Hello and welcome back to the course Identifying Web Attacks Through Logs.
I'm Igor Vieira. In the last video, we talked about injection attacks and SQL injection attacks.
In this video, we'll talk about another injection attack called file inclusion.
Let's see the video objectives.
The video objectives are:
understand the local and remote file inclusion attacks, and identify the attacks using the web server logs.
First, let's discuss for a while the file inclusion attack. As we said before, it is an injection attack.
It is usually caused by wrong input validation. It is common to see the directory traversal characters.
There are two types: local file inclusion, which accesses and executes local files or commands, and remote file inclusion, which accesses and executes remote files or commands.
File inclusion is a server-side attack.
Here you can see how file inclusion works. First, the local.
The request is sent to the server and answered.
So it all happens in the same server.
The remote file inclusion is a little different.
The user sends the request to the web server, and the web server sends the request to another web server.
That's why it's called remote file inclusion:
you need two different servers.
There is in our lab a web application that is vulnerable to file inclusion, both local and remote.
For example, here is an example of local file inclusion.
passwd is a file that contains all the passwords from the users in a Linux machine.
You can see the directory traversal characters used to change the directories.
The result is that the passwd file will be reached and displayed in the web page,
as you can see in this picture.
Let's analyze some logs together.
The first line of the log is a normal request.
The second line is the direct request to the passwd file,
and the web server answer is not found, the 404.
So the request wasn't answered.
In the third line, we have 200 as the answer, so the web server found the passwd file.
Notice the difference between the two requests.
The next line is the same request, but encoded.
As you can see, it worked.
The web server answered with the passwd file.
Since the passwd file is local, this attack is a local file inclusion.
In these examples, we had access to critical files.
It is also possible to execute commands on the web server.
In this table, we have a summary of the most common target files for each operating system.
If you want, pause the video and take some notes.
And now some directions to help you identify the local file inclusion:
look for operating system commands and files,
encoded requests,
and slashes in the requests.
You can go to this website and look for more examples of local file inclusion. Next is the remote file inclusion. We will use the same lab.
The difference between the remote and local file inclusion is where the resource is located.
The remote file inclusion means accessing another server's files. In our example, we will access the Google website from our lab.
In the result, you can see that the Google search bar is loaded in the lab web page. The remote server is a Google server.
The remote file inclusion accesses remote servers. So maybe you're thinking: I don't have access to the remote server. Can I find the remote file inclusion attack logs on my web server? Yes, you can find the logs of the attack on your web server. Accessing another web server is a consequence of the attack.
Your web server is the target.
That's why you will have the logs.
Let's analyze some logs.
The first line is the request to the vulnerable web page.
Notice that there are some log fields missing, like user agent, IP address, and date and time.
They were removed just to save space.
In the second line, we have the malicious request.
Another page is accessed,
in this case, the Google web page.
The other logs are our web server requesting the Google web page.
Our web server is downloading the Google web page.
That's why we have similar logs.
Most of them are pictures.
The full log of this request is bigger. Here we have a small part,
but all the requests are similar.
You can use the same directions to identify remote and local file inclusion. Here are some directions more related to the remote:
look for URLs in the requests,
as we showed in our example: requests to another web server, like an outside site.
It's suspicious if the server is accessing a remote server. Maybe you can see an increase in web server traffic.
Here too, look for encoded requests.
Look for uncommon user agents or vulnerability scanners.
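The directions for local and remote file inclusion given above, applied to web server log lines. This is an added example, not part of the original video: the log lines are constructed, and the host names, the scanner list and the target files other than passwd are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (Apache combined log format); not taken from the video's lab.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /passwd HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2024:10:00:21 +0000] "GET /index.php?page=http://remote.example/ HTTP/1.1" 200 9120 "http://lab.example/index.php" "Nikto"',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
TRAVERSAL = re.compile(r'\.\.[/\\]')                      # ../ or ..\
# Assumed examples of target files; the video's own table is not reproduced here.
OS_FILES = re.compile(r'(?:^|[/\\=])(?:passwd|shadow|boot\.ini|win\.ini)\b', re.I)
REMOTE_URL = re.compile(r'=\s*(?:https?|ftp)://', re.I)   # parameter value is a URL
ENCODED = re.compile(r'%(?:2e|2f|5c|3a)', re.I)           # encoded . / \ :
SCANNERS = ('nikto', 'sqlmap', 'nmap')                    # assumed short scanner list


def classify(line):
    """Return (verdict, indicators, status) for one log line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ip, _method, target, status, _referrer, agent = m.groups()
    decoded = unquote(unquote(target))   # two passes also catch double encoding
    query = urlsplit(decoded).query
    checks = [
        ('encoded', ENCODED.search(target)),
        ('traversal', TRAVERSAL.search(decoded)),
        ('os-file', OS_FILES.search(decoded)),
        ('remote-url', REMOTE_URL.search(query)),
        ('scanner-ua', any(s in agent.lower() for s in SCANNERS)),
    ]
    hits = [name for name, found in checks if found]
    if 'remote-url' in hits:
        verdict = 'RFI'
    elif 'traversal' in hits or 'os-file' in hits:
        verdict = 'LFI'
    else:
        verdict = 'suspicious' if hits else 'normal'
    return verdict, hits, int(status)   # status 200 means the server answered


if __name__ == '__main__':
    for line in SAMPLE_LOG:
        print(classify(line), line.split('"')[1])
```

A 200 status on a flagged line means the server answered the request and deserves priority; a 404 on the same pattern is still worth recording as an attempt.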
Post-assessment question: analyze the web server log below and choose the type of the attack.
You can pause the video if you want.
The answer is number four, remote file inclusion. Let's now analyze together and see why.
We have the IP address, date and time, and the requested file,
and we have the GET method.
If you look at the requested file, you can see there is another address in the page. So we have a remote file inclusion, because we are trying to access a remote server, here the Cybrary web page.
And the other fields are okay. We have the 200, which means OK.
We have the referrer and the user agent.
For the next question, analyze the web log below
and identify which web page is vulnerable to file inclusion attack.
Here you have the request,
and you have a small part of the full log.
But you can see the malicious request,
and if we look at the referrer, we can see the origin web page.
Remember that the referrer can be crafted too, but sometimes it can help.
In this case, it's possible to find the vulnerable web page. Here is the answer.
Video summary: in this video, we learned about local and remote file inclusion attacks
and their differences. We used our labs to generate some web server logs,
and analyzing the web server logs, we identified both types of attacks,
local and remote file inclusion.
We also gave some directions to identify the attacks, like URL requests,
encoded requests, user agents,
requests with operating system commands or files, and requests with many slashes,
and some specific directions for the remote file inclusion, like the requests to the outside.
In the next video, we will analyze cross-site scripting attacks,
and we will identify the attack using the web server logs.