1
00:00:00,840 --> 00:00:06,660
All right, so we detected and exploited different types of SQL injection in the previous

2
00:00:06,660 --> 00:00:07,170
lessons.

3
00:00:08,230 --> 00:00:11,420
And we performed manual detection and exploitation.

4
00:00:12,160 --> 00:00:20,470
It really is important to get the idea behind an actual injection and I think we've, you know, covered

5
00:00:20,470 --> 00:00:20,950
it enough.

6
00:00:20,950 --> 00:00:26,740
So now I would like to introduce you to a wonderful tool.

7
00:00:27,990 --> 00:00:32,460
In the next three videos, we're going to cover sqlmap.

8
00:00:34,290 --> 00:00:40,110
But first, I want to start with some basic options, so I'm going to use this SQL injection page.

9
00:00:41,120 --> 00:00:43,080
And you can open it from the menu.

10
00:00:43,970 --> 00:00:47,300
It's a simple search over the HTTP GET method.

11
00:00:48,430 --> 00:00:53,740
You can type in something, search, and the typed input is in the URL, you can see.

12
00:00:55,570 --> 00:00:57,100
OK, so copy this URL.

13
00:00:59,170 --> 00:01:00,430
Then open your terminal.

14
00:01:01,920 --> 00:01:11,370
Now, sqlmap is a built-in and free open source tool in Kali and I think it's going to solve

15
00:01:11,370 --> 00:01:12,480
many problems.

16
00:01:13,500 --> 00:01:15,870
While you go along SQL injecting.

17
00:01:17,450 --> 00:01:21,110
So with -h, you can see basic options.

18
00:01:22,170 --> 00:01:26,820
And we're going to cover most of them, but the usage is quite simple.

19
00:01:28,770 --> 00:01:30,830
I think the developers did a very good job here.

20
00:01:32,570 --> 00:01:36,770
So it simplifies the detection as well as the exploitation.

21
00:01:38,240 --> 00:01:39,620
But wait, there's more.

22
00:01:41,240 --> 00:01:45,740
With -hh, you can view even more options.

23
00:01:46,970 --> 00:01:49,880
And in more advanced scenarios, you can use them here.

24
00:01:51,140 --> 00:01:59,930
So let's just stop right here and run it, so type in sqlmap -u and paste the URL here between

25
00:01:59,930 --> 00:02:00,710
the double quotes.

26
00:02:02,010 --> 00:02:03,660
So this is the target URL.

27
00:02:04,660 --> 00:02:08,980
Then -p title to specify the target parameter to test.

28
00:02:10,480 --> 00:02:14,200
And type --cookie to add cookies.

29
00:02:15,640 --> 00:02:22,570
Now, you may need a session value or something in a cookie, so you can provide it with this parameter.

30
00:02:24,270 --> 00:02:32,460
So go to Firefox now and open developer tools and go to the network tab, refresh the page.

31
00:02:34,500 --> 00:02:39,720
And click on a request and copy the value of the cookie header.

32
00:02:43,050 --> 00:02:44,090
Paste here.

33
00:02:46,440 --> 00:02:50,270
Then you can randomize the user agent with --random-agent.

34
00:02:51,760 --> 00:02:59,200
And the -H parameter will add a special HTTP header to the request sent by sqlmap.

35
00:03:00,350 --> 00:03:03,650
So I don't know if you can see it, but this is handy.

36
00:03:04,790 --> 00:03:05,360
Because.

37
00:03:06,560 --> 00:03:12,740
You may want to follow sqlmap requests in a log file or any security device.

38
00:03:14,240 --> 00:03:15,740
So I'm going to add this header.

39
00:03:16,860 --> 00:03:19,290
And with the --dbms parameter.

40
00:03:20,340 --> 00:03:24,090
You can point directly to the database management system of the back end.

41
00:03:26,110 --> 00:03:31,180
And also, you can specify the operating system with the --os parameter as well.

42
00:03:33,360 --> 00:03:36,450
Then -f for fingerprinting the database.

43
00:03:37,600 --> 00:03:40,660
-b, for banner information of the DBMS.

44
00:03:42,370 --> 00:03:45,580
And then add --current-user and --current-db.

45
00:03:47,070 --> 00:03:51,150
And check to see if the current user is a database administrator.

46
00:03:53,430 --> 00:04:00,720
OK, so now we've completed the sqlmap query, so I know it looks like a long one, but it's very

47
00:04:00,720 --> 00:04:01,320
clear.

48
00:04:02,370 --> 00:04:03,450
OK, hit enter.

49
00:04:05,730 --> 00:04:12,750
So it detects an injection and now if you accept it, it will try another type of SQL injection payload.

50
00:04:14,250 --> 00:04:22,860
So, look, it finds several others, the title parameter is vulnerable, and if you want other parameters

51
00:04:22,860 --> 00:04:24,510
to test, you can always answer Y.

52
00:04:25,290 --> 00:04:30,600
But you know, we don't need the others now and then.

53
00:04:30,600 --> 00:04:32,760
Let's see how it finalizes the execution.

54
00:04:34,710 --> 00:04:36,720
And now you can see the results here on the screen.

55
00:04:37,860 --> 00:04:42,340
And there happens to be a copy in this file.

56
00:04:42,990 --> 00:04:43,740
So let me show you.

57
00:04:45,210 --> 00:04:48,840
It's under the root directory in a hidden folder.

58
00:04:50,580 --> 00:04:51,900
So I'll open the log file.

59
00:04:52,770 --> 00:04:56,250
And here is the complete information about our finding.

60
00:04:57,910 --> 00:04:58,810
See the payloads.

61
00:04:59,940 --> 00:05:02,220
And the discovered information.

62
00:05:03,660 --> 00:05:05,340
OK, so go back to the terminal.

63
00:05:06,730 --> 00:05:07,990
Now, I'm going to run this one.

64
00:05:09,120 --> 00:05:12,180
--users is my parameter for getting the database users.

65
00:05:13,100 --> 00:05:17,540
And the --passwords parameter for passwords of the database users.

66
00:05:19,630 --> 00:05:22,360
You can also get their privileges and roles also.

67
00:05:23,820 --> 00:05:26,030
So I think the parameters are clear.

68
00:05:27,770 --> 00:05:33,570
It gathers users, then passwords, and then it can even crack the hashes for you.

69
00:05:33,620 --> 00:05:36,770
So accept it by hitting enter.

70
00:05:38,440 --> 00:05:39,280
Choose one.

71
00:05:40,810 --> 00:05:41,620
And no.

72
00:05:42,980 --> 00:05:46,970
Then we'll try to crack the hashes with its own dictionary file.

73
00:05:49,770 --> 00:05:51,600
OK, the execution is finalized.

74
00:05:53,460 --> 00:05:54,960
So go ahead and open the log file.

75
00:05:57,040 --> 00:05:59,920
And here's the output of this second query.

76
00:06:01,340 --> 00:06:07,870
The payloads and the users are here, passwords and the hashes are here, then the privileges show up.

77
00:06:09,050 --> 00:06:13,980
Scrolling down, and here are the database users' roles.

78
00:06:14,960 --> 00:06:16,880
OK, so go back to the terminal.

79
00:06:18,280 --> 00:06:20,370
And now let's use this query.

80
00:06:22,090 --> 00:06:29,440
It will get all the databases with --dbs and enumerate all the information about them with --schema.

81
00:06:30,950 --> 00:06:33,260
It will bring in everything about the databases.

82
00:06:34,310 --> 00:06:37,070
And of course, the output is very long.

83
00:06:39,230 --> 00:06:40,850
And you can analyze it later.

84
00:06:41,980 --> 00:06:44,590
But this time, just delete the --schema parameter.

85
00:06:45,940 --> 00:06:47,490
That's the one that causes the long output.

86
00:06:48,910 --> 00:06:51,880
So here are the database names in the server.

87
00:06:53,810 --> 00:06:56,120
So now we can choose one of them with the -D parameter.

88
00:06:57,320 --> 00:07:00,090
And it lists the tables in it.

89
00:07:03,010 --> 00:07:08,500
OK, so now we can choose a table with the -T parameter and see the columns.

90
00:07:11,090 --> 00:07:14,030
And these are the columns of the users table.

91
00:07:16,320 --> 00:07:16,610
Great.

92
00:07:16,830 --> 00:07:23,760
So now we have the information about the database, the table and the columns, so we can pull the actual

93
00:07:23,760 --> 00:07:24,170
data.

94
00:07:25,380 --> 00:07:29,760
So just use the -C parameter and type the name of the column.

95
00:07:32,440 --> 00:07:33,490
Then simply --dump.

96
00:07:34,960 --> 00:07:37,720
And it runs quickly, so here's the result.

97
00:07:40,370 --> 00:07:43,280
And we kind of lead here.

98
00:07:44,260 --> 00:07:46,120
You can dump the whole table also.

99
00:07:47,950 --> 00:07:52,600
It'll detect the hashes again, so choose one and crack them.

100
00:07:54,720 --> 00:07:57,120
And thankfully, it cracked the hashes.

101
00:07:58,230 --> 00:08:02,940
And yeah, so here is the result. Perfectamundo.

102
00:08:04,580 --> 00:08:11,630
OK, now use this query, the --sql-shell parameter will open an SQL shell for you to run

103
00:08:11,990 --> 00:08:12,720
SQL statements.

104
00:08:13,430 --> 00:08:14,620
So this is very cool.

105
00:08:15,080 --> 00:08:17,210
You can run an SQL query here.

106
00:08:17,930 --> 00:08:21,170
So like, id, login from bWAPP users.

107
00:08:23,950 --> 00:08:25,440
No, something's wrong here.

108
00:08:26,980 --> 00:08:27,830
That's it there.

109
00:08:27,850 --> 00:08:32,890
I got to add a comma, so it's a really cool feature.

110
00:08:34,030 --> 00:08:35,080
OK, so go back.

111
00:08:36,910 --> 00:08:38,020
Now, use this query.

112
00:08:39,360 --> 00:08:45,870
And sqlmap provides reading and writing files, if possible, so you can read the magic file just like

113
00:08:45,870 --> 00:08:46,230
that.

114
00:08:48,580 --> 00:08:53,560
And now you can accept this to let sqlmap confirm the download.

115
00:08:54,600 --> 00:08:56,140
And the file is in this folder.

116
00:08:56,940 --> 00:08:57,720
Go ahead and check.

117
00:09:00,530 --> 00:09:02,510
OK, so now we can upload a file.

118
00:09:03,530 --> 00:09:05,570
But not also an innocent file.

119
00:09:06,970 --> 00:09:08,770
So I prepared a simple shell.

120
00:09:09,760 --> 00:09:15,010
And with the help of these two parameters, I can upload it to a destination on the server.

121
00:09:16,000 --> 00:09:17,440
And again, it wants to confirm.

122
00:09:19,020 --> 00:09:20,580
The file is not uploaded.

123
00:09:21,740 --> 00:09:29,060
You know, I think we don't have the right permission to do that to the directory, so let's just change

124
00:09:29,060 --> 00:09:29,660
it to this one.

125
00:09:32,660 --> 00:09:33,760
We can confirm again.

126
00:09:34,910 --> 00:09:42,170
And I think that uploads the file, so we'll add the command parameter like that.

127
00:09:43,640 --> 00:09:45,800
OK, so now we have a web shell.

128
00:09:46,990 --> 00:09:49,240
And we can run Linux commands.

129
00:09:51,130 --> 00:09:52,600
So go to the terminal.

130
00:09:53,780 --> 00:09:56,720
Now, instead of using the web shell, you can use this query.

131
00:09:58,420 --> 00:10:00,020
It will do almost the same thing that we did.

132
00:10:00,560 --> 00:10:02,840
It will upload a shell file to the server.

133
00:10:04,070 --> 00:10:07,850
OK, choose 4 and a writable directory.

134
00:10:08,830 --> 00:10:09,610
Type no.

135
00:10:10,700 --> 00:10:18,450
Choose 2 to provide the writable folder and type /www/bWAPP/documents.

136
00:10:22,590 --> 00:10:23,640
And yes.

137
00:10:25,050 --> 00:10:26,700
And here is the result of that command.

138
00:10:28,090 --> 00:10:32,950
Now, of course, for different operating system commands, you'll need to do all these things again.

139
00:10:34,740 --> 00:10:37,350
So actually, sqlmap has another parameter for this.

140
00:10:38,530 --> 00:10:46,720
So use this query and change it here to --os-shell, so choose 4 and no.

141
00:10:47,690 --> 00:10:55,430
Choose 2 to provide the writable folder and type /www/bWAPP/documents.

142
00:10:57,240 --> 00:10:59,520
OK, so we get the operating system shell.

143
00:11:01,470 --> 00:11:03,960
Now you can type the operating system commands.

144
00:11:05,730 --> 00:11:10,800
And it looks like it's a Linux server, so I'm going to be typing these ones.

145
00:11:12,580 --> 00:11:19,180
OK, so this is the basic usage of sqlmap, and it has been kind of a long lesson, but.

146
00:11:20,070 --> 00:11:27,960
In the next lessons we are going to dive more into, let's call them, advanced scenarios.
