1
00:00:02,560 --> 00:00:10,400
Remote file inclusion is a special case of file inclusion vulnerabilities. We've seen in the previous

2
00:00:10,400 --> 00:00:18,020
video how we were able to include any file in the server and have access to it through local file inclusion

3
00:00:18,020 --> 00:00:20,710
vulnerabilities. In today's video,

4
00:00:21,110 --> 00:00:27,980
if the server is configured to allow a certain function called allow_url and allow_url_fopen,

5
00:00:27,980 --> 00:00:36,230
then we will be able to include any file from any computer into the target's website, so we will

6
00:00:36,230 --> 00:00:41,750
literally be able to inject any PHP file into the target's computer.

7
00:00:41,750 --> 00:00:44,590
What this would lead to is, basically, it will...

8
00:00:44,630 --> 00:00:51,830
We can run payloads, we can run reverse shells, and we can run even system commands and get access to

9
00:00:51,830 --> 00:00:55,400
the target, or full control to the target server.

10
00:00:55,400 --> 00:01:02,540
So first of all, let's just go here, and we'll be using the same file inclusion vulnerability that we were

11
00:01:02,540 --> 00:01:03,850
using in the previous video.

12
00:01:03,860 --> 00:01:07,280
So it's in the page parameter right here.

13
00:01:07,280 --> 00:01:14,600
The only difference is you need to enable the function that makes this, that converts the local file inclusion

14
00:01:14,780 --> 00:01:16,870
to a remote file inclusion.

15
00:01:16,940 --> 00:01:20,600
So hence the name: local allows you to access local files.

16
00:01:20,600 --> 00:01:27,020
Remote will allow you to access and inject remote files. So to enable that,

17
00:01:27,050 --> 00:01:28,850
I'm gonna go to my Metasploitable machine.

18
00:01:28,850 --> 00:01:33,320
I'm just gonna show you how to enable it so you can test this vulnerability yourself.

19
00:01:33,440 --> 00:01:37,040
So we're coming here to our Metasploitable.

20
00:01:37,040 --> 00:01:43,670
And I'm gonna go into the PHP settings. So the PHP settings are stored in a file, and to access that we're

21
00:01:43,670 --> 00:01:52,110
gonna use nano, which is a text editor, and then I'm gonna put the file location, which is in /etc/php5/

22
00:01:53,130 --> 00:01:57,290
cgi/php.ini.

23
00:01:57,450 --> 00:02:02,110
So that's the location where the PHP configuration is stored.

24
00:02:02,130 --> 00:02:07,890
I'm going to open it using a file editor called nano, and I'm just going to exit this.

25
00:02:07,890 --> 00:02:16,170
I'm going to open it as sudo, as root. Actually, in Kali we never needed to use sudo because we log

26
00:02:16,170 --> 00:02:22,460
in as root, but with Metasploitable you need to use sudo when you want to do root actions.

27
00:02:22,500 --> 00:02:27,540
So you say sudo and then you put the command that you want to run. OK.

28
00:02:27,570 --> 00:02:37,600
So these are the configurations for the PHP that's installed on the web server on the target, and we're

29
00:02:37,610 --> 00:02:42,260
looking for a function called allow_url_fopen.

30
00:02:42,360 --> 00:02:48,690
So I'm gonna type in Control and W at the same time, and that'll allow me to search, and I'm gonna search

31
00:02:48,690 --> 00:03:02,510
for allow_url, and we can see here that I have allow_url_fopen is On and allow_url_include

32
00:03:02,540 --> 00:03:03,950
is On as well.

33
00:03:03,950 --> 00:03:10,220
So these two functions, if they're enabled, then the local file inclusion vulnerability that we have can

34
00:03:10,220 --> 00:03:17,330
be used as a remote file inclusion. So to exit this, Control and X, and it's gonna ask you if you want

35
00:03:17,330 --> 00:03:23,550
to save; just type in y and Enter. For me, I didn't change anything so I don't need to do that. Once you

36
00:03:23,550 --> 00:03:25,700
do that, you need to restart your web server.

37
00:03:25,830 --> 00:03:38,430
So you're going to do /etc/init.d/apache2 restart, and you'll need to do this as

38
00:03:38,440 --> 00:03:45,010
sudo, actually, and this is done now, so everything should be ready for you.