How to Exploit PHP File Inclusion in Web Apps

File inclusion can allow an attacker to view files on a remote host they shouldn’t be able to see, and it can even allow the attacker to run code on a target.

To demonstrate these vulnerabilities, we’ll be practicing PHP file inclusion using the Damn Vulnerable Web App. We’ll cover how both remote file inclusion and local file inclusion work, with the goal of achieving shell access to the vulnerable host.

In our first example, we will be looking at a local file inclusion (LFI). This kind of file inclusion includes files already present on the remote host. It can be used to view configuration files, search for interesting documents, and get a low-privilege shell. This type of inclusion is present in PHP, JSP, ASP, and other languages.


In our second example, we look at remote file inclusion (RFI). It is essentially the same concept, the difference being that the attacker isn’t limited to what is available on the remote host. An attacker can include files directly from their own machine for execution by the remote host. This type of inclusion is also present in many programming languages.

Local File Inclusion

Local file inclusion allows you to read files on the vulnerable host and, if you have the ability to modify files on the local host, execute code as well. For example purposes, I will be using the Damn Vulnerable Web App, or just DVWA for short, running on a virtual machine on my local network. Full instructions for setting it up can be found on DVWA’s GitHub page.


Step 1: Test the LFI

In this basic LFI scenario, we will use a local file inclusion to gather information on the remote host and then exploit a vulnerability allowing us to get a root shell. Below is the default “File Inclusion” page in DVWA, which can be found from the menu on the left.

First, I will test to see if I can read a common file such as /etc/passwd. To do so, I input enough previous directories to get me back to root, then input the path for /etc/passwd.

In this case, we use directory traversal to access the /etc/passwd file. In most operating systems, .. represents the previous directory. Since we don’t actually know what directory the app is reading files from, we tell the app to go back a bunch of directories, and then to /etc/passwd.

As expected, I am able to recover the /etc/passwd file. Of course, this isn’t limited to /etc/passwd; it can be used to recover any file that the web app user has read privileges on.

Let’s break it down a little bit more with an example path. When we execute these attacks, we don’t actually know the working directory of the application; it could be buried deep in a directory tree or it might be in a user’s home directory. That’s fine. Any previous directories beyond the root directory of the filesystem are ignored. This path goes back to the root directory, and then from there, to /etc/passwd.
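The path behaviour described above, and the check that stops it, as an added example that is not part of the original article or of DVWA. It models what an include() of a user-supplied path resolves to (extra ".." above "/" are dropped, exactly as the text says), then shows the two defensive checks a practitioner would put in front of such an include: a containment test against a base directory and a strict allowlist. BASE_DIR and ALLOWED_PAGES are assumed values constructed for the example.

```python
import posixpath

# Constructed assumption: the directory the hypothetical app reads pages from.
BASE_DIR = "/var/www/html/vulnerabilities/fi/pages"

# Constructed assumption: the only page names the app should ever include.
ALLOWED_PAGES = {"include.php", "about.php"}


def resolve_like_include(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Return the absolute path an include() of user_path would open.

    Relative paths are resolved against base_dir. normpath() collapses "..",
    and any ".." that would climb above "/" is discarded, which is why a long
    run of "../" reliably lands on /etc/passwd regardless of the real depth.
    This is a purely lexical model: real filesystem symlinks are not followed.
    """
    if not user_path.startswith("/"):
        user_path = posixpath.join(base_dir, user_path)
    return posixpath.normpath(user_path)


def is_contained(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """Defensive check: True only if the resolved path stays inside base_dir.

    The trailing "/" in the prefix test prevents a sibling such as
    ".../pages2/x" from passing as if it were inside ".../pages".
    """
    resolved = resolve_like_include(user_path, base_dir)
    base = posixpath.normpath(base_dir)
    return resolved == base or resolved.startswith(base + "/")


def safe_page(user_path: str):
    """Allowlist approach: accept a bare, known filename or reject outright.

    Returns the full path to include, or None when the request is rejected.
    Rejecting anything that is not exactly a bare allowlisted name removes
    traversal, absolute paths and remote URLs in one step.
    """
    name = posixpath.basename(user_path)
    if user_path != name or name not in ALLOWED_PAGES:
        return None
    return posixpath.join(BASE_DIR, name)


if __name__ == "__main__":
    for p in ["include.php", "../../../../../../../../etc/passwd", "/etc/passwd"]:
        print(f"{p!r:48} -> {resolve_like_include(p)}  contained={is_contained(p)}  allowed={safe_page(p)}")
```

Containment checks of this kind are only as good as the resolution that precedes them; in production, resolve the real path (realpath) and apply the same prefix test, or better, avoid passing user input to include() at all and use the allowlist form.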


This is incredibly useful for scenarios where you need to read configuration files. Some LFIs will work when you aren’t logged into the app, and you can find usernames and passwords or other useful information in the configuration files.

Now that we know local file includes work on this app, how do we get a shell back?

Step 2: Inject Code

In this case, I’m going to take the easy route and insert the code for my shell into the log files, then access it with the web app. First, I verify that I can access the log files. In some cases, these may not be readable.

If we have done our initial recon, we will have some idea of what type of system we are up against, including what type of web server the host is running. Armed with this knowledge, we can ascertain the path of the log files.

In this example, we have an Apache server, and the default location for Apache logs is /var/log/apache2/ or /var/log/apache/. As we can see below, I’ve successfully included the Apache access log into the page.

Next, we check for command execution. Using Netcat, I connect to my web server and send some PHP code.

nc 192.168.1.111 80

What I’m doing here is sending PHP code directly to the web server. This will allow me to read back the log file using the web app, which will execute any PHP it comes across.


Now, I have PHP in the log file to execute a directory listing. Let’s see if it worked:

I can see below that the ls command worked, and my code was executed on the remote host. We included the Apache log file into the app, then PHP reads through the log file and prints its text contents to the top of the page. When the PHP interpreter hits our code to execute ls on the system, it executes it.

I’ve highlighted the portion where our code was executed; the rest of the text is just the Apache log file. We’ve got RCE, which means I’m just a step away from a shell.
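Every step of the technique above leaves a trace in the same access log it abuses. The following is an added example, not from the original article or from DVWA, of how a defender can scan Apache combined-format log lines for the signs of it: directory traversal in a parameter, requests for /etc/passwd, attempts to include the log file itself, PHP open tags written into the log (the poisoning step), and URL-valued parameters (the remote inclusion case from the introduction). The log lines, IP addresses and the "page" parameter name are all constructed for the example; the PHP tag in the sample line is an inert marker.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (Apache combined format); none of these lines come
# from the original page. The "<?php ... ?>" line is an inert marker that
# stands in for a poisoning request, which is logged even though it 404s.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /vulnerabilities/fi/?page=../../../../../../../etc/passwd HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /vulnerabilities/fi/?page=..%2F..%2F..%2F..%2Fvar/log/apache2/access.log HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /<?php /* constructed marker */ ?> HTTP/1.1" 404 490 "-" "-"
10.0.0.9 - - [01/Jan/2024:10:00:25 +0000] "GET /vulnerabilities/fi/?page=http://10.0.0.9/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Ordered so that findings come out in a stable sequence.
RULES = [
    ("traversal", re.compile(r"\.\./|\.\.\\")),
    ("sensitive-file", re.compile(r"/etc/(passwd|shadow)\b")),
    ("log-file-include", re.compile(r"/var/log/|\b(access|error)\.log\b")),
    ("php-tag", re.compile(r"<\?(php\b|=)", re.IGNORECASE)),
    ("remote-include", re.compile(r"[?&]\w+=(https?|ftp|php|data):", re.IGNORECASE)),
]


def classify(line: str):
    """Parse one log line and return {ip, ts, status, findings} or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Request line, referer and user agent are all attacker-controlled and all
    # end up in the log, so inspect them together. Decode twice to catch %252e.
    fields = " ".join((m.group("req"), m.group("ref"), m.group("ua")))
    decoded = unquote(unquote(fields))
    findings = [name for name, rx in RULES if rx.search(decoded)]
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "findings": findings}


def scan(log_text: str):
    """Return only the parsed lines that triggered at least one rule."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits


def hits_by_source(log_text: str) -> Counter:
    """Count flagged requests per source address, for triage and blocking."""
    return Counter(rec["ip"] for rec in scan(log_text))


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["status"], ",".join(rec["findings"]))
    print(hits_by_source(SAMPLE_LOG))
```

A 200 response to a traversal request and a successful include of the log file from the same address within seconds is the sequence to alert on, and the 404 line carrying a PHP tag is the tell that the log is being seeded rather than merely read.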