Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers file inclusion. There are two types of file inclusion:

  • Local File Inclusion (LFI): the application reads or includes a file that already exists on the target web server, chosen through an attacker-controlled parameter. Anything the web server's account can read is exposed, such as configuration files or, as in this lesson, a file of plaintext passwords.
  • Remote File Inclusion (RFI): the application fetches and includes a file from another web server, one the attacker controls, so attacker-supplied code can run on the target without ever being uploaded to it.
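The following is an added example, not code from the lesson or from the demo application it uses. It shows the local file inclusion pattern the lesson demonstrates (a newsletter handler that opens whatever full path the client sends) beside a hardened version that builds the path server-side and refuses anything resolving outside the newsletter directory, plus a check for the URL-style parameter values that turn an include into a remote file inclusion. The directory layout, the user name mike@mike.com, the issue name and the users.txt credential file are all constructed for the demo.

```python
"""
Added example, not code from the lesson or from the demo application it uses.
vulnerable_read() opens whatever full path the client sends (the LFI pattern
the lesson shows); hardened_read() builds the path server-side from short
identifiers and refuses anything that resolves outside the newsletter
directory; looks_like_remote_include() flags URL-style values that would
turn an include into an RFI. Directory layout, user name, issue name and the
users.txt credential file are constructed for this demo.
"""
import os
import re
import tempfile

# Identifiers the hardened handler accepts: e-mail-like user names and
# simple issue names, nothing else (no slashes, no backslashes).
NAME_RE = re.compile(r"^[A-Za-z0-9@._-]{1,64}$")


def build_demo_tree():
    """Create <root>/newsletter/<user>/<issue>.txt plus a sensitive file
    outside the newsletter directory that the web server account can read.
    Returns (root, path_of_sensitive_file)."""
    root = tempfile.mkdtemp()
    user_dir = os.path.join(root, "newsletter", "mike@mike.com")
    os.makedirs(user_dir)
    with open(os.path.join(user_dir, "issue1.txt"), "w") as f:
        f.write("Newsletter issue 1\n")
    secret = os.path.join(root, "users.txt")
    with open(secret, "w") as f:
        f.write("mike:password1\n")  # constructed plaintext credential
    return root, secret


def vulnerable_read(path_param):
    """LFI: the request parameter is a full path and is opened unchecked,
    so any file readable by the web server's account can be requested."""
    with open(path_param) as f:
        return f.read()


def hardened_read(root, user, issue):
    """Resolve <root>/newsletter/<user>/<issue>.txt and serve it only if the
    resolved path is still inside the newsletter directory."""
    for name in (user, issue):
        if name in (".", "..") or not NAME_RE.match(name):
            raise ValueError("bad identifier: %r" % name)
    base = os.path.realpath(os.path.join(root, "newsletter"))
    target = os.path.realpath(os.path.join(base, user, issue + ".txt"))
    # realpath() collapses ../ and symlink tricks; then check containment.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes newsletter directory")
    with open(target) as f:
        return f.read()


def looks_like_remote_include(param):
    """RFI indicator: a scheme (http:, https:, ftp:, file:, ...) or a
    protocol-relative // prefix in an include/open parameter."""
    return re.match(r"^(?:[a-z][a-z0-9+.-]*:)?//", param, re.I) is not None


if __name__ == "__main__":
    root, secret = build_demo_tree()
    # Intended use and the LFI both succeed against the vulnerable handler.
    print(vulnerable_read(os.path.join(root, "newsletter", "mike@mike.com", "issue1.txt")))
    print(vulnerable_read(secret))  # leaks the credential file
    # The hardened handler serves the same newsletter but blocks the escape.
    print(hardened_read(root, "mike@mike.com", "issue1"))
    try:
        hardened_read(root, "..", "users")
    except ValueError as e:
        print("blocked:", e)
    print(looks_like_remote_include("http://attacker.example/shell.txt"))
```

The identifier allowlist rejects separators before any path is built, and the realpath containment check is kept as a second layer so that a symlink or an allowlist mistake still cannot reach outside the newsletter directory; on Windows, os.path.commonpath also raises ValueError when the two paths sit on different drives, which is likewise a rejection.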

Video Transcription

00:04
Now let's take a look at file inclusion. So there's two kinds of file inclusion: local file inclusion, which we'll see, and there's also remote file inclusion. So LFI and RFI.
00:18
So remote file inclusion, as the name implies, will actually allow us to load a file from another web server, so we could load up
00:28
my spider's still going
00:32
so we could load up
00:37
a file from another web server, or our web server, for instance. So if this is doing
00:43
a GET request that gets a file, and it will just allow you to get it, like from http://whatever,
00:50
um,
00:52
you can potentially, like, load malicious code from another web server. It doesn't even have to be hosted on
00:59
the target web server, which you'd think, how could that possibly happen? But it actually, again, depending on
01:04
how the code goes, you can include things, for instance, in PHP from
01:10
other applications just fine if you give it the path, so
01:15
that's possible. But this particular app doesn't have a remote file inclusion vulnerability.
01:19
It does, however, have a local file inclusion vulnerability
01:23
which will allow me to pull
01:26
local files.
01:32
Ah,
01:33
Take a look.
01:38
We go to
01:42
our newsletters, if it was in the right place. So I'm still Mike. If I go to profile and view newsletters,
01:49
then click on this newsletter here. I'm gonna turn on my Burp proxy again. So we intercepted,
01:59
so we can see the parameter is here. It's actually pulling this from C:\inetpub\wwwroot\book\newsletter\mike@mike.com, Web Hacking Reviewed, all that. So it gives us a full path.
02:15
So this is
02:16
going to allow us to actually pull in a file that
02:21
our web user has access to
02:24
into this
02:27
within the window. So I'll just leave it alone for now,
02:30
forward it on, and we get that
02:38
there. So we can pull other files
02:42
from the web server as well.
02:45
Again, anything on the file system
02:52
there, for instance,
02:57
gave it
03:01
edited this value
03:05
on
03:10
Set it to
03:23
Oh,
03:23
in the dark ticket. Now
03:30
here we are,
03:34
Login information is actually all in plaintext. Here's everybody's
03:38
password
03:40
in plaintext, including the user I created.
03:45
Mike's password was Mike, which we could guess.
03:50
You can also pull things off the file system again, anything that we have access to
03:54
as this IIS user, basically, because we don't have privileges on this,
04:01
that we could pull.
04:03
So,
04:04
gleaning information. If we had an
04:09
aspx backdoor on here that we had gotten up some other way, we might be able to execute it even
04:16
through here.
04:18
But seeing the passwords isn't too bad, really. Maybe there's a place that stores credit cards. Well, it's actually not in this app, but if it was a real app,
04:28
perhaps there would be.
04:30
Let's look at another thing.
04:32
On. Looks like a command execution.
04:40
Intercept off. Don't need it right now.
04:43
So actually, this thing called newsletter signup, right here.
04:47
So if we
04:54
get the
04:57
we saw that... actually, let's go back for a second.
05:00
I'm looking for the original
05:03
newsletters.
05:06
So actually, proxy. There's... intercept on.
05:11
church.
05:13
So it was on inetpub\wwwroot\book\newsletters\mike@mike.com. So it looks like
05:19
there's actually a folder there for each user that has
05:26
newsletters.
05:28
So my guess would be returned,
05:30
obviously I can be wrong. There's no
05:33
requirement that developers develop things the way I think they should.
05:39
Um,
05:40
but I would guess that this newsletter signup will actually create a folder
05:46
for the user that signs up. So what if I do? Georgia medicine, Boyd dot com
05:51
the signup,
05:53
but then in the process of creating that folder,
05:59
what if I do &&... and sometimes, I mean, it just depends on the underlying technology, like
06:04
or like that, and
06:09
things like that. I mean, it depends what the
06:13
syntax is gonna be to get the second
06:17
command. Like, ipconfig
06:20
and the output into C:
06:25
inet
06:28
wwwroot.
06:30
Look,
06:31
stop That
06:35
path from the previous vulnerability, and I do a subscribe.
06:43
Seems to have worked. All right, if I go to
06:46
that's not. First,
06:48
there's the output of my command, so we can actually execute some commands on the system. Again, we're gonna be limited by the user that we are,
06:59
but
07:00
could do something. Maybe some PowerShell.
07:05
Like we saw in our post-exploitation in section two,
07:11
make this a little bit cooler. You know
07:13
something we can try.

Up Next

Advanced Penetration Testing

This course covers how to attack from the web using cross-site scripting, SQL injection attacks, and remote and local file inclusion, and how to understand the defenders of the network you're breaking into. You'll also learn tricks for exploiting a network.

Instructed By

Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor