1
00:00:01,720 --> 00:00:05,680
sqlmap does a great job with every single SQL injection.

2
00:00:07,120 --> 00:00:12,850
So using its options, you can exploit many hard SQL injection vulnerabilities.

3
00:00:14,040 --> 00:00:17,460
So in this lesson, we're going to exploit such an injection.

4
00:00:18,930 --> 00:00:23,100
Now from the menu, open SQL Injection (Login Form/User).

5
00:00:24,150 --> 00:00:25,470
And this is a login form.

6
00:00:27,080 --> 00:00:30,380
And the developer wants to bypass this form.

7
00:00:31,410 --> 00:00:33,960
So it's the same as the Login Form/Hero.

8
00:00:35,270 --> 00:00:36,250
But the code is different.

9
00:00:37,620 --> 00:00:41,310
So when you enter a wrong login, it says "Invalid credentials".

10
00:00:42,190 --> 00:00:45,610
And if you type a single quote, you get an SQL error.

11
00:00:47,010 --> 00:00:50,610
And that's good, because that means that we can break the syntax.

12
00:00:52,260 --> 00:00:55,050
So now we need to find the best syntax to exploit.

13
00:00:56,790 --> 00:00:58,220
But it's not that easy.

14
00:00:59,270 --> 00:01:00,410
The answer's in the code.

15
00:01:01,540 --> 00:01:06,880
So open a terminal and view the sqli PHP file for this login form.

16
00:01:09,160 --> 00:01:10,930
These are the regular checks.

17
00:01:12,280 --> 00:01:15,970
So scroll down to the actual part, and here it is.

18
00:01:16,880 --> 00:01:25,100
The developer does a different thing here. On the Hero form, the developer checks the login and

19
00:01:25,100 --> 00:01:27,650
the password in the same query.

20
00:01:29,040 --> 00:01:31,020
But on this form, it's not the same.

21
00:01:32,030 --> 00:01:37,370
The developer hashes the password provided, then checks the login only.

22
00:01:38,940 --> 00:01:40,500
Now, if there is a suitable login,

23
00:01:41,930 --> 00:01:43,730
then it compares the hashes.

24
00:01:44,710 --> 00:01:52,210
And if the hashes match, the user is authenticated and the message is printed.

25
00:01:53,160 --> 00:01:57,000
Otherwise, an error message is sent to the page.

26
00:01:58,000 --> 00:01:58,480
So.

27
00:01:59,460 --> 00:02:06,780
We can even accomplish an injection over login, but we cannot see the output on the page. You know

28
00:02:06,780 --> 00:02:07,200
why, right?

29
00:02:08,190 --> 00:02:13,260
Because the extra check on the password hashes happens outside the query.

30
00:02:13,710 --> 00:02:15,450
OK, so go back to Firefox.

31
00:02:16,930 --> 00:02:21,730
Refresh the page for a clean view, then enable FoxyProxy.

32
00:02:22,950 --> 00:02:26,610
Now type something in the login field and go to Burp.

33
00:02:28,420 --> 00:02:29,890
So the request is here.

34
00:02:31,520 --> 00:02:33,410
OK, copy the request to a file.

35
00:02:35,150 --> 00:02:36,110
And save it.

36
00:02:37,530 --> 00:02:38,880
You can then let it go.

37
00:02:40,280 --> 00:02:43,300
We are done with Burp, so open a terminal again.

38
00:02:44,780 --> 00:02:50,960
And then type sqlmap -r to point to the saved request file.

39
00:02:52,050 --> 00:02:55,620
-p login, to test the login parameter in the request.

40
00:02:57,440 --> 00:03:01,900
Of course, you can add the -H parameter for special HTTP headers.

41
00:03:04,880 --> 00:03:11,030
sqlmap will read the file and fuzz the login parameter in the request.

42
00:03:12,260 --> 00:03:17,390
Now, it will send exactly the same request in the file, adding the special characters.

43
00:03:18,770 --> 00:03:20,210
OK, then hit Enter.

44
00:03:21,480 --> 00:03:24,130
It detects an injection for MySQL.

45
00:03:24,150 --> 00:03:24,480
Well.

46
00:03:26,030 --> 00:03:32,720
And now, because we didn't provide the --dbms parameter, it asks this question. You know the answer.

47
00:03:34,090 --> 00:03:37,540
There's no need to test for other DBMSes.

48
00:03:38,530 --> 00:03:41,980
A new question: of course, test for other types.

49
00:03:44,970 --> 00:03:48,000
So it finds different types of SQL injections.

50
00:03:49,260 --> 00:03:58,470
So accept this, accept this as well, no, don't test for others. OK, it's finalized: sqlmap

51
00:03:58,470 --> 00:04:01,290
detects three types of SQL injection.

52
00:04:02,420 --> 00:04:03,500
So we can go with one of them.

53
00:04:04,790 --> 00:04:10,220
So just use the same query and add --technique as a parameter.

54
00:04:11,690 --> 00:04:15,200
Type E, for error-based SQL injection.

55
00:04:16,360 --> 00:04:17,680
And there's the result.

56
00:04:20,060 --> 00:04:22,640
So now we can use some other parameters.

57
00:04:23,710 --> 00:04:26,440
Fingerprint and banner information.

58
00:04:29,300 --> 00:04:30,770
Boy, it executes quickly.

59
00:04:32,380 --> 00:04:37,690
So the point here is sqlmap uses error-based techniques to get this data.

60
00:04:38,910 --> 00:04:47,910
But if we did it manually, believe you me, it would be mind-blowing, mind-numbing perhaps. Anyway,

61
00:04:47,910 --> 00:04:53,220
the rest of the options you're going to want to use will be done with this technique.

62
00:04:53,220 --> 00:04:56,370
So get the current database and the user.

63
00:04:57,710 --> 00:04:59,300
And the result is here.

64
00:05:00,720 --> 00:05:07,470
So I hope you can see as well that sqlmap provides us a superb user experience.

