Greetings, and in this short video presentation, we're going to see how we go about performing a couple of different browser based attacks. In this demonstration, we'll be performing a manual SQL injection. And later in the lab, we'll be doing a local file inclusion and a directory traversal attack. As with every lab, I want to confirm that I have good network connectivity. So I've done an IF config on my Kali machine and I see that I have an IP address of 192 dot 168 dot 145 dot 177. And on my medicine portable two machine, I have an IP address of 192 dot 168 dot 145 dot one to eight.

Now I want to do is ping from my Kali over to the meta supportable using the one to eight address. So at the command prompt on my callin machine, I've typed in ping 192 dot 168 dot 145 dot 128 which is the IP address of my mess portable to victim. I'm going to go ahead Hit Enter, and we see that the response comes back positive, I can break that sequence by using Ctrl plus C, I'm going to go ahead and clear the screen, I can clear now we're ready to begin the lab. So SQL injection is a technique that exploits a security vulnerability within a Pacific application. This type of attack is often used against applications that are data driven, such as SQL databases. This attack is performed by including Pacific portions of SQL statements within the field for the website to pass a malicious SQL command to the database to reveal the contents of the database to the attacker.

Now by default, SQL out of the box comes with about 1500 default settings. And most of those make SQL vulnerable. So you can understand how hard it is for any SQL administrator to go in and harden and SQL Server and still expect it to work. That's why Microsoft Soft sets up those default settings, and there's 1500 of them. And so if you go in there and you start setting up your SQL server to be hardened, there's a high probability that you can turn and that SQL Server into a doorstop very quickly, just by setting the wrong checkbox, or setting the wrong registry entry. Minister portable two has a version of matil de, which is a vulnerable web application that we're going to be attacking the problem is the new version of minister portable two does not have the right database configured for Matilda.

So what we're going to have to do is go over to our minister portable to and make some modifications to our config dot i NC file. So at the terminal prompt for my mess portable two I have typed in sudo because we're going to have to be doing this as their route. So I've typed in sudo space nano, which is Going to be the editor that we're going to use to modify the config dot ANC file. And I've typed in the path, forward slash var slash www for slash Mattila day for slash config dot i NC. Now once I've got everything typed in, and I have double checked it, because I don't want to be doing this three or four times, I'm going to go ahead and hit Enter. And it comes up and it wants to know what the root password is.

And that's the same as the login password for your administer portable to so it's MSF admin, and now we're inside of the file. So what I'm going to do is I'm going to use my down arrow, and I come to that last line where it says dollar sign DB name equals, and I'm going to go across here. Now normally, this doesn't say oh w ASP 10 it says meta splittable. But that's the wrong database. We need to be pointing this database To OW, ASP 10. So make sure that you replace the meta supportable inside of those single quotes with o w, sp 10.

When you're done, just go ahead and hit Ctrl x, say y or type in Y for yes, and then just hit enter. I'm not going to make any changes to this file, so I'm just going to do a Ctrl x. And this brings me back to my prompt. We learned previously by doing an IF config on our minister portable to exactly what the IP address was for that victim. It was 192 dot 168 dot 145 dot 128. Now your IP address for your victim will differ.

So make sure that you do an IF config and find out what the IP address is for your installation of menace portable two. In this next step of the lab. We're going to open up Firefox. I'm going to go up here to my quick launch. to double click Firefox and in just a minute, Firefox ESR, which stands for extended service release will open up in just a moment. Up in the address bar of your Firefox you want to type in http colon, forward slash forward slash the IP address of your Manasquan level two machine, forward slash Matilda.

Make sure you spell everything correctly. And then you just hit Enter. And if you did it correctly, and if everything's working like it should be, you'll be brought up to the Matilda vulnerable webpage. Okay, and it tells you that this is a deliberately vulnerable PHP script. Oh w ASP top 10. So what we're gonna do now, we're going to go over here to the top can o w a s p, o w SP face cam, we're going to go to injection and we're going to go to to SQL, I extract data, user info, I'm going to click on that.

And we're now going to type in some information into this name box here, that's going to allow us to pull off some credit card information by just using some tricky SQL expressions. So matil de is a vulnerable web application that is designed to allow you as either a pen tester or a hacker to practice your craft. So everything in here is going to work for the most part, and it's not going to give us any grief out in the real world, you're going to have to do a little bit more research and a lot more recon to be able to find something that's going to allow you to pull this off, but in this context, it works just fine. So first thing we want to do is want to go to the Name field, right click, we're going to go down to inspect element. Now here inside of the element, we have this line Hear that says sizes 20.

Change that 20 to a 100. And now when I hit enter to the field, notice that the name box expands. To show the increase in size, we can go ahead and close out the element box now, we're now going to use the name field to allow us to inject some SQL expressions to exploit the back end. In this example, we're using the union command to join two separate SQL queries as one and it says union and I want you to join all this and I want you to select the following bits of information for me, the CC ID, the CC number, credit card number, the CCTV, the expiration No, and that means that if there's anything else that I forgot, go ahead and put it in here for me from credit cards credit cards is a table of information that is inside of this particular vulnerable database.

And we know that that is the case. So what we're going to do now is we've got this expression at the end of this piece of syntax. And notice there's a space, there's two dashes. And at the end of this dash, there has to be another space. So make sure you do that. Alright, so now we're just going to go ahead, we're going to hit Enter.

And what we've pulled up here from that table called credit cards, using that name field is the credit card number, the CCV number, and we pulled in the expiration date for the credit cards. And that's how easy that was. So all we did was just use the name field, which allows us to use this front end of the database to communicate with the back end of the database. And because sequel, in this sense, is vulnerable. We were able to exploit the data Based using these simple SQL expressions, in this next portion of the lab, we're going to use directory traversal in our browser to access files that were not properly sanitized, and were not properly configured to prevent us from pulling them up just using a browser. So what I've done is, I've gone up here to my address bar, and I've typed in an IP address on my victim, the web application Matilda for slash index dot php, question mark page equals for slash itself inside the etc.

Directory, and I want the password file. Now when I hit Enter, if this page has not been properly sanitized, then it's going to allow me to have access to it. And this is just about any page that you want on the server if it hasn't been properly protected. And we haven't done our due diligence to protect that file that We can use a web browser just like I've done here to pull it up. And we see that I pulled up the password file here. And we see all of the information that's inside of this password file.

And we can use this to help gather more information about how to further exploit this installation of my SQL Server. Now another file that would be of interest to us would be the SSH or slash authorized underscore keys file located up inside of the root directory. So when I just when I go ahead and I load this into the address bar, this is all taken from the lab I just copied and pasted this from the lab into here into my browser's address bar, we hit Enter, and we see that I bring up those SSH keys. Now of course, now this is all hashed. But I can run this through a decrypting utility of some type and I can Probably over time, crack these keys. So that's that's of interest to us if we want to be able to connect remotely using SSH.

So in this short video presentation, you got to see how easy it was to conduct a manual SQL injection, and a local file inclusion and directory traversal attack using just a browser when a SQL database is vulnerable from the front end. Later on, we're going to see another lab where I'm going to use an application called SQL map. And it's going to do all of this for us and you're going to be amazed how easy it is to access and hack a vulnerable SQL database. That concludes this short video presentation and if you have any questions or concerns about this lab or this video, please do not hesitate to reach out and contact your instructor and I'll see you in my next video.