Part 2 - LFI & RFI
Video Activity
This lesson covers how LFI works using the Kali Box. Participants learn step by step instructions in how to discover the source of a file. LFI is used to access files and can be used to open doors to sensitive files if one has the ability to access files as a root user.
Video Transcription
00:03
>> Let's take a look at how LFI works real quick. Here we are in our Kali box. We see, if you right-click and you inspect the element, you could see exactly the source of this file here. We're going to come up here, we're going to go /dirtrav/example.php?file=hacker.png. Just going to right-click. Here we are in our lab. Right-click this picture of this hacker and then we're going to click "View image." This file equals hacker.png. Let's do this. To /etc/passwd. Did I get anything? No. Let's try another layer, no, still nothing. Let's keep adding these. There we go. We keep adding dot-dot slash until we successfully view the file. We can do something like /etc/shadow. We did not have the correct permissions to view the /etc/shadow file, which is a good thing here, but we could view the /etc/passwd file, which shows us all the different users that are on this system. That's how a file inclusion will work on this website. Once again, we were in here in directory traversal. We viewed the image, and we see that it was pulling the file hacker.png ../../../, which we're calling the different levels of the file system structure, /etc/passwd, and boom, we're able to view that file.