1
00:00:00,620 --> 00:00:07,130
So local file inclusion is really good because it allows us to read files on the server, and we might

2
00:00:07,130 --> 00:00:11,770
be able to read files with passwords or sensitive information.

3
00:00:11,910 --> 00:00:19,140
What would be really great is if we can actually gain full access or full control over the target server

4
00:00:19,230 --> 00:00:22,320
using local file inclusion vulnerabilities.

5
00:00:22,350 --> 00:00:29,190
So in this lecture we'll see how we can get a reverse shell by exploiting the local file inclusion vulnerability

6
00:00:29,190 --> 00:00:31,500
that we've seen in the previous lecture.

7
00:00:31,950 --> 00:00:39,300
So because they allow us to read files on the server, if we manage to write anything on that server,

8
00:00:39,420 --> 00:00:45,880
then we can write some malicious code and then browse it and get that code to be executed.

9
00:00:45,960 --> 00:00:48,270
So this is exactly what we're going to try to do.

10
00:00:48,270 --> 00:00:50,850
There are a number of methods to achieve that.

11
00:00:51,150 --> 00:00:57,840
So usually it's done using the log files, because the log files usually register or write stuff that

12
00:00:57,840 --> 00:00:59,140
happens on the server.

13
00:00:59,190 --> 00:01:06,030
So you can try to log in with a username, but instead of putting a username you put PHP code, or

14
00:01:06,030 --> 00:01:11,760
you can try to send an e-mail and then instead of the e-mail put PHP code, and then try to browse these

15
00:01:12,000 --> 00:01:18,140
files and the PHP code will be executed. The first method that we're going to have a look at

16
00:01:18,430 --> 00:01:21,390
is going to exploit the environ variable.

17
00:01:21,510 --> 00:01:29,270
So this is basically a file that contains an array of information about the current environment.

18
00:01:29,310 --> 00:01:31,730
So let's just have an example of this quickly.

19
00:01:31,740 --> 00:01:34,230
So right here I am on my Kali machine.

20
00:01:34,230 --> 00:01:39,420
I'm not attacking anything, I'm not on any server, and I'm just going to see what's the content of that file.

21
00:01:39,420 --> 00:01:42,890
So this file exists in all Linux operating systems.

22
00:01:43,110 --> 00:01:46,440
So I'm just going to open that file right now using the cat command.

23
00:01:50,100 --> 00:01:57,390
And as you can see, you'll see a number of environment variables that relate to the current environment.

24
00:01:57,450 --> 00:02:03,480
So what we're going to do now is we're going to try to open this file here in my browser instead of

25
00:02:03,480 --> 00:02:06,250
/etc/passwd.

26
00:02:06,330 --> 00:02:08,490
So it's going to be /proc/self/environ.

27
00:02:11,450 --> 00:02:12,450
OK.

28
00:02:14,560 --> 00:02:20,760
And as you can see, again we can see an array of variables about the current environment.

29
00:02:20,840 --> 00:02:29,530
What's interesting here is this variable, so we can see that the user agent is being sent and it's being

30
00:02:29,530 --> 00:02:30,960
displayed right here.

31
00:02:31,210 --> 00:02:36,880
Now the user agent basically is the current browser used by the user.

32
00:02:36,880 --> 00:02:42,130
So you can see that because I'm using Firefox, the website thinks that I'm using Firefox, which is

33
00:02:42,130 --> 00:02:42,660
correct.

34
00:02:42,760 --> 00:02:48,850
And that's because Firefox, every time you open a website, actually tells the website what browser

35
00:02:48,850 --> 00:02:49,110
it is.

36
00:02:49,110 --> 00:02:54,850
So this happens on our website, so we can see that Firefox is telling the website that the web browser

37
00:02:54,850 --> 00:02:59,670
is Firefox 5 and is running on Linux, whatever.

38
00:02:59,680 --> 00:03:06,670
So this is actually sent from the client, so we can actually modify this value.

39
00:03:06,870 --> 00:03:13,270
And what we're going to try to do is we're going to modify the user agent value and we're going to place

40
00:03:13,270 --> 00:03:17,370
code that will give us a reverse shell. Before we do that,

41
00:03:17,400 --> 00:03:20,700
let's make sure that the code will be executed on the server.

42
00:03:20,700 --> 00:03:28,450
So we're going to send just normal PHP code that will display PHP information, so I'm going to turn

43
00:03:28,450 --> 00:03:29,840
on my interceptor now.

44
00:03:30,040 --> 00:03:35,290
I showed you how to set up a proxy, so if you don't know how to do that, go back to that lecture and see how

45
00:03:35,290 --> 00:03:36,720
you can set up a proxy.

46
00:03:36,940 --> 00:03:43,860
So I just turned on the interceptor and I'm going to browse the exact same URL, and right here if we

47
00:03:43,860 --> 00:03:51,360
go on the headers you'll see that Firefox is sending the user agent right here, and it's Mozilla

48
00:03:51,590 --> 00:03:54,510
5 and then the next, whatever.

49
00:03:54,570 --> 00:03:59,910
So all we're going to do is we're going to modify this value and we're going to put PHP code, and the

50
00:03:59,910 --> 00:04:04,430
code I'm going to put is very simple; it'll basically just display the PHP information.

51
00:04:04,440 --> 00:04:07,370
So it's a function called phpinfo.

52
00:04:11,470 --> 00:04:13,330
Then I'm going to forward this packet

53
00:04:16,490 --> 00:04:23,680
and as you can see the PHP code got executed on the website, on the target website.

54
00:04:23,680 --> 00:04:29,320
This means if we send malicious code to this website we'll actually be able to gain full access, or we

55
00:04:29,320 --> 00:04:31,810
can get our code to be executed.

56
00:04:31,990 --> 00:04:34,880
Now you can literally send any PHP code you want.

57
00:04:34,960 --> 00:04:37,510
You can send code to files.

58
00:04:37,510 --> 00:04:43,540
You can send code to upload a file, or you can send one of the codes that were used before to gain

59
00:04:43,600 --> 00:04:44,790
a reverse connection.

60
00:04:44,890 --> 00:04:49,840
So that's what I'm going to do: I'm going to use the exact same code that we used before in the previous

61
00:04:49,840 --> 00:04:54,540
lectures to gain full control over the target computer.

62
00:04:54,550 --> 00:05:00,450
So I'm actually just going to type it down here in the terminal and then I'm going to copy it.

63
00:05:00,480 --> 00:05:06,230
So we're going to be using passthru and we're using netcat,

64
00:05:11,560 --> 00:05:18,190
and then we're going to put my IP address, and I'm going to use the port, which is, in this

65
00:05:18,220 --> 00:05:24,040
attack, I'm going to use 8888, and then end it with the semicolon.

66
00:05:24,160 --> 00:05:26,970
So it's the same as just a PHP function.

67
00:05:27,070 --> 00:05:29,290
We used that in the code execution lecture.

68
00:05:29,290 --> 00:05:34,180
So I'm literally just going to copy this and I'm going to inject it as the user agent.

69
00:05:34,180 --> 00:05:39,010
Now before I do that I'm going to listen on port 8888 for connections.

70
00:05:39,010 --> 00:05:42,310
So we're going to use the same code that we used before, again with netcat,

71
00:05:48,830 --> 00:05:50,590
and now we're listening for connections.

72
00:05:50,640 --> 00:05:52,560
We have our interceptor on.

73
00:05:52,560 --> 00:05:59,850
I'm going to browse the website, I'm going to enter, and I'm going to modify the user agent.

74
00:05:59,950 --> 00:06:05,260
Again, don't forget to put the question marks here because I only put the code there, so we have the opening

75
00:06:05,290 --> 00:06:14,680
and closing for PHP, and then we put our code, which is the passthru code and /bin/sh, our IP followed

76
00:06:14,680 --> 00:06:17,030
by the port that we're listening on.

77
00:06:17,110 --> 00:06:24,470
I'm going to enter and I'm going to forward, and as you can see we get a connection back using the local

78
00:06:24,470 --> 00:06:26,260
file inclusion vulnerability.

79
00:06:26,510 --> 00:06:29,180
Now I can browse files, I can do that.

80
00:06:29,390 --> 00:06:35,150
I can do ls, I can do id, and I can pretty much do anything I want on the server

81
00:06:35,150 --> 00:06:38,090
now that I have full shell access.

82
00:06:38,090 --> 00:06:45,020
So we were able to convert a local file inclusion vulnerability that can only show you files, or can

83
00:06:45,020 --> 00:06:47,360
only allow you to read files on the server.

84
00:06:47,360 --> 00:06:53,440
We were able to convert that and exploit it to get full access to the target server.

85
00:06:54,220 --> 00:07:02,100
All this is possible because we were able to write to the /proc/self/environ variable, which displays

86
00:07:02,140 --> 00:07:08,740
our user agent, and by changing the user agent to our PHP code we were able to run any PHP code that

87
00:07:08,740 --> 00:07:09,250
we want.