File Inclusion Vulnerabilities

00:00

file inclusion vulnerabilities

00:03

in this lesson, we're going to understand what file inclusion vulnerabilities are and also demonstrate how to exploit both local file inclusion

00:11

and remote file inclusion vulnerabilities.

00:15

So what does file inclusion? Well, we saw with the FTp where we could enumerate the directories going back beyond the root of that FTp server.

00:24

So that's basically what we're looking at here. But in a web application where if you do dot dot slash dot dot slash dot dot slash, you can go back into that server and you can enumerate things like the etc. Password file or any file that the server has permissions to access, or whatever the user is for that server, which is usually dub, dub, dub data.

00:47

Or it could be a demon you have or Damon, you whatever, however you spell it, but you can go back into the server and look at various files.

00:57

So this affects PHP based applications mostly. And

01:03

it basically is a way that developers

01:06

develop PHP code where they can include files within the web server, but they don't code it properly. And that allows us as Attackers to go back and either look at files within the server itself

01:19

or also include files remotely from our server.

01:26

So when we talk about local file inclusion, what we're talking about is the ability to lead read files on that machine

01:34

and you'll see for Lennox machines at T password is a file that most people look for one because it's everyone can read it most usually. And the other time is because you can enumerate the users on that machine.

01:49

So if I know what the users are on that machine, I can then try to look look for things like

01:56

ssh keys to ssh into the machine.

02:00

Um, and here's some common files for Lennox etc, password etc issues at sea group.

02:06

If someone is mis configured the etc. Shadow file making meaning is globally readable. You can read this also. If the server is running with escalated privileges like root,

02:19

then you can read the shadow file, in which case if you get the etc. Shadow file and that's your password file, etc. Password file, you can combine them and crack the password. In theory, if it's a password that's not too crazy. We'll talk about that later in the password cracking lab

02:35

for Windows. These are some files you can look for as well. Windows system 32 drivers, etc. Hosts. It's like the host file and Lennox

02:43

and some other ones. Users, you have to know what the user name is, desktop I and I

02:49

um or when I and I is something that you can look for as well.

02:53

It's important to know whether you're on a Windows machine or Lennox machine. Right? Because if you're looking for the sc password file on Windows, you're not gonna, something's gonna pop up.

03:01

I've done that before. I think a lot of other people have to.

03:07

So

03:07

again, you can only look at the files that you have access to view, which is the permissions of whatever that server is running at. So like I said, if it's not running with escalated privileges, you're not going to be able to see things like um like the like the shadow file or files for users that that that

03:28

whatever the server is can't view.

03:30

So you may try to be looking for certain files and not pull them up and be wondering why because you don't have the right permissions to view it.

03:42

So here's the etc password file. As you can see, this is a vulnerability in a Wordpress plug in. This might be important later in your lab just telling you.

03:51

So as we can see here, if we look we have a bit NAMI user. So that's an important thing to know. Um, and also note some of the other services that are running this is kind of an ugly output.

04:02

What I like to do is right click and view the source and it usually is a nicer view than this.

04:12

All right. So now what? So like I said that Vietnam the user is 1000. I can try to see if there uh, if they're private key is accessible. If it's mis configured and I can view it, then I can log in as them with Ssh.

04:27

That's of course if SSS is enabled and running on Port 22 or whatever hidden port it might be on.

04:33

Also can you view logs, maybe there's passwords or user names in different log files and you can you can view that again. This is something that comes with time and knowing what kind of servers running if it's an Apache server where the log, where the log files stored if its engine X

04:53

where those stored. Again, a lot of googling.

04:55

And also like I said, can you leverage LF I with another service? If you can view private keys, you can ssh onto it. Like we saw we had FTP access or SMB access on a server. If you can upload that file to the FTP server, SMB, you can then leverage LF I to activate

05:15

that file. So

05:17

that's another thing that we can think about as well in accessing a may be executed all file. We can go back and you're on a Windows box, we can use LF I to hit that file. Txt file then activated.

05:30

You get a shell

05:32

remote file inclusion. So this is where we can load files from our own server

05:36

and of course you wanna get a shell doing this. I'm gonna show you this in the demo keep in mind the architecture, like I said, this this affects PHP but think about the architecture of the application is at a S P is a java.

05:49

Um again Arifi affects PHP but think about what kind of shell we're gonna need on the box.

06:00

So here's how it works for our fight to work.

06:03

Um it has to be mis configured or I shouldn't say mis configured but configured differently than its default.

06:11

So it has to have allow your LF open on and allow your I'll include on

06:15

which is set to off by default. So you have to get lucky with or if I

06:23

also keep in mind when you do are if I maybe it's looking for a certain file. So what I'll do is I'll set up Net Cat on a certain port and I'll put my, here's the example. It's like filter dot PHP and my server and I see this looking for this WP low dot PHP. So I will make my

06:43

file my shell

06:45

that name, WP hyphen or attack load dot PHP. So because that's what it's looking for. If I name it something else, it won't be looking for that file and it won't activate the shell.

06:57

You can also use things like the null byte percent 00 at the end. That might work as well. Uh that works with older versions of PHP, newer versions. It doesn't so

07:06

try that, give it a try. Sometimes it works. Sometimes it will work or it won't just depending on the version of PHP.

07:15

So what we'll do is we'll create a reverse shell

07:18

and we'll make it a text file

07:20

a lot of times that I've done this, I've had a PHP file,

07:25

uh and I will activate it and I'll look at my maternal intercession, it will open on my own host.

07:31

So a lot of these servers are made so that if you have a text file, it looks at it differently than if you name it a PHP file. So I know I showed you the last one is looking for a certain file. In that case the PHP file worked. But if you're trying to do our F. I, and you're noticing that the interpreter sessions opening up on your own machine,

07:54

try to rename the PHP file to a text file.

08:00

So in D V W A um if you're using it and you've configured it correctly, you'll add your I. P. To the end. I'm gonna show you a demo of this so I'm not going to go over it in depth here.

08:13

What will happen is you should get a shell and I adapted this from the steps in the municipal unleashed um course. So they don't they don't do all this. They don't show you how to get a shell, but because we're practicing for oh SCP

08:26

Shell is important.

08:28

Yeah.

08:30

So I'm going to do a demo after this and actually show you how to get a shell.

08:35

But in summary now we should understand what file inclusion vulnerabilities are. And I'm going to demonstrate how to exploit both local file inclusion and remote file inclusion Vulnerabilities,