1
00:00:01,412  -->  00:00:04,414
<v Instructor>Local file inclusion vulnerabilities.</v>

2
00:00:04,414  -->  00:00:07,300
These exploits or vulnerabilities allow you

3
00:00:07,300  -->  00:00:11,563
to read any file that is within the same server.

4
00:00:12,830  -->  00:00:17,830
So even if the file exists outside /var/www,

5
00:00:17,900  -->  00:00:21,150
you'll be able to read it and read info with it.

6
00:00:21,150  -->  00:00:24,100
Now, this vulnerability is critical

7
00:00:24,100  -->  00:00:26,780
because you can read any file,

8
00:00:26,780  -->  00:00:30,500
so if the users are storing some sort of important files

9
00:00:30,500  -->  00:00:34,460
or password files, then you'll be able to read them

10
00:00:34,460  -->  00:00:38,156
and then from there you can further exploit your target.

11
00:00:38,156  -->  00:00:41,970
Also, if there are a number of websites on the same server,

12
00:00:41,970  -->  00:00:44,270
and you manage to find this on a website

13
00:00:44,270  -->  00:00:45,680
that you're not targeting,

14
00:00:45,680  -->  00:00:48,054
then you might be able to access files related

15
00:00:48,054  -->  00:00:51,160
to the website that you're targeting

16
00:00:51,160  -->  00:00:53,873
and then further exploit your website from there.

17
00:00:55,450  -->  00:00:56,650
So let's have a look at this,

18
00:00:56,650  -->  00:00:58,700
and also, the way we're going to be

19
00:00:58,700  -->  00:01:01,483
exploiting this vulnerability is through the URL.

20
00:01:02,330  -->  00:01:05,620
So usually in our code execution example,

21
00:01:05,620  -->  00:01:07,790
we were writing the code in here,

22
00:01:07,790  -->  00:01:11,343
now sometimes you might find

23
00:01:11,343  -->  00:01:14,510
the code vulnerability in the URL,

24
00:01:14,510  -->  00:01:16,700
so it'll be something like CMD,

25
00:01:16,700  -->  00:01:18,070
and then you put the command,

26
00:01:18,070  -->  00:01:19,820
or for example, in this case,

27
00:01:19,820  -->  00:01:22,640
it would be IP equals the IP, for example,

28
00:01:22,640  -->  00:01:23,738
10.20.

29
00:01:23,738  -->  00:01:25,530
14.

30
00:01:25,530  -->  00:01:29,010
203, and then you put the sign

31
00:01:29,010  -->  00:01:32,150
and then you put your pwd after it, for example,

32
00:01:32,150  -->  00:01:35,383
so because our example was just in the text box,

33
00:01:36,350  -->  00:01:37,830
the same is gonna happen here,

34
00:01:37,830  -->  00:01:40,230
in our file inclusion vulnerability.

35
00:01:40,230  -->  00:01:43,590
So we can see that when you're in here,

36
00:01:43,590  -->  00:01:47,240
in this URL, it's saying that this

37
00:01:48,460  -->  00:01:50,350
file is going to take a page

38
00:01:50,350  -->  00:01:53,980
and it's loading something called include.php,

39
00:01:53,980  -->  00:01:56,760
so it looks like it's actually loading another page,

40
00:01:56,760  -->  00:01:59,550
like this current page is loading another page,

41
00:01:59,550  -->  00:02:01,690
called include.php,

42
00:02:01,690  -->  00:02:04,210
so again you'd be browsing the web server

43
00:02:04,210  -->  00:02:05,570
and trying to get a feel for it,

44
00:02:05,570  -->  00:02:07,690
and you see something like this,

45
00:02:07,690  -->  00:02:10,220
or you see something called IP equals

46
00:02:10,220  -->  00:02:11,940
the IP and then you know that there's a ping,

47
00:02:11,940  -->  00:02:14,427
for example, from the previous video,

48
00:02:14,427  -->  00:02:16,666
so for this, now we know that our target's

49
00:02:16,666  -->  00:02:18,720
trying to open a file,

50
00:02:18,720  -->  00:02:20,670
and the file is called include.php.

51
00:02:23,300  -->  00:02:24,960
Let's see if there is actually

52
00:02:24,960  -->  00:02:27,500
a file called include.php,

53
00:02:27,500  -->  00:02:29,973
so I'm just gonna remove everything here,

54
00:02:32,720  -->  00:02:36,410
and try to access include.php directly,

55
00:02:36,410  -->  00:02:38,930
and as we can see, we actually do have a file

56
00:02:38,930  -->  00:02:40,410
called include.php,

57
00:02:41,480  -->  00:02:43,060
it's not running properly,

58
00:02:43,060  -->  00:02:47,017
but it exists and it's in the same working directory,

59
00:02:47,017  -->  00:02:48,063
so,

60
00:02:49,300  -->  00:02:52,600
let's try and see if we can read a file

61
00:02:52,600  -->  00:02:55,750
that is stored on the computer,

62
00:02:55,750  -->  00:02:59,490
and we're going to use a file called /etc/passwd.

63
00:02:59,490  -->  00:03:01,970
So that's the file which contains all the users

64
00:03:01,970  -->  00:03:06,540
and their paths on the current web server.

65
00:03:06,540  -->  00:03:08,340
So,

66
00:03:08,340  -->  00:03:09,640
let's have a look at this,

67
00:03:10,950  -->  00:03:12,443
so /etc,

68
00:03:13,890  -->  00:03:16,840
this file contains all the users

69
00:03:16,840  -->  00:03:18,250
for the current operating system.

70
00:03:18,250  -->  00:03:20,610
So if I just go on my Kali right here,

71
00:03:20,610  -->  00:03:22,640
and if I run it here,

72
00:03:22,640  -->  00:03:24,103
if I just do cat,

73
00:03:25,670  -->  00:03:30,590
/etc/passwd, you'll see all the users that I have

74
00:03:30,590  -->  00:03:32,870
on the current computer,

75
00:03:32,870  -->  00:03:37,870
and their default path on the current operating system.

76
00:03:38,120  -->  00:03:40,233
So, we're going to try to read this file,

77
00:03:41,440  -->  00:03:43,010
and to do that,

78
00:03:43,010  -->  00:03:46,190
let's go back and see our current location.

79
00:03:46,190  -->  00:03:49,650
So our current location is in the FI file,

80
00:03:49,650  -->  00:03:51,240
and the FI directory,

81
00:03:51,240  -->  00:03:52,673
so we need to go back,

82
00:03:53,590  -->  00:03:57,950
one, two, three, four, five times and then

83
00:03:57,950  -->  00:03:59,620
go to /etc/passwd,

84
00:03:59,620  -->  00:04:02,073
so going back would be done using the dot dot,

85
00:04:04,150  -->  00:04:06,130
and let's try and do that.

86
00:04:06,130  -->  00:04:10,910
So, at the moment we're accessing this current file,

87
00:04:10,910  -->  00:04:13,240
and just to make it easier for you actually,

88
00:04:13,240  -->  00:04:15,240
let's just put the full path right here,

89
00:04:18,890  -->  00:04:22,430
so in the page, it's trying to access this page,

90
00:04:22,430  -->  00:04:25,049
so what we need, we actually want a place called

91
00:04:25,049  -->  00:04:27,989
/etc/passwd, so we need to go back

92
00:04:27,989  -->  00:04:30,210
five times for these directories,

93
00:04:30,210  -->  00:04:34,200
so this one is going to be the start time from here,

94
00:04:34,200  -->  00:04:37,965
so we're going back,

95
00:04:37,965  -->  00:04:40,321
back,

96
00:04:40,321  -->  00:04:42,070
back,

97
00:04:42,070  -->  00:04:42,903
back,

98
00:04:44,260  -->  00:04:47,160
and back, and then we're going to go to /etc/

99
00:04:48,161  -->  00:04:49,583
passwd,

100
00:04:51,340  -->  00:04:53,650
and as you can see, now we have the output

101
00:04:53,650  -->  00:04:55,823
of the /etc/passwd file,

102
00:04:56,710  -->  00:04:59,550
we can copy that and store it here,

103
00:04:59,550  -->  00:05:01,560
and then you'll be able to read it

104
00:05:01,560  -->  00:05:04,148
and just get more information about the websites

105
00:05:04,148  -->  00:05:06,143
that you're targeting right now.

106
00:05:07,400  -->  00:05:09,789
Again, you can use this to try to access

107
00:05:09,789  -->  00:05:12,910
different files, sensitive files, or files

108
00:05:12,910  -->  00:05:15,123
of other websites on the same server.