[00:00:01] File inclusion attacks. Now, in web applications, developers sometimes can include files stored on local or remote servers. Referencing files other than the ones in the webroot may cause a full system compromise if the server software executes the included file. So in this section we are going to discover some file inclusion vulnerabilities.

[00:00:30] There are basically two types of file inclusion: local or remote file inclusion. The local file inclusion comes out when the user accesses a local file out of the web root directory, and the accessed file is included in the execution environment of the web application. And remote file inclusion comes out when the user includes a remote file into the execution environment of the web application, so that way the included file is going to be executed with the actual content and served up to the user.

[00:01:09] Now, besides being an authorisation problem, some people can categorize path traversal and file inclusion vulnerabilities as input validation problems. No matter how you categorize it, it is up to us to evaluate how these vulnerabilities work.

[00:01:27] So go to Kali, and I'm going to show a basic file inclusion. So log in to bWAPP and from the menu above, go to Remote and Local File Inclusion. Now, you see there's a drop-down menu of languages, so when you choose a language and go, then the URL is changed to this.
[00:01:49] And then a language parameter is added with the value of the chosen language. But this value seems to me to be a page, lang_en.php. Yeah. So this is suspicious. So the application loads the language file when a user chooses that language, you see. So for us to benefit from this... Hmm. Maybe we're able to load another file on the system. What do you think?

[00:02:16] Well, let's go and enable FoxyProxy and click on Go. OK, so now go to Burp, and the request comes to Burp. But before forwarding, from the Action button let's send the request to the Repeater tool, and then let the request go. Now open up the Repeater tab. All right, so here's the request, so send it to the server. And it executes without any problem, so let's try to read the magic file on Linux. So instead of this file, type /etc/passwd and send the request.

[00:03:03] OK, so now let's look at the response. Here's the result. We can read a file out of the web directory. Now change the cookie security level to medium. OK, set this to 1. And send the same request. So it doesn't work this time, but look here. Because it appends an extension to the end of the file we provided.
[00:03:34] So we need to get rid of this extension to read the file content, and we do have a little trick for that. You want to know? All right. So just add a null byte to the end of the file: %00. And send the request. And scroll down, see the response, and the content of the file is here.

[00:03:58] All right, so now clear here and go back to low level. I want to show you another payload. So sometimes PHP wrappers can help us read a file on a system. So PHP comes with many built-in wrappers for various URL-style protocols for use with filesystem functions. So what I'll do is I'll just add a filter here: php://filter/resource=/etc/passwd. And the response has the file content.

[00:04:39] Yeah, so when you want to read special file types such as PHP or XML, it will break the execution. So in these types of situations, you can encode the file if you want to view it. So now I'm going to paste this payload here, and it'll convert the file to base64. Send the request. And what you see here is the response has the base64 output of the file, so I'm going to copy just that part, and open the Decoder and paste it here. And then decode as base64.
[00:05:23] OK, here is the content of the password file. Now, you may wonder what's the difference between path traversal and local file inclusion? Yeah, many people on the surface might confuse the two, but I'll tell you that in a path traversal flaw, the application will only read the contents of the file or directory and then display it. But in a file inclusion flaw, instead of displaying the content, the application will include the file as if it is an executable script and then execute it with the same privileges as the web application. So I think that's a pretty big difference, and it's, you know, the most evident difference between the two. But they're both very useful. OK, so let's exploit them then, in this way.
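As an added example (not code from the video or from bWAPP), the following Python scans constructed access-log lines for the three payload shapes walked through above (an absolute path, the %00 null byte, and a php://filter wrapper) and flags any language value that is not in an allowlist, which is also the fix: map a key to a file instead of including the user's string. The request path /page.php and the parameter name "language" are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the video); /page.php and the
# parameter name are assumptions, the payload values are the ones shown above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?language=lang_en.php&action=go HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /page.php?language=/etc/passwd&action=go HTTP/1.1" 200 2140
10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /page.php?language=/etc/passwd%00&action=go HTTP/1.1" 200 2140
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /page.php?language=php://filter/convert.base64-encode/resource=/etc/passwd&action=go HTTP/1.1" 200 2900
10.0.0.5 - - [01/Jan/2024:10:00:30 +0000] "GET /page.php?language=lang_fr.php&action=go HTTP/1.1" 200 5100
"""

# Only values of this shape are legitimate language files; anything else is rejected.
ALLOWED_VALUE = re.compile(r"^lang_[a-z]{2}\.php$")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def inspect_value(value: str) -> list:
    """Return the reasons a decoded parameter value looks like a file inclusion attempt."""
    reasons = []
    if "\x00" in value:
        reasons.append("null byte")        # %00 extension-truncation trick
    if "://" in value:
        reasons.append("stream wrapper")   # php://filter, or a remote URL for RFI
    if "../" in value or "..\\" in value:
        reasons.append("path traversal")
    if value.startswith("/"):
        reasons.append("absolute path")    # e.g. /etc/passwd outside the webroot
    return reasons

def scan_log(text: str) -> list:
    """Return (line_no, param, value, reasons) for every suspicious query parameter."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                value = unquote(raw)       # second decode catches double-encoded payloads
                reasons = inspect_value(value)
                if param == "language" and not ALLOWED_VALUE.match(value):
                    reasons.append("not in allowlist")
                if reasons:
                    findings.append((line_no, param, value, reasons))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```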