1
00:00:00,790 --> 00:00:07,480
So let's say that in a reconnaissance phase, while extracting directory structures, we detect a Drupal

2
00:00:07,490 --> 00:00:07,940
folder.

3
00:00:08,530 --> 00:00:11,380
So we need to dig into that folder also.

4
00:00:12,370 --> 00:00:15,880
And we can do many things at this point with Drupal.

5
00:00:17,070 --> 00:00:19,900
But I want to focus on a known vulnerability.

6
00:00:20,340 --> 00:00:22,260
It's called Drupalgeddon.

7
00:00:23,690 --> 00:00:31,850
So when it was first announced, I saw many web apps vulnerable to it, so here my point is you need

8
00:00:31,850 --> 00:00:36,020
to understand that there are known vulnerabilities out there.

9
00:00:36,020 --> 00:00:42,950
You need to look for known vulnerabilities by using an automated scanner or with your own script.

10
00:00:43,790 --> 00:00:44,570
That also.

11
00:00:45,560 --> 00:00:49,280
You should also go after any information that you detect.

12
00:00:50,760 --> 00:00:54,640
But in any event, let's exploit this vulnerability.

13
00:00:55,620 --> 00:00:57,270
So first we need to discover it.

14
00:00:58,510 --> 00:01:04,450
Now, because it's a Drupal installation, we need the version information in order to detect it.

15
00:01:05,350 --> 00:01:13,450
And to detect the version there will be several ways, but the best is looking for predefined

16
00:01:13,450 --> 00:01:16,190
files on the Drupal installation.

17
00:01:16,990 --> 00:01:20,740
So you're going to see a bunch of them in a Drupal folder like that.

18
00:01:22,690 --> 00:01:25,900
So type CHANGELOG.txt.

19
00:01:27,570 --> 00:01:29,880
And it's an innocent enough file, don't you think?

20
00:01:30,990 --> 00:01:33,390
But here we get the version information.

21
00:01:34,420 --> 00:01:40,330
The first release of the Drupalgeddon attack affected versions under 7.32.

22
00:01:41,910 --> 00:01:45,360
So, yeah, this version of Drupal on bee-box is vulnerable.

23
00:01:46,700 --> 00:01:50,270
So the next thing is finding the exploitation code.

24
00:01:51,490 --> 00:01:56,200
OK, so now I would like to introduce you to exploit-db.com.

25
00:01:57,720 --> 00:02:04,260
The Exploit Database is a wonderful web application, it holds lots of exploitation codes and payloads

26
00:02:04,650 --> 00:02:05,940
for vulnerabilities.

27
00:02:06,710 --> 00:02:09,840
And again, it is run by Offensive Security.

28
00:02:11,270 --> 00:02:14,120
And it gives you a search interface.

29
00:02:15,310 --> 00:02:19,600
So you can check Verified for verified exploits.

30
00:02:20,990 --> 00:02:27,680
And I already wrote Drupal in the search box and the exploits related to Drupal are listed right before

31
00:02:27,680 --> 00:02:27,920
you.

32
00:02:28,730 --> 00:02:30,350
So there are three pages.

33
00:02:31,100 --> 00:02:32,970
You're going to examine them if you wish.

34
00:02:33,830 --> 00:02:38,000
And generally, you can see more than one exploit for a particular vulnerability.

35
00:02:39,660 --> 00:02:42,830
But as I said, choose whichever one works best for yourself.

36
00:02:44,010 --> 00:02:48,690
So it's the same for Drupalgeddon also, and I'm going to use this one.

37
00:02:50,290 --> 00:02:53,050
So you can also see here the content of the exploit code.

38
00:02:55,440 --> 00:02:56,730
Just download it and save it.

39
00:02:59,810 --> 00:03:01,780
And here it is in my download folder.

40
00:03:04,450 --> 00:03:08,700
Now, before downloading and running exploit codes, though, you really should examine them.

41
00:03:09,960 --> 00:03:12,770
I mean, maybe they're malicious for your system, right?

42
00:03:15,110 --> 00:03:17,540
And also, they may need to be modified.

43
00:03:18,830 --> 00:03:20,000
So let's view it.

44
00:03:22,360 --> 00:03:30,160
And it is coded in PHP, so I'm going to change it here to the web address of bee-box.

45
00:03:31,450 --> 00:03:35,830
And for the purpose of this course, I'm going to change this here to seven.

46
00:03:36,780 --> 00:03:39,540
You don't need to. Then save the file.

47
00:03:41,050 --> 00:03:49,390
And before execution, I will show you Drupal users, so I've logged into phpMyAdmin.

48
00:03:52,750 --> 00:03:56,260
And browse the users table under the Drupal database.

49
00:03:57,400 --> 00:03:58,990
And here are the Drupal users.

50
00:04:01,280 --> 00:04:04,640
Now, what will the downloaded exploit do?

51
00:04:06,060 --> 00:04:11,460
It will change the name and password of the seventh user to admin.

52
00:04:13,310 --> 00:04:15,020
OK, go back to terminal.

53
00:04:16,460 --> 00:04:17,770
And run it like that.

54
00:04:20,080 --> 00:04:23,660
And it's already happened, so we updated the user information.

55
00:04:24,130 --> 00:04:29,010
So now go back to Chrome, refresh, browse the users table again.

56
00:04:31,330 --> 00:04:33,850
And here is the updated user information.

57
00:04:34,960 --> 00:04:35,690
What do you think?

58
00:04:36,640 --> 00:04:38,350
So let's open Firefox.

59
00:04:40,430 --> 00:04:42,590
Log in with the admin user.

60
00:04:45,030 --> 00:04:48,180
Congratulations, you exploited the vulnerability.

61
00:04:49,410 --> 00:04:52,260
So now you're in the Drupal interface.

62
00:04:53,340 --> 00:05:00,750
And we can go on more to understand how this attack happens, so click the admin button and edit.

63
00:05:02,360 --> 00:05:04,610
So this is the user information page.

64
00:05:05,900 --> 00:05:08,090
OK, so open the web developer tool.

65
00:05:09,450 --> 00:05:11,430
And pick the password element here.

66
00:05:13,010 --> 00:05:19,190
Then look at the HTML code, the name attribute has an array style value.

67
00:05:20,470 --> 00:05:26,200
Then pick the confirm password element, it also has an array style name value.

68
00:05:27,230 --> 00:05:28,910
So let's fill in the form.

69
00:05:29,790 --> 00:05:31,470
And enable FoxyProxy.

70
00:05:33,150 --> 00:05:35,490
Then save and go back to Burp.

71
00:05:38,120 --> 00:05:40,610
And the request will look like that.

72
00:05:42,800 --> 00:05:44,510
And here are the password fields.

73
00:05:45,950 --> 00:05:48,740
And they have array style values.

74
00:05:50,090 --> 00:05:54,770
So let the request go, OK, go to Firefox and log out.

75
00:05:58,550 --> 00:06:00,670
Disable FoxyProxy as well.

76
00:06:02,130 --> 00:06:06,300
And one more time, open up the web developer.

77
00:06:07,260 --> 00:06:08,190
Pick this element.

78
00:06:10,200 --> 00:06:11,130
Right click on it.

79
00:06:12,380 --> 00:06:14,180
Edit this HTML.

80
00:06:15,670 --> 00:06:18,550
Now copy this line and paste it below.

81
00:06:22,570 --> 00:06:23,710
Put a zero here.

82
00:06:25,940 --> 00:06:29,960
And then add this payload instead of the name attribute.

83
00:06:31,860 --> 00:06:37,170
And this payload will update the first user and his password to admin.

84
00:06:39,440 --> 00:06:42,500
OK, then, so now I'm going to delete the admin user.

85
00:06:44,670 --> 00:06:47,640
It doesn't allow two admin users.

86
00:06:49,310 --> 00:06:52,430
So we can fill in the fields with some junk data.

87
00:06:56,470 --> 00:06:58,120
And enable FoxyProxy.

88
00:06:59,490 --> 00:07:00,330
Then log in.

89
00:07:01,890 --> 00:07:05,280
And this login request included our payload.

90
00:07:06,630 --> 00:07:09,110
And there's nothing more to change, so let it go.

91
00:07:11,240 --> 00:07:14,630
Now open Chrome and refresh the page.

92
00:07:15,790 --> 00:07:18,970
And now the content of the users table is here.

93
00:07:20,620 --> 00:07:22,000
So look at the first line.

94
00:07:23,120 --> 00:07:26,360
The user with ID one is changed to admin.

95
00:07:27,570 --> 00:07:30,360
So now we can log in with this user as well.

96
00:07:31,760 --> 00:07:37,940
And the last thing we can do for now is view the vulnerable code.

97
00:07:39,520 --> 00:07:46,600
But this function does not check the inputs, but you know what, I know you know how to do it, so

98
00:07:46,600 --> 00:07:47,450
I'll leave it for you.

99
00:07:47,470 --> 00:07:48,090
Go for it.

