Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers file inclusion. There are two types of file inclusion:

  • Local File Inclusion (LFI): allows including a file from the local web server
  • Remote File Inclusion (RFI): allows including a file from a remote web server
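As an added example (not code from the course or the demo application), here is a PHP newsletter viewer written the way the vulnerable app in the video behaves, with the client supplying the full path, next to a hardened version that builds the path on the server and confines it to the user's newsletter folder. The directory layout, parameter names and the `.txt` extension are assumptions.

```php
<?php
// Added example, not the course's own code. Directory layout, parameter
// names and the .txt extension are assumptions.
session_start();

// VULNERABLE (LFI): the client hands us the complete path, so any file the
// web server account can read comes back, not just newsletters.
function show_newsletter_vulnerable(string $path): string
{
    return (string) file_get_contents($path);   // $path came straight from ?file=
}

// HARDENED: the client names a newsletter, the server builds the path,
// resolves it with realpath() and refuses anything outside the user's folder.
const NEWSLETTER_ROOT = '/var/www/newsletters';  // assumed location

function show_newsletter_safe(string $user, string $name): ?string
{
    // Strict allowlists that must start with a letter or digit: no slashes,
    // no bare "..", no NUL bytes can get through.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._@-]*$/', $user)
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*\.txt$/', $name)) {
        return null;
    }
    $base = realpath(NEWSLETTER_ROOT . '/' . $user);
    if ($base === false) {
        return null;                      // user has no newsletter folder
    }
    $full = realpath($base . '/' . $name);
    // realpath() has collapsed symlinks and "..", so a prefix check on the
    // canonical path proves the file really lives under $base.
    if ($full === false || strncmp($full, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    $data = file_get_contents($full);
    return $data === false ? null : $data;
}

// Request handling: identity comes from the session, never from the URL,
// and the client only ever supplies a file name.
$body = show_newsletter_safe($_SESSION['user'] ?? '', $_GET['newsletter'] ?? '');
if ($body === null) {
    http_response_code(404);
    exit('Newsletter not found');
}
header('Content-Type: text/plain; charset=utf-8');
echo $body;
```

The same allowlist on the user value is what stops a sign-up e-mail address from carrying shell metacharacters into the folder-creation step discussed later in the video.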

Video Transcription

00:04
Now let's take a look at file inclusion. So there are two kinds of file inclusion: local file inclusion, which we'll see, and there's also remote file inclusion. So LFI and RFI.
00:18
so remote file inclusion, as the name implies, will actually allow us to load a file from another Web server, so we could load up
00:28
my spider still going
00:32
so we could load up
00:37
a file from another Web server, or our Web server, for instance. So if this is doing
00:43
a GET request that gets a file, and it will just allow you to get it, like from http://whatever,
00:50
um,
00:52
you can potentially, like, load malicious code from another Web server doesn't even have to be hosted on
00:59
the target Web server, which conceivably, how could that possibly happen? But it actually, again, depending on
01:04
how the code goes, when you can include things, for instance, in PHP from
01:10
other applications just fine if you give it the path, so
01:15
that's possible. But this particular app doesn't have a remote file inclusion vulnerability.
01:19
It does, however, have a local file inclusion vulnerability
01:23
which will allow me to pull
01:26
local files.
01:32
Ah,
01:33
take a look.
01:38
We go to
01:42
our newsletters was in the right place. So I'm still Mike. If I go to profile and view newsletters,
01:49
then click on this newsletter here. I'm gonna turn on my Burp proxy again. So we intercepted
01:59
so we can see the parameter is here. It's actually pulling this from C:\inetpub\wwwroot\book\newsletters\mike@mike.com\ Wig Web Hacking Reviewed all tech. So it gives us a full path.
02:15
So this is
02:16
going to allow us to actually pull in a file that
02:21
our Web user has access to
02:24
into this
02:27
with the window. So all this leave it alone for now,
02:30
forward it on, and we get that
02:38
they're so we can pull other files
02:42
from the Web server as well.
02:45
Again, anything on the file system
02:52
There, for instance,
02:57
gave it
03:01
edited this value
03:05
on
03:10
Set it to
03:23
Oh,
03:23
in the dark ticket. Now
03:30
here a year
03:34
log in information is actually all in plain text are less Everybody's
03:38
password
03:40
in plain text, including the user I created
03:45
Mike's password was Michael. What, we could guess that.
03:50
you can also pull things off the file system again, anything that we have access to
03:54
as this IIS user, basically, because we don't have privileges on this
04:01
that we could pull
04:03
so
04:04
greasing information if we hadn't a code on here
04:09
an ASPX backdoor that we had gotten up some other way, we might be able to execute it even
04:16
through here.
04:18
But seeing the passwords isn't hotbed. Really? Maybe there's a place that store's credit card. Well, it's actually not in this app, but it was a relapse.
04:28
Perhaps there was based.
04:30
Let's look it another thing
04:32
on. Looks like a command execution
04:40
intercept off. Need it right now.
04:43
So actually, this thing called newsletter sign a break here.
04:47
So if we
04:54
get the
04:57
we saw that actually Oscar back for a second.
05:00
I'm looking for the original
05:03
newsletters.
05:06
Socially, Proxy. There's on intercept on
05:11
church.
05:13
So it was inetpub\wwwroot\book\newsletters\mike@mike.com. So it looks like
05:19
there is actually a folder there for each user that has
05:26
newsletters.
05:28
So my guess would be returned,
05:30
obviously can be wrong. There's no
05:33
requirement that developers develop things the way I think they should.
05:39
Um,
05:40
but I would guess that this newsletter sign up will actually create a folder
05:46
for the user that signs up. So what if I do? Georgia medicine, Boyd dot com
05:51
The sign up,
05:53
But then in the process of creating that folder,
05:59
what if I do? And and sometimes I mean, it just depends on the underlying technology, like
06:04
or like that, and
06:09
things like that. I mean, it depends what the
06:13
syntax is gonna be to get the second
06:17
command, if you like ipconfig
06:20
and the output into sea
06:25
on it.
06:28
We've never re route.
06:30
Look,
06:31
stop That
06:35
path from the previous vulnerability, and all I do is subscribe
06:43
seems to have worked. All right, if I get you,
06:46
that's not. First,
06:48
there's the output of my command, so we can actually execute some commands on the system again. We're gonna be limited by the user that we are,
06:59
but
07:00
could do something. Maybe some PowerShell.
07:05
But we saw in our push X voice location in section two
07:11
make this a little bit cooler. You know
07:13
something? We can try

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor