00:04
Hello and welcome to the Cybrary secure coding course. My name is Sonny Wear, and this is OWASP Top 10 for 2013, A6 Sensitive Data Exposure, demo: hidden or secret URLs.
00:21
This is the demo for secret or hidden URLs.
00:25
So a lot of times, developers or even administrators will set up pages, administrative pages.
00:34
And instead of protecting those pages
00:38
with authorization checks in the application, they will just instead not actually put links to them directly from the application. And so this is a way I'm going to show where you can actually identify and discover
00:57
those administrative pages
01:00
without much effort. Now we're gonna use Mutillidae for this. This particular exercise is basically stating that server configurations on pages that are allowed through firewalls is certainly a bad idea.
01:15
Hiding pages by not linking to them, so you believe you are the only one who knows the URL, just doesn't work. And so I'm about to show you how you can discover these.
01:29
So let's go ahead and turn on our interceptor in Burp Suite.
01:34
And I'm gonna go ahead and capture this request,
01:42
and I'm actually going to send this request to the Intruder.
01:49
And in the Intruder,
01:55
my Positions tab. Now, when you first come into the Intruder, it's going to identify
02:01
areas where variables can be substituted in. I'm actually going to clear these out
02:08
because the only thing that I'm going to guess is the name of an administrative page. I'm gonna wrap my variable around that.
02:19
And this is what I'm going to substitute with different values to try to determine if they are indeed admin pages.
02:28
Now let's go to Payloads.
02:31
So with the payload, I've actually created a custom payload with some page names.
02:38
We'll take a look at that now.
02:43
So here you can see some different page names that I have
02:47
hoping that maybe one of these, or maybe several of these, will access the administrative PHP page.
03:00
Now, the only other thing that I want to add is in the Options. I actually want to
03:07
flag for a particular value, and that would be "page not found."
03:15
So I'm actually gonna grep for
03:22
the words "not found."
03:27
Okay. That's all I'm going to
03:30
add to that. And I'm gonna start my attack.
03:50
Okay. And so we've finished. I only had 21 entries.
03:54
Of course, I had my baseline that I used. Now, if I take a look at the results, I can see here that help.php actually found this error message of a "not found." So
04:10
that must be a page not found. And I can actually verify that by going to the Response tab and rendering it.
04:16
I can take a look at the page,
04:20
and yes, indeed, it says "Page not found."
04:26
Now, if I continue down, I can see that I do have a hit, however, with secret.php. So if I look at that in the Render
04:36
tab of my response, I can see that this is
04:44
a PHP server configuration page.
04:47
And it's got lots of
04:49
great information for me to then
04:54
continue my attack and look for weaknesses in this version of PHP.
05:02
So everywhere that I do not have a check mark for "not found" is where I successfully found an administrative page.