Now let's take a look at file inclusion. So there are two kinds of file inclusion: local file inclusion, which we'll see, and there's also remote file inclusion. So LFI and RFI.

So remote file inclusion, as the name implies, will actually allow us to load a file from another web server, so we could load up (my spider's still going) a file from another web server onto our web server, for instance. So if it's doing a GET request that gets a file, it will just allow you to get it, like from http://whatever, and you can potentially, like, load malicious code from another web server. It doesn't even have to be hosted on the target web server, which you'd think, how could that possibly happen? But it actually, again, depends on how the code goes. You can include things, for instance in PHP, from other applications just fine if you give it the path, so that's possible. But this particular app doesn't have a remote file inclusion vulnerability. It does, however, have a local file inclusion vulnerability, which will allow me to pull
our newsletters, if it's in the right place. So I'm still Mike. If I go to Profile and View Newsletters, then click on this newsletter here. I'm gonna turn on my Burp proxy again. So we intercepted it, so we can see the parameter is here. It's actually pulling this from C:\inetpub\wwwroot\book\newsletters\mike@mike.com\Web Hacking Reviewed all tech. So it gives us a full path. It's going to allow us to actually pull in a file that our web user has access to within the window. So I'll leave it alone for now, forward it on, and we get that there. So we can pull other files from the web server as well. Again, anything on the file system there, for instance, in the dark ticket. Now, login information is actually all in plain text. Everybody's in plain text, including the user I created. Mike's password was Michael, which we could guess.

You can also pull things off the file system, again, anything that we have access to as this IIS user, basically, because we don't have privileges on this. If we had code on here, an ASPX backdoor that we had gotten up some other way, we might be able to execute it even. But seeing the passwords isn't that bad, really? Maybe there's a place that stores credit cards. Well, it's actually not in this app, but if it was a real app, perhaps there was.
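Added example, not part of the course or the application shown in the video: a Python model of the newsletter file read, with the vulnerable path concatenation beside a version that resolves the path and checks it still lives under the newsletter root, plus a request-side check a reviewer can run over proxy or log values to spot traversal attempts. The folder layout, file names and the secret file are constructed stand-ins for the C:\inetpub\wwwroot\book\newsletters\<user> path seen in the proxy; the function names are hypothetical.

```python
import os
import tempfile
import urllib.parse


class PathTraversalError(ValueError):
    """Raised when a requested file resolves outside the newsletter root."""


def read_newsletter_vulnerable(newsletter_root, user, name):
    # Vulnerable pattern (hypothetical, not the app's real code): both request
    # parameters are joined straight onto the base path, so ".." segments in
    # either of them, or an absolute path, walk out of the newsletter folder.
    path = os.path.join(newsletter_root, user, name)
    with open(path, encoding="utf-8") as f:
        return f.read()


def read_newsletter_safe(newsletter_root, user, name):
    # Hardened version: resolve ".." and symlinks first, then insist the result
    # is still under the root before touching the file system. This catches
    # traversal in either parameter and absolute paths (os.path.join drops the
    # root when the second argument is absolute, realpath then exposes that).
    root = os.path.realpath(newsletter_root)
    target = os.path.realpath(os.path.join(root, user, name))
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:          # different drive on Windows: certainly outside
        inside = False
    if not inside:
        raise PathTraversalError(f"{user!r}/{name!r} resolves outside {root}")
    with open(target, encoding="utf-8") as f:
        return f.read()


def looks_like_traversal(param_value):
    # Cheap request-side check for a WAF rule or log review: undo percent
    # encoding twice (double encoding is a common evasion), treat "\" like "/",
    # then flag ".." segments, rooted paths and Windows drive prefixes.
    decoded = param_value
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
    normalized = decoded.replace("\\", "/")
    return (".." in normalized.split("/")
            or normalized.startswith("/")
            or (len(normalized) > 1 and normalized[1] == ":"))


def make_sample_tree():
    # Constructed layout: <base>/wwwroot/book/newsletters/<user>/issue1.txt with
    # a "secret" config file outside the web root, standing in for the plain
    # text credential store the transcript mentions.
    base = tempfile.mkdtemp(prefix="lfi_demo_")
    root = os.path.join(base, "wwwroot", "book", "newsletters")
    user_dir = os.path.join(root, "mike@mike.com")
    os.makedirs(user_dir)
    with open(os.path.join(user_dir, "issue1.txt"), "w", encoding="utf-8") as f:
        f.write("Newsletter issue 1")
    with open(os.path.join(base, "secret_config.txt"), "w", encoding="utf-8") as f:
        f.write("db_password=constructed-sample")
    return base, root


if __name__ == "__main__":
    base, root = make_sample_tree()
    escape = "../../../../secret_config.txt"   # four levels up: newsletters, book, wwwroot, base
    print("vulnerable read:", read_newsletter_vulnerable(root, "mike@mike.com", escape))
    try:
        read_newsletter_safe(root, "mike@mike.com", escape)
    except PathTraversalError as e:
        print("safe read rejected:", e)
    print("normal read:", read_newsletter_safe(root, "mike@mike.com", "issue1.txt"))
    for v in ("issue1.txt", "..%2F..%2Fsecret_config.txt", "%252e%252e/x"):
        print(f"{v!r}: traversal={looks_like_traversal(v)}")
```

The containment check works on the resolved path rather than by stripping "../" from the input, so encoded or mixed-separator variants are handled uniformly; the string check is only a triage aid for reviewing captured requests, not a substitute for the resolved-path check in the handler.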
Let's look at another thing. Looks like a command execution. Intercept off, don't need it right now. So actually, this thing called newsletter sign-up right here. We saw that actually... I'll scroll back for a second. I'm looking for the original. Actually, Proxy, there it is, intercept is on. So it was on inetpub\wwwroot\book\newsletters\mike@mike.com. So it looks like there is actually a folder there for each user that has... So my guess would be, and I obviously can be wrong, there's no requirement that developers develop things the way I think they should, but I would guess that this newsletter sign-up will actually create a folder for the user that signs up. So what if I do georgia@...com, but then in the process of creating that folder, what if I do "&&"? And sometimes, I mean, it just depends on the underlying technology, things like that. I mean, it depends what the syntax is gonna be to get the second command. If you, like, ipconfig and put the output into C:\inetpub\wwwroot, the path from the previous vulnerability, and it seems to have worked. All right, if I GET it, there's the output of my command. So we can actually execute some commands on the system. Again, we're gonna be limited by the user that we are, but we could do something, maybe some PowerShell. But we saw in our post-exploitation section in section two... we could make this a little bit cooler. You know, something we can try.
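Added example for the sign-up command injection, not the application's own code: a hypothetical command-line build that splices the submitted address into a mkdir command (returned as a string and never executed, so the effect of "&&" can be inspected), beside a handler that allowlists the address and creates the folder through the file-system API, leaving no shell to inject into, plus a helper for flagging submitted values that carry shell metacharacters during log review. The address pattern, the sample addresses and the function names are constructed.

```python
import os
import re
import tempfile

# Allowlist for an e-mail address that will become a folder name (constructed,
# deliberately stricter than RFC 5322: no spaces, quotes, slashes or shell characters).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")

# Characters that let a value reach a second command in cmd.exe or sh.
SHELL_METACHARS = set("&|;`$<>(){}\n\r\"'")


class InvalidSignup(ValueError):
    """Raised when a submitted address fails the allowlist or containment check."""


def build_signup_command_vulnerable(newsletter_root, email):
    # Vulnerable pattern (hypothetical): the handler builds a cmd.exe command line
    # with the raw address spliced in. Returned, not run, so it can be examined.
    return f"mkdir {newsletter_root}\\{email}"


def injected_commands(command_line):
    # Splits a cmd.exe-style command line on && / || / & / | and returns every
    # command after the first, i.e. what an attacker-controlled field added.
    parts = re.split(r"\s*(?:&&|\|\||&|\|)\s*", command_line)
    return [p for p in parts[1:] if p]


def create_user_folder_safe(newsletter_root, email):
    # Hardened handler: validate against the allowlist, resolve the target and
    # check it is a direct child of the root, then create it with os.makedirs.
    # No command line is ever built, so there is nothing to inject into.
    if not EMAIL_RE.fullmatch(email):
        raise InvalidSignup(f"address rejected by allowlist: {email!r}")
    root = os.path.realpath(newsletter_root)
    target = os.path.realpath(os.path.join(root, email))
    if os.path.dirname(target) != root:
        raise InvalidSignup("address would place the folder outside the newsletter root")
    os.makedirs(target, exist_ok=True)
    return target


def user_folder_exists(newsletter_root, email):
    return os.path.isdir(os.path.join(os.path.realpath(newsletter_root), email))


def flag_signups(values):
    # Log-review helper: which submitted sign-up values carry shell metacharacters?
    return [v for v in values if SHELL_METACHARS & set(v)]


def make_demo_root():
    # Constructed stand-in for C:\inetpub\wwwroot\book\newsletters
    return tempfile.mkdtemp(prefix="signup_demo_")


if __name__ == "__main__":
    root = make_demo_root()
    tainted = "georgia@example.com && ipconfig"        # constructed sample input
    cmd = build_signup_command_vulnerable(root, tainted)
    print("command line the vulnerable handler would run:", cmd)
    print("extra commands smuggled in:", injected_commands(cmd))
    try:
        create_user_folder_safe(root, tainted)
    except InvalidSignup as e:
        print("safe handler rejected:", e)
    print("safe handler created:", create_user_folder_safe(root, "georgia@example.com"))
    print("flagged:", flag_signups(["mike@mike.com", tainted]))
```

Two layers are on purpose: the allowlist stops the bad value at the edge, and using the file-system API instead of a shell means that even a value which slips past validation is only ever treated as a folder name.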