All language subtitles for 006 A word about Blind SQLi and Introduction to SQLMap.en

In the previous video, we have seen how error-based SQL injection can be exploited. Now let's see how we can use an automated tool called SQLMap to dump information from the database.

Now, before we understand how to use SQLMap, let's try to exploit an application manually and try to find all the difficulties we face in some applications. And then we will see how SQLMap can help us in such cases.

To do this, I'm going to open the bookshelf application in my case. Once again, the bookshelf application is hosted at 192 168 one or five, the port number is 8080, and the application is available at /bookshelf.

OK, so the login page is vulnerable to SQL injection. We have discussed it earlier. Now, what we are going to do is this: if you try to enter bob and bob here, it is going to log you in, but if you enter something else, it won't let you in.

So if you observe, the parameters that are being passed from this login page are not visible in the URL, which means this page is most likely using the POST method. So instead of entering the SQL injection payloads on the login page, it is a good idea to use a proxy tool which can ease the process of injection. So I'm going to use Burp Suite to do this. Let me open my terminal and launch Burp Suite.

This is the Community Edition that comes preinstalled with Kali Linux. Let's click Next and Start Burp.

To be able to send the traffic to this proxy tool, we will have to change the proxy settings in our browser. So I'm going to change the proxy settings in my browser here. I'm opening the preferences, and let's search for proxy.

And let's change the settings to manual proxy configuration. 127.0.0.1 is the localhost IP address, which is where Burp Suite is running, and it listens on port 8080. So we can quickly check that. You can see that here it is listening on port 8080. So we are using port 8080 here. So let's click OK and close this.

And if you come back to this login page and enter something, it will be intercepted by this proxy. So let's go to Proxy, Intercept, and let's make sure that intercept is set to on. Now, let's go back to the login page, enter some test credentials and click Login.

As you can see, the request is intercepted. Now, Burp Suite comes with a very good feature called Repeater. This feature allows you to repeatedly send the request from within Burp itself without requiring you to log into the application multiple times. So for that reason, we are going to send this request to Repeater.

OK, we can now tamper with these parameters and try to inject SQL injection payloads. Every time we do that, we can just hit Send here and it is going to send a request to the server. So let me quickly show you an example. First, let's try to send this request without modifying anything.

There is a 200 OK, and it seems like there is a message which says invalid username or password. Now let's add a single quote like we did earlier with the error-based SQL injection attempt.

And look at that, there is a 500 error and there seems to be a Java NullPointerException, which is possibly coming from this file called Database.java. There is no specific information about SQL queries, but what we can see is that the single quote is causing some exceptions.

Now, let's add one more single quote. If this error disappears, that confirms that this application is vulnerable to SQL injection. So let's click Send, and look at that. This time we have gotten the status code 200. Let's add one more single quote here just to confirm that this is because of the SQL injection. I'm clicking Send. And as expected, we have gotten an exception once again.

So this confirms that this application is vulnerable to SQL injection. Now, like we did earlier, let's try to use the ORDER BY statement.

I'm just going to put a single quote, ORDER BY 1, and a comment, and let's click Send. Seems like there is no error. Let's try 100. There is an error. This means the table doesn't have 100 columns, right? So let's reduce the number to probably five and try again. Once again, there is an exception. So bring it down to four. Once again, there is an error. So let's bring it down to three, and no errors. This means the back end table has three columns. With this information, once again, let's try to use the SELECT statement with UNION.

So I'm just going to delete this ORDER BY and I'm going to use UNION SELECT 1,2,3 and a comment, and let's click Send.

This time, it just redirects us to the home.jsp page, but it doesn't display any information for us. Let's try database(). Once again, the same: there is no information that is being retrieved for us. So this seems like a blind SQL injection. The application is vulnerable to SQL injection, but we cannot see any information being displayed. So this kind of SQL injection is called blind SQL injection. To extract information in such situations, we will have to use some complex queries.

One example would be to use time-based payloads, but that becomes too complex for us to write manually and it is going to take a lot of time. So let's try to use an automated tool to do that for us. So what we are going to do is we'll use SQLMap.

I'm opening a new tab, and we can specify the URL as well as the POST parameters to be tested as input to SQLMap. One good feature of SQLMap is that it can read the request from a file, so we can simply save this request in a file and pass it to SQLMap.

Let's go right click, Copy to file. Let's give this a name and save it.
