Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:
1
00:00:12,220 --> 00:00:15,140
Hey, guys, welcome back to another episode on How to Hack.
2
00:00:15,550 --> 00:00:20,650
So today we'll be discussing again about reverse engineering, a mobile application and looking into
3
00:00:20,650 --> 00:00:27,010
the source code to be able to find out more information about the application and sometimes even being
4
00:00:27,010 --> 00:00:31,930
able to get the username, password, credit card details and all these different details.
5
00:00:32,560 --> 00:00:36,340
So over here on the left side, I have a mobile phone running.
6
00:00:36,370 --> 00:00:39,700
And what we can do is we can open up this particular application.
7
00:00:40,120 --> 00:00:46,060
So we actually have this app called Devar that has been installed on duty, mobile phone, so I can
8
00:00:46,060 --> 00:00:47,110
go ahead and open it up.
9
00:00:48,010 --> 00:00:51,870
So once I open it up over here, we have input validation issues, button one.
10
00:00:52,330 --> 00:00:56,440
So of course, this is part of a mobile application penetration testing series.
11
00:00:56,830 --> 00:01:02,800
And of course, clicking on to input validation issues, Part one will be able to enter a specific name
12
00:01:02,800 --> 00:01:03,530
to search for it.
13
00:01:03,970 --> 00:01:10,120
So from the previous video, we actually went through how we could actually do a sequel injection directly
14
00:01:10,120 --> 00:01:10,860
into the system.
15
00:01:10,870 --> 00:01:17,380
So, for example, over here I can actually use a magnifier so it is easier for you to see.
16
00:01:18,050 --> 00:01:23,500
So of course, from the objective, we can see that we are trying to access to user data without knowing
17
00:01:23,500 --> 00:01:24,510
any of the user name.
18
00:01:24,820 --> 00:01:29,710
And of course, the user provided a hint for us to learn about mobile application penetration testing
19
00:01:30,160 --> 00:01:32,050
directly again, this mobile application.
20
00:01:32,200 --> 00:01:34,470
So, of course, we can go ahead and enter the user name.
21
00:01:34,630 --> 00:01:38,080
So in our case that we can enter, for example, Atman.
22
00:01:39,700 --> 00:01:45,550
So once I hit Etman, I can go ahead and click on Search and we'll be able to look at the username,
23
00:01:45,550 --> 00:01:47,230
password and credit card details.
24
00:01:47,500 --> 00:01:53,260
So of course, from the previous video, we actually learn about putting SQL injection into the mobile
25
00:01:53,260 --> 00:01:56,290
application in order to gain access into the data.
26
00:01:56,470 --> 00:02:01,980
So in our case, I can enter, for example, single quote or one equal one followed by semicolon.
27
00:02:02,380 --> 00:02:08,890
So I go ahead and click on Search and it will review to us all of those usernames, passwords and all
28
00:02:08,890 --> 00:02:11,230
those data directly inside the system.
29
00:02:11,770 --> 00:02:14,530
OK, so that is provided.
30
00:02:14,560 --> 00:02:21,580
The input query is subjective and vulnerable to SQL injection, but what if the mobile application is
31
00:02:21,580 --> 00:02:24,030
not vulnerable to sequel injection?
32
00:02:24,040 --> 00:02:28,210
So what we will need to do is to reverse engineer the mobile application.
33
00:02:28,840 --> 00:02:29,880
So on the right site.
34
00:02:29,920 --> 00:02:32,570
So as recommended on the members only video.
35
00:02:32,590 --> 00:02:39,730
So under decs tools we actually learn about how we could actually break down the apk fall into our fall
36
00:02:39,730 --> 00:02:41,480
and be able to view into the source code.
37
00:02:41,950 --> 00:02:49,180
So what we can do now is to actually go ahead and use the function to help us do the conversion of the
38
00:02:49,360 --> 00:02:54,420
file so D to J dash decks to JRA.
39
00:02:55,180 --> 00:02:58,720
So there's also a S.H. for you if you're on Linux system.
40
00:02:58,720 --> 00:03:02,120
So all you got to do is enter the APK file.
41
00:03:02,140 --> 00:03:06,950
So in our case we got Devar Dash Beta apk so go ahead and hit enter on deck.
42
00:03:07,780 --> 00:03:08,140
All right.
43
00:03:08,150 --> 00:03:09,790
So we can use a double dash force.
44
00:03:12,760 --> 00:03:15,980
And he'd enter a net, so that will begin the conversion process.
45
00:03:16,420 --> 00:03:22,530
So once the conversion process is complete, it will be able to get a fall as being specified over here.
46
00:03:22,960 --> 00:03:27,040
So we got Devar Dash beta dash decks to J.R..
47
00:03:27,640 --> 00:03:32,150
J.R., so go back into the folder and scroll all the way down.
48
00:03:32,320 --> 00:03:35,070
And of course, over here we have a number of tutorials for you.
49
00:03:35,410 --> 00:03:44,100
So we are going to learn more about ops go droit, especially in terms of the Falgoust as well as financial.
50
00:03:44,350 --> 00:03:46,800
OK, so we'll be going through those details later on.
51
00:03:47,650 --> 00:03:50,770
And what we can see over here is that we have over here to follow.
52
00:03:50,970 --> 00:03:51,220
All right.
53
00:03:51,220 --> 00:03:55,330
So we got Devar Desh, Beitar Desh decks to J.R., J.R..
54
00:03:55,330 --> 00:03:56,290
So this is the fall.
55
00:03:56,710 --> 00:04:01,510
And we have also downloaded as part of our previous video, one of the previous videos about mobile
56
00:04:01,510 --> 00:04:03,000
application penetration testing.
57
00:04:03,370 --> 00:04:06,990
So we actually have jadi guey so we can open this up.
58
00:04:07,840 --> 00:04:08,060
All right.
59
00:04:08,140 --> 00:04:15,640
So once we have it running, all we got to do is track the Devar Dash beta dash decks to J.R., J.R.
60
00:04:15,640 --> 00:04:17,820
into the DJAVAD compiler.
61
00:04:18,460 --> 00:04:23,860
So once you have done that on the left side, we can look at the more information about this J.R. fall.
62
00:04:23,890 --> 00:04:25,870
So we have Jacare Devar.
63
00:04:26,200 --> 00:04:29,770
So go in, opened it up and we can look at all the different classes.
64
00:04:30,370 --> 00:04:33,850
So we have API credentials, access, control.
65
00:04:34,120 --> 00:04:39,160
And of course, the one thing that we want to look at is the open up the sequel injection activity.
66
00:04:39,490 --> 00:04:41,080
So go ahead and click open on that.
67
00:04:41,680 --> 00:04:44,920
And over here we can immediately find more information.
68
00:04:44,980 --> 00:04:48,400
So we have schoolie I we have the drop table.
69
00:04:48,400 --> 00:04:53,650
If exists equal our user LLC would actually and would actually create a table.
70
00:04:53,930 --> 00:04:54,070
All right.
71
00:04:54,130 --> 00:04:56,410
So once you have dropped the table, it would create a table.
72
00:04:56,680 --> 00:05:01,960
And we have the user variable character, a variable character and credit card variable character.
73
00:05:01,960 --> 00:05:10,870
And immediately we can find all three user records inside this mobile application directly by viewing
74
00:05:10,870 --> 00:05:11,550
the source code.
75
00:05:11,560 --> 00:05:13,030
It has been hot code.
76
00:05:13,030 --> 00:05:17,410
It so hot code it sent into these skillfull.
77
00:05:17,410 --> 00:05:23,140
And that is how we actually gain access to those credentials where we will actually trying to do the
78
00:05:23,140 --> 00:05:23,920
sequel injection.
79
00:05:24,160 --> 00:05:24,490
All right.
80
00:05:24,490 --> 00:05:31,460
And of course, in our case, by being able to break down the jar file or the epic fall, we can gain
81
00:05:31,460 --> 00:05:37,750
direct entry into the source code and know exactly what kind of file, what kind of data is being stored
82
00:05:37,750 --> 00:05:39,650
or created insight to system.
83
00:05:40,660 --> 00:05:43,390
So once again, I hope you've learned something valuable in today's tutorial.
84
00:05:43,390 --> 00:05:47,140
And if I have any questions, feel free to leave a comment below and I'll try my best to answer any
85
00:05:47,140 --> 00:05:47,860
of your questions.
86
00:05:48,040 --> 00:05:49,240
Stromatolite sharing.
87
00:05:49,270 --> 00:05:53,260
Subscribe to the channel so that you can be kept abreast of the latest cybersecurity tutorial.
88
00:05:53,410 --> 00:05:54,760
Thank you so much once again for watching.
9094
Can't find what you're looking for?
Get subtitles in any language from opensubtitles.com, and translate them here.