1
00:00:01,760 --> 00:00:09,980
Local file inclusion vulnerabilities. These exploits or vulnerabilities allow you to read any file that

2
00:00:09,980 --> 00:00:12,870
is within the same server.

3
00:00:12,920 --> 00:00:21,230
So even if the file exists outside the /var/www, you'll be able to read it and read info with it.

4
00:00:21,270 --> 00:00:26,760
Now, why this vulnerability is critical: because you can read any files.

5
00:00:26,840 --> 00:00:34,160
So if the users are storing some sort of important files or password files, then you'll be able to read

6
00:00:34,160 --> 00:00:34,550
them.

7
00:00:34,580 --> 00:00:38,030
And then from there you can further exploit your target.

8
00:00:38,630 --> 00:00:44,330
Also, if there is a number of websites on the same server and you manage to find this on a website

9
00:00:44,330 --> 00:00:50,210
that you're not targeting, then you might be able to access files related to the website that

10
00:00:50,210 --> 00:00:54,820
you're targeting and then further exploit your website from there.

11
00:00:55,340 --> 00:01:00,800
So let's have a look at this. Also, the way we're going to be exploiting this vulnerability is

12
00:01:00,800 --> 00:01:02,280
through the URL.

13
00:01:02,390 --> 00:01:07,660
So usually in our code execution example we were writing the code in here.

14
00:01:07,930 --> 00:01:15,510
Now sometimes you might find the code execution vulnerability in the URL as well; it will be something

15
00:01:15,510 --> 00:01:16,670
like ?cmd.

16
00:01:16,800 --> 00:01:22,680
And then you put the command. Or, for example, in this case it would be ip= the IP, for example

17
00:01:22,680 --> 00:01:32,200
10.20.30.2 or 3, and then you put the sign and then you put your payload after it, for example.
18
00:01:32,220 --> 00:01:39,140
So because our example was just in the text box, the same is going to happen here in our file inclusion

19
00:01:39,150 --> 00:01:49,230
vulnerability. So we can see that when you're in here, in this URL, it's saying that this file is going

20
00:01:49,230 --> 00:01:53,940
to take a page and it's loading something called include.php.

21
00:01:54,060 --> 00:01:59,940
So it looks like it's actually loading another page, like this current page is loading another page called

22
00:01:59,990 --> 00:02:01,450
include.php.

23
00:02:01,680 --> 00:02:06,840
So again, you'd be browsing the web server and trying to get a feel of it, and you see something like

24
00:02:06,840 --> 00:02:12,720
this, or you see something called ip= the IP, and then you know that there is a ping, for example,

25
00:02:12,720 --> 00:02:14,930
from the previous video.

26
00:02:14,940 --> 00:02:20,160
So for this, we know that our target is trying to open a file and the file is called

27
00:02:20,310 --> 00:02:23,320
include.php.

28
00:02:23,390 --> 00:02:27,270
Let's see if there is actually a file called include.php.

29
00:02:27,560 --> 00:02:30,120
So I'm just going to remove everything here.

30
00:02:32,860 --> 00:02:35,970
And try to access include.php directly.

31
00:02:36,540 --> 00:02:41,400
And as you can see, we actually do have a file called include.php.

32
00:02:41,620 --> 00:02:47,330
It's not running properly, but it exists and it's in the same working directory.

33
00:02:47,420 --> 00:02:55,660
So let's try and see if we can read a file that is stored on the computer.

34
00:02:55,860 --> 00:02:59,400
And we're going to use a file called /etc/passwd.

35
00:02:59,430 --> 00:03:06,630
So that's the file which contains all the users and their paths on the current web server.

36
00:03:06,630 --> 00:03:10,950
So let's have a look at this.
37
00:03:11,030 --> 00:03:18,330
So /etc/passwd: this file contains all the users for the current operating system.

38
00:03:18,330 --> 00:03:28,020
So if I just go on my Kali right here, and if I run this here, if I just do cat /etc/passwd,

39
00:03:28,770 --> 00:03:37,290
you'll see all the users that I have on the current computer and their default path on the current operating

40
00:03:37,290 --> 00:03:38,170
system.

41
00:03:38,190 --> 00:03:42,970
So we're going to try to read this file, and to do that,

42
00:03:43,130 --> 00:03:46,240
let's go back and see our current location.

43
00:03:46,240 --> 00:03:51,320
So our current location is in the file inclusion directory.

44
00:03:51,320 --> 00:04:00,050
So we need to go back one, two, three, four, five times and then go to /etc/passwd. So going

45
00:04:00,050 --> 00:04:03,970
back would be done using the dot dot (..).

46
00:04:04,220 --> 00:04:06,160
And let's try and do that.

47
00:04:06,200 --> 00:04:10,690
So at the moment we're accessing this current file.

48
00:04:11,000 --> 00:04:15,270
And just to make it easier for you, actually let's just put the full path right here.

49
00:04:18,980 --> 00:04:22,470
So in page, it's trying to access this page.

50
00:04:22,520 --> 00:04:29,720
So what we actually want is a place called /etc/passwd, so we need to go back five times for these

51
00:04:29,720 --> 00:04:30,290
directories.

52
00:04:30,290 --> 00:04:34,200
So this one is going to be, to start, from here.

53
00:04:34,280 --> 00:04:39,140
So we're going like back,

54
00:04:41,760 --> 00:04:51,210
like, and back, and then we're going to go to /etc/passwd.

55
00:04:51,430 --> 00:04:56,550
And as you can see, now we have the output of the /etc/passwd file.

56
00:04:56,810 --> 00:04:59,470
We can copy that and store it here.
57
00:04:59,660 --> 00:05:05,510
And then you'll be able to read it and just get more information about the websites that you're targeting

58
00:05:05,570 --> 00:05:13,480
right now. Again, you can use this to try to access different files, sensitive files, or files of other

59
00:05:13,480 --> 00:05:15,440
websites on the same server.

60
00:05:18,680 --> 00:05:24,830
Now let's go to the security settings. I've set this to medium because I just want to show you

61
00:05:24,830 --> 00:05:32,040
that the medium setting, this can actually be exploited exactly the same way as the low level.

62
00:05:32,090 --> 00:05:34,270
So the security is set to Medium.

63
00:05:34,280 --> 00:05:40,260
I'm going to go back to file inclusion, and we're going to use the exploit the exact same way that we

64
00:05:40,260 --> 00:05:42,580
did it before.

65
00:05:42,740 --> 00:05:47,240
And as you can see, we managed to get the contents of /etc/passwd.