1
00:00:00,960 --> 00:00:07,560
All right, so in a previous lesson, we exploited the local file inclusion and we got a shell from

2
00:00:07,560 --> 00:00:08,100
the target.

3
00:00:10,120 --> 00:00:17,810
And if there are no extra checks, including a remote file into the current page is also very possible.

4
00:00:19,000 --> 00:00:22,080
So in this example, we're going to use the same page.

5
00:00:22,750 --> 00:00:25,030
Here's the language parameter in the URL.

6
00:00:27,050 --> 00:00:32,390
And it's very easy to validate if the application is vulnerable to RFI, so.

7
00:00:33,520 --> 00:00:36,310
Delete this here and write a website address.

8
00:00:37,090 --> 00:00:40,540
I'm just going to use imdb.com.

9
00:00:41,910 --> 00:00:47,910
And in just a moment, it will appear and yes, indeed, this is RFI.

10
00:00:49,530 --> 00:00:55,770
So now let's think of how we can take advantage of this, hmm, what do you think?

11
00:00:56,810 --> 00:00:59,030
All right, so let me lead you down the garden path.

12
00:00:59,920 --> 00:01:05,140
Open your terminal and list the files in the web directory of Kali.

13
00:01:08,420 --> 00:01:10,160
Now, see, I have two files here.

14
00:01:11,650 --> 00:01:13,990
So let's restart the Apache service.

15
00:01:19,840 --> 00:01:22,420
And sure enough, Apache is running now.

16
00:01:23,500 --> 00:01:25,600
So what do you suppose the plan is?

17
00:01:26,750 --> 00:01:30,860
I will serve a page on my local server on Kali.

18
00:01:31,930 --> 00:01:35,590
And then I will include that page into bWAPP.

19
00:01:36,490 --> 00:01:38,500
So I started the Apache web server.

20
00:01:40,600 --> 00:01:48,790
So then let's go to the browser again and change the language parameter to http://192

21
00:01:48,790 --> 00:01:56,230
.168.204.128/index.html and go.

22
00:01:58,170 --> 00:02:05,370
OK, so the index page is displayed by the application, so now instead of this page, we can provide

23
00:02:05,610 --> 00:02:07,500
a shell.

24
00:02:08,470 --> 00:02:09,520
So go to the terminal.

25
00:02:10,800 --> 00:02:15,960
Kali has some web shells to use in these wonderful situations.

26
00:02:16,910 --> 00:02:18,770
And you can view them just like this.

27
00:02:22,440 --> 00:02:26,760
Now I'm going to use the PHP version of the shells.

28
00:02:28,590 --> 00:02:34,080
So copy both the backdoor and the reverse shell.

29
00:02:35,210 --> 00:02:37,370
And paste them into the web root directory.

30
00:02:38,720 --> 00:02:41,810
So go to the web root directory.

31
00:02:43,960 --> 00:02:52,630
And the page files are here, so I'm going to use the backdoor first, so let's view the code to see

32
00:02:52,630 --> 00:02:53,320
what it is.

33
00:02:55,530 --> 00:02:58,350
Yeah, it's a little bit hard to read the code, but.

34
00:03:00,500 --> 00:03:04,370
Yeah, there's nothing to change here, so exit and go to the browser.

35
00:03:06,170 --> 00:03:12,340
And type http://192.168.204.128/

36
00:03:13,220 --> 00:03:18,650
php-backdoor.php and go.

37
00:03:20,300 --> 00:03:23,420
Yeah, so bWAPP loads the remote page on Kali.

38
00:03:24,760 --> 00:03:26,410
So this is a sample shell.

39
00:03:27,440 --> 00:03:29,330
It also has a few bugs.

40
00:03:30,640 --> 00:03:36,670
But the upload feature is great, so let's browse to upload a file.

41
00:03:38,120 --> 00:03:40,450
Uh, I choose this one.

42
00:03:42,300 --> 00:03:45,510
And type here the directory to upload the file to.

43
00:03:46,620 --> 00:03:48,510
Upload to the admin directory.

44
00:03:52,120 --> 00:03:54,910
And I think we've already uploaded, so go to bWAPP.

45
00:03:56,410 --> 00:03:57,850
Browse the admin directory.

46
00:04:00,220 --> 00:04:04,630
And there is the uploaded file, as you can see here.

47
00:04:06,360 --> 00:04:09,900
So this can be any executable as well.

48
00:04:11,430 --> 00:04:16,770
OK, you don't believe me? Go back to Kali now and use the reverse shell.

49
00:04:18,050 --> 00:04:19,730
And let's view the code.

50
00:04:22,240 --> 00:04:25,270
So I think this code is a little bit more readable than the previous one.

51
00:04:26,560 --> 00:04:31,150
But we do have something to change here, right at the beginning of the file.

52
00:04:32,070 --> 00:04:37,890
So change the IP variable to the IP address of Kali.

53
00:04:39,080 --> 00:04:46,280
And the port, to any port that you want to listen on, for example, it's just 443.

54
00:04:48,730 --> 00:04:54,340
And there is one last thing to do, change the extension to a text file.

55
00:04:56,900 --> 00:05:03,290
Because sometimes the content of the reverse shell can be truncated, so to be sure, we can change it.

56
00:05:04,190 --> 00:05:07,430
But sometimes, you know, I try it without a change and it works as well.

57
00:05:08,060 --> 00:05:10,090
OK, sorry, that might be a spoiler.

58
00:05:11,420 --> 00:05:13,880
So remember to restart Apache.

59
00:05:16,590 --> 00:05:22,770
And before leaving the terminal, I am going to start a netcat listener on port 443.

60
00:05:24,420 --> 00:05:28,590
So I just go back to the web browser and call this shell.

61
00:05:30,430 --> 00:05:33,700
I think the shell is included, so go to the terminal.

62
00:05:35,100 --> 00:05:37,380
And here is a pretty Bash shell.

63
00:05:38,420 --> 00:05:39,950
And you can type commands.

64
00:05:41,110 --> 00:05:47,620
All right, so that's a lot of fun and you can have a lot more fun with it, but for now we are done

65
00:05:47,620 --> 00:05:50,410
with file inclusion vulnerabilities.

