Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

This lesson offers a brief introduction to Local File Inclusion (LFI) and Remote File Inclusion (RFI) and covers the following:

1. What is LFI?
2. What does LFI look like?
3. Why is LFI dangerous?
4. What is RFI?
5. What does RFI look like and why is it dangerous?

Video Transcription

00:04
Welcome to Cybrary. I am Raymond Evans, and I will be your subject matter expert for Cybrary's web app penetration testing course. In this video, we will be discussing LFI and RFI, or
00:16
remote file inclusion and local file inclusion. So, what will be covered: we're gonna talk about what is local file inclusion.
00:23
What does local file inclusion look like? Why is it dangerous? We'll also look at what is remote file inclusion.
00:31
What does remote file inclusion look like, and why that's dangerous. So what is LFI, or local file inclusion?
00:38
Well,
00:38
local file inclusion is a process of including files on a server through a browser. In simple terms, it allows you to view files on the server and, in some cases, execute commands.
00:50
This could be used to traverse systems and gain access to files that should normally not be accessible. Basically, what this does is allow individuals to look through your system and rifle through your files. You would never know that they're there.
01:03
It is easily executed
01:06
and is very, very hard to detect unless you have something like an
01:12
IDS or IPS, an intrusion detection or intrusion prevention system, with a signature written to identify this in the packets. So what exactly does it look like? Well, from the example here we see example.com/preview.php?file=
01:30
../../../../etc/passwd. So what this is doing is it's looking
01:34
for a specific file type, and the way that this was written, this code on this web page, is it just calls to the system and says, "Hey,
01:44
open up this file." Not the best thing to do, exactly. You know, if you're trying to find file=home.html for the home page.
01:55
Well,
01:56
the way that that's structured, it also allows anybody to just
02:00
put
02:00
the directory for whatever file that they want to look at in this file directory here. So again, the /etc/passwd file,
02:08
and able to get that information there. So why is local file inclusion dangerous, exactly? Well, local file inclusion, as I said before, could be used to be able to access files.
02:19
If you have the ability to access files as a user, this opens the door to sensitive files, things like the /etc/shadow file, which could be used to get password hashes that could be cracked if the passwords are weak enough. You could also enumerate the SSH authorized keys, which could be used to gain access to a system
02:38
via SSH.
02:40
And you could also look at the Linux network configuration files to gain more info about the internal networks.

Instructed By

CyDefe
Instructor