Time
4 hours 20 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Description

This lesson covers how LFI (local file inclusion) works, using the Kali box. Participants learn step-by-step instructions for discovering the source of a file. LFI is used to access files and can open the door to sensitive files if one has the ability to access files as the root user.

Video Transcription

00:04
Let's take a look at how LFI works real quick. All right, so here we are in our Kali box, and
00:13
we see if you right-click and you Inspect Element, you could see
00:19
exactly the source of
00:22
this file here is going to come up here.
00:27
We're going forward slash
00:30
there,
00:31
trav
00:34
forward slash example
00:38
dot
00:40
PHP.
00:43
Question mark.
00:45
File
00:47
equals
00:49
hacker
00:51
dot PNG
01:04
It's gone right. Click and
01:11
all right, so here we are in our lab.
01:15
Right-click this picture, this hacker. We're going to click View Image. So just file equals hacker.png. Well,
01:25
let's do this
01:26
Still
01:27
/etc/passwd,
01:30
they get anything? Well,
01:36
try another layer. Still nothing.
01:38
Keep adding these. Oh, there we go. So we keep adding dot dot slash until we successfully
01:46
view the file
01:53
and we could do something like /etc/shadow
01:55
Elegant view. Oh,
01:57
so we do not have the correct permissions to view the /etc/shadow file, which is a good thing here,
02:04
but we could view the
02:07
/etc/passwd file, which shows us all the different users that are on this system. So that's how file inclusion will work on this website.
02:16
So once again,
02:21
we went here,
02:23
the directory traversal. We viewed the image.
02:25
We see that it was pulling the file hacker.png.
02:30
Dot dot slash, dot dot slash, dot dot slash,
02:34
which we're calling the different
02:36
levels of the file system structure
02:42
etc
02:43
pass.
02:45
Okay,
02:46
The beauty
02:49
boom.
02:50
We're able to see that file.


Instructed By

CyDefe
Instructor