1
00:00:02,610 --> 00:00:10,470
Remote file inclusion is a special case of file inclusion vulnerabilities. We've seen in the previous

2
00:00:10,470 --> 00:00:17,580
video how we were able to include any file in the server and have access to it through local file

3
00:00:17,580 --> 00:00:19,710
inclusion vulnerabilities.

4
00:00:19,710 --> 00:00:27,300
In today's video, if the server is configured to allow a certain function called allow_url and

5
00:00:27,300 --> 00:00:35,750
allow_url_fopen, then we will be able to include any file from any computer into the target's website.

6
00:00:35,880 --> 00:00:41,690
So we'll literally be able to inject any PHP file into the target computer.

7
00:00:41,790 --> 00:00:48,210
What this would lead to is basically, if we can run payloads, we can run reverse shells and we can run

8
00:00:48,210 --> 00:00:55,090
even system commands and get access to the target, or full control of the target server.

9
00:00:55,470 --> 00:01:02,610
So first of all let's just go here, and we'll be using the same file inclusion vulnerability that we were

10
00:01:02,610 --> 00:01:03,920
using in the previous video.

11
00:01:03,930 --> 00:01:07,200
So it's in the page parameter right here.

12
00:01:07,350 --> 00:01:14,070
The only difference is you need to enable the function that makes this, that converts the local file

13
00:01:14,070 --> 00:01:17,010
inclusion to a remote file inclusion.

14
00:01:17,010 --> 00:01:20,580
So, as the name says, local allows you to access local files.

15
00:01:20,650 --> 00:01:28,590
Remote will allow you to access and inject remote files. So to enable that I'm going to go to my Metasploitable

16
00:01:28,590 --> 00:01:33,250
machine. I'm just going to show you how to enable it so you can test this vulnerability yourself.

17
00:01:33,510 --> 00:01:40,800
So we're coming here to our Metasploitable and I'm going to go into the PHP settings. So the PHP settings

18
00:01:40,800 --> 00:01:46,090
are stored in a file, and to access that we're going to use nano, which is a text editor.

19
00:01:46,380 --> 00:01:54,060
And then I'm going to put the file location, which is in /etc/php5/cgi

20
00:01:54,960 --> 00:01:57,380
and php.ini.

21
00:01:57,510 --> 00:02:02,080
So that's the location where the PHP configuration is stored.

22
00:02:02,140 --> 00:02:04,200
I'm going to open it using a file is circled.

23
00:02:04,210 --> 00:02:07,940
Not know and I'm just going to exit this.

24
00:02:07,940 --> 00:02:16,380
I'm going to open it as sudo, as root. Actually in Kali we never needed to use sudo because we're logged in

25
00:02:16,410 --> 00:02:17,230
as root.

26
00:02:17,430 --> 00:02:18,120
But

27
00:02:18,270 --> 00:02:22,510
in Metasploitable, well, you need to use sudo when you want to do root actions.

28
00:02:22,560 --> 00:02:27,320
So you say sudo and then you put the command that you want to run.

29
00:02:27,320 --> 00:02:37,380
OK, so these are the configurations for the PHP that's installed on the web server on the target.

30
00:02:37,390 --> 00:02:42,280
And we're looking for a function called allow_url_fopen.

31
00:02:42,400 --> 00:02:48,340
So I'm going to type in Control and W at the same time, and that'll allow me to search, and I'm going

32
00:02:48,340 --> 00:02:49,300
to search for

33
00:02:53,480 --> 00:03:03,990
url, and we can see here that I have allow_url_fopen is on and allow_url_include is on as well.

34
00:03:04,020 --> 00:03:10,290
So these two functions, if they're enabled, then the local file inclusion vulnerability that we have can

35
00:03:10,290 --> 00:03:16,280
be used as a remote file inclusion. So to exit this, Control and X.

36
00:03:16,300 --> 00:03:20,020
And it's going to ask you if you want to save; just type Y and Enter.

37
00:03:20,170 --> 00:03:23,210
For me, I didn't change anything so I didn't need to do that.

38
00:03:23,230 --> 00:03:30,580
Once you do that you need to restart your web server, so you're going to do /etc/init.d/

39
00:03:32,120 --> 00:03:40,190
apache2 restart, and you'll need to do this as sudo actually.

40
00:03:41,290 --> 00:03:45,240
And this is done now, so everything should be ready for you.