[00:00:00] All right, so we detected and exploited different types of SQL injection in the previous lessons, and we performed manual detection and exploitation. It really is important to get the idea behind a SQL injection, and I think we've covered it enough. So now I would like to introduce you to a wonderful tool. In the next three videos, we're going to cover sqlmap.

[00:00:34] But first, I want to start with some basic options, so I'm going to use this SQL injection page, and you can open it from the menu. It's a simple search over the HTTP GET method. You can type in something to search, and the typed input is in the URL, as you can see. OK, so copy this URL, then open your terminal.

[00:01:01] Now, sqlmap is a built-in and free open source tool in Kali, and I think it's going to solve many problems while you go along SQL injecting. So with -h, you can see the basic options, and we're going to cover most of them, but the usage is quite simple. I think the developers did a very good job here. So it simplifies the detection as well as the exploitation. But wait, there's more. With -hh, you can view even more options, and in more advanced scenarios you can use them.
[00:01:51] So let's just stop right here and run it. So type in sqlmap -u and paste the URL here between the double quotes. So this is the target URL. Then -p title to specify the target parameter to test, and type --cookie to add cookies. Now, you may need a session value or something in a cookie, so you can provide it with this parameter. So go to Firefox now, open the developer tools, go to the network tab and refresh the page. Then click on a request and copy the value of the Cookie header. Paste it here.

[00:02:46] Then you can randomize the user agent with --random-agent. And the -H parameter will add a special HTTP header to the requests sent by sqlmap. So I don't know if you can see it, but this is handy, because you may want to follow sqlmap requests in a log file or any security device. So I'm going to add this header. And with the --dbms parameter you can point directly to the database management system of the back end. And also, you can specify the operating system with the --os parameter as well. Then -f for fingerprinting the database, -b for banner information of the DBMS, and then add --current-user and --current-db, and --is-dba to check whether the current user is a database administrator.
[00:03:53] OK, so now we've completed the sqlmap query. I know it looks like a long one, but it's very clear. OK, hit enter. So it detects an injection, and now if you accept it, it will try other types of SQL injection payloads. So, look, it finds several others. The title parameter is vulnerable, and if you want other parameters to test, you can always answer Y. But you know, we don't need the others now, so let's see how it finalizes the execution. And now you can see the results here on the screen, and there happens to be a copy in this file. So let me show you. It's under the root directory in a hidden folder. So I'll open the log file, and here is the complete information about our finding. See the payloads and the discovered information.

[00:05:03] OK, so go back to the terminal. Now, I'm going to run this one. --users is my parameter for getting the database users, and the --passwords parameter is for the passwords of the database users. You can also get their privileges and roles, too. So I think the parameters are clear. It gathers users, then passwords, and then it can even crack the hashes for you. So accept it by hitting enter. Choose one.
[00:05:40] And no. Then it will try to crack the hashes with its own dictionary file. OK, the execution is finalized. So go ahead and open the log file, and here's the output of this second query. The payloads and the users are here, the passwords and the hashes are here, then the privileges show up. Scrolling down, and here are the database users' roles. OK, so go back to the terminal.

[00:06:18] And now let's use this query. It will get all the databases with --dbs and enumerate all the information about them with --schema. It will bring in everything about the databases, and of course the output is very long, and you can analyze it later. But this time, just delete the --schema parameter. That's the one that causes the long output. So here are the database names on the server. So now we can choose one of them with the -D parameter, and it lists the tables in it. OK, so now we can choose a table with the -T parameter and see the columns. And these are the columns of the users table. Great. So now we have the information about the database, the table and the columns, so we can pull the actual data. So just use the -C parameter and type the name of the column. Then simply --dump.
[00:07:34] And it runs quickly, so here's the result. And we got the logins here. You can dump the whole table also. It'll detect the hashes again, so choose one and crack them. And thankfully, it cracked the hashes. And yeah, so here is the result. Perfectamundo.

[00:08:04] OK, now use this query. The --sql-shell parameter will open an SQL shell for you to run SQL statements. So this is very cool. You can run a SQL query here. So like, select login from bWAPP.users. No, something's wrong here. That's it there. I've got to add a comma. So it's a really cool feature. OK, so go back.

[00:08:36] Now, use this query. sqlmap provides reading and writing files, if possible, so you can read a file just like that. And now you can accept this to let sqlmap confirm the download. And the file is in this folder. Go ahead and check. OK, so now we can upload a file, but not an innocent file. So I prepared a simple shell, and with the help of these two parameters, I can upload it to a destination on the server. And again, it wants to confirm. The file is not uploaded.
[00:09:21] You know, I think we don't have the right permission to do that to the directory, so let's just change it to this one. We can confirm again. And I think that uploads the file, so we'll add the command parameter like that. OK, so now we have a web shell, and we can run Linux commands.

[00:09:51] So go to the terminal. Now, instead of using the web shell, you can use this query. It will do almost the same thing that we did. It will upload a shell file to the server. OK, choose 4 and a writable directory. Type no. Choose 2 to provide the writable folder and type /www/bWAPP/documents. And yes. And here is the result of that command. Now, of course, for different operating system commands, you'll need to do all these things again. So actually, sqlmap has another parameter for this. So use this query and change it here to --os-shell, so choose 4 and no. Choose 2 to provide the writable folder and type /www/bWAPP/documents. OK, so we get the operating system shell. Now you can type the operating system commands. And it looks like it's a Linux server, so I'm going to be typing these ones.
[00:11:12] OK, so this is the basic usage of sqlmap, and it has been kind of a long lesson, but in the next lessons we are going to dive more into, let's call them, advanced scenarios.