900 --> 00:06:54,110
And here is the result, one line of data.

82
00:06:57,580 --> 00:07:00,010
So what happens if you add a single quote?

83
00:07:02,140 --> 00:07:08,980
OK, so you get an error because single quotes are special characters to SQL.

84
00:07:10,760 --> 00:07:15,890
And the first two of them are paired, but the last one is not.

85
00:07:17,370 --> 00:07:19,920
And it confuses MySQL.

86
00:07:21,350 --> 00:07:29,300
So now what happens if you add a hash symbol here, hash or pound, whatever? It will execute with no errors

87
00:07:30,080 --> 00:07:34,220
because the hash character is also reserved for MySQL.

88
00:07:35,590 --> 00:07:39,130
The hash is used to comment out the text in a line, as you can see here.

89
00:07:40,890 --> 00:07:44,810
So I think that gives you a pretty good example of how SQL injection works.

90
00:07:46,120 --> 00:07:51,130
So now you can do the same thing on the bWAPP page, put in a single quote.

91
00:07:52,760 --> 00:07:53,660
You get an error.

92
00:07:55,110 --> 00:07:56,040
Put in a hash.

93
00:07:58,080 --> 00:07:58,810
No errors.

94
00:08:00,180 --> 00:08:02,700
So that also means that you can execute SQL.

95
00:08:04,270 --> 00:08:08,470
So now let's write some smart queries to get data from MySQL.

96
00:08:08,500 --> 00:08:08,860
Well.

97
00:08:09,910 --> 00:08:11,500
And ORDER BY 10.

98
00:08:12,660 --> 00:08:17,490
And by the way, ORDER BY 10 will order the result by the tenth column.

99
00:08:18,830 --> 00:08:21,830
And if there is no tenth column, then you'll get an error.

100
00:08:23,330 --> 00:08:24,500
As you can see here.

101
00:08:26,230 --> 00:08:31,120
So that way you can discover the number of columns in a result set.

102
00:08:32,610 --> 00:08:34,260
OK, so it's not 10.

103
00:08:37,970 --> 00:08:38,810
But it's seven.

104
00:08:39,900 --> 00:08:42,630
So seven columns are in the result.

105
00:08:43,660 --> 00:08:46,240
But only five of them are shown on the page.

106
00:08:47,260 --> 00:08:52,960
So now we can use the UNION operator to merge our own SELECT query.

107
00:08:54,550 --> 00:09:00,970
So I'll write this in to see which columns are displayed on the page, and here's the result: second,

108
00:09:00,970 --> 00:09:03,310
third, fourth and fifth columns.

109
00:09:05,260 --> 00:09:10,870
So, instead of these numbers, we can use SQL statements and functions to pull data from

110
00:09:10,870 --> 00:09:11,740
the database server.

111
00:09:12,640 --> 00:09:15,340
Now, I'm going to paste this payload to find these values.

112
00:09:17,460 --> 00:09:24,270
And the version of the database, the current user of the database and the current database.

113
00:09:26,870 --> 00:09:33,050
In a SQL injection process, you extract data step by step.

114
00:09:33,860 --> 00:09:40,190
So first you get the version of the database, then the name of the user, and then the current database.

115
00:09:41,290 --> 00:09:45,580
Then you can pull data through databases, tables and columns.

116
00:09:46,680 --> 00:09:48,980
So that's the way we're going to do it.

117
00:09:50,760 --> 00:09:56,550
OK, now with this payload, discover the database names on this server.

118
00:09:58,060 --> 00:10:01,570
And here are the databases and their properties.

119
00:10:03,420 --> 00:10:05,930
So the target database is bWAPP.

120
00:10:07,660 --> 00:10:10,990
And paste this payload to see the tables of bWAPP.

121
00:10:12,170 --> 00:10:14,240
And here it has five tables.

122
00:10:16,850 --> 00:10:20,450
So here now you can see the row numbers of the tables.

123
00:10:22,210 --> 00:10:26,620
And this is where you get to choose a table to target.

124
00:10:27,730 --> 00:10:30,220
So I'm going to get the columns of the movies table.

125
00:10:31,440 --> 00:10:32,730
So here are the column names.

126
00:10:34,160 --> 00:10:38,060
All right, so now we can pull data from this table.

127
00:10:40,110 --> 00:10:41,400
Write this payload.

128
00:10:43,220 --> 00:10:45,350
And we'll put data in the first column.

129
00:10:48,240 --> 00:10:55,610
All right, yeah, in this scenario, there's no crucial or important information in this table,

130
00:10:56,310 --> 00:10:56,700
but.

131
00:10:57,770 --> 00:11:01,940
Just think of it as being able to execute SQL statements.

132
00:11:02,890 --> 00:11:09,010
So then you can get, well, almost everything from a database that the current connection user has rights to.

133
00:11:11,270 --> 00:11:13,100
So in this example, we can do all of that.

134
00:11:14,290 --> 00:11:18,730
For instance, we could get MySQL users and their hashes with this payload.

135
00:11:20,320 --> 00:11:22,760
And you can always crack the hashes later.

136
00:11:23,560 --> 00:11:30,700
Now, remember earlier I was saying database systems generally have the capacity to execute operating

137
00:11:30,700 --> 00:11:32,050
system level commands.

138
00:11:33,050 --> 00:11:38,720
So that means that you could possibly, if you were so inclined, run such a task.

139
00:11:41,040 --> 00:11:46,920
OK, so I'll say that, for instance, you can view files on the system.

140
00:11:48,200 --> 00:11:52,550
Right, so the password file can be loaded onto this page with this payload.

141
00:11:54,560 --> 00:11:57,920
Now, I think you'll remember the content of the password file.

142
00:11:59,370 --> 00:12:03,930
You can also upload files to the server, actually to the database server.

143
00:12:05,430 --> 00:12:12,570
But you do have to bear in mind that your connected user should also have the rights and permissions

144
00:12:12,570 --> 00:12:16,020
in order to be able to write data to a directory on the server.

145
00:12:17,550 --> 00:12:22,290
So I'm going to upload a sample shell to the bWAPP directory.

146
00:12:23,450 --> 00:12:24,170
But I can't.

147
00:12:25,500 --> 00:12:30,840
So I need to find a particular folder, to see if it exists.

148
00:12:32,110 --> 00:12:37,990
And let's see if I can find the documents folder, so paste the payload and search.

149
00:12:39,190 --> 00:12:41,140
And yes, we uploaded the shell.

150
00:12:42,410 --> 00:12:49,160
Actually, it's not a regular upload; we just wrote some data to a file on the server, that's all.

151
00:12:50,590 --> 00:12:55,270
And I write a simple PHP shell like we used before.

152
00:12:56,580 --> 00:12:58,950
And now let's see if we can run some commands.

153
00:12:59,950 --> 00:13:05,320
Go to the documents folder from the URL and call shell.php.

154
00:13:06,570 --> 00:13:10,380
And add cmd as a parameter with a Linux command.

155
00:13:12,030 --> 00:13:14,850
And here is the result.

156
00:13:16,700 --> 00:13:19,360
Of course, you can change the commands: whoami,

157
00:13:21,890 --> 00:13:23,180
which nc.

158
00:13:24,900 --> 00:13:28,050
I want a different shell, a netcat shell.

159
00:13:29,960 --> 00:13:38,420
All right, so now I'm going to listen on the terminal with netcat on port 4443, OK?

160
00:13:39,850 --> 00:13:44,320
Now, I'm going to paste this one-line netcat reverse shell.

161
00:13:46,130 --> 00:13:47,120
And hit enter.

162
00:13:48,860 --> 00:13:51,200
All right, so you see the response doesn't show up.

163
00:13:52,120 --> 00:13:56,160
So I think it works, and, yeah, it works.

164
00:13:57,090 --> 00:13:59,430
bee-box connects to the port on Kali.

165
00:14:00,950 --> 00:14:02,930
And you can run Linux commands now.

166
00:14:04,450 --> 00:14:08,260
And run this Python code to get a bash-style shell.

167
00:14:10,920 --> 00:14:15,300
OK, so we got a full shell from a simple SQL injection.

168
00:14:16,510 --> 00:14:22,060
So the rest is up to you and your imagination, and now we're going to look at some different examples.

