1
00:00:00,960 --> 00:00:06,660
The other vulnerability that we looked at was the file inclusion, and we looked at two types: the local

2
00:00:06,660 --> 00:00:12,660
file inclusion, which allowed us to include any file on the system and then read files, which will cause

3
00:00:12,660 --> 00:00:14,890
a file disclosure vulnerability.

4
00:00:15,000 --> 00:00:17,450
And then you'd be able to read any file on the server.

5
00:00:17,700 --> 00:00:23,460
And then we looked at the remote file inclusion, which is very dangerous, which allowed us to include

6
00:00:23,490 --> 00:00:25,610
any file from any web server.

7
00:00:25,620 --> 00:00:33,050
So we were able to include PHP shells and then get a connection from the target's computer. To prevent

8
00:00:33,050 --> 00:00:33,280
these,

9
00:00:33,290 --> 00:00:36,560
first of all, make sure you prevent the remote file inclusion,

10
00:00:36,560 --> 00:00:42,440
so that just in case anything goes wrong, people can't include files from outside your server. And you can do

11
00:00:42,440 --> 00:00:48,950
that the same way we enabled it, using the php.ini, only by disabling allow_url_fopen and

12
00:00:48,950 --> 00:00:50,020
allow_url_include.

13
00:00:50,270 --> 00:00:54,040
And if we go here to our Metasploitable, I'll just show you very quickly.

14
00:00:54,080 --> 00:01:01,510
So we do sudo nano, which is the text editor, and then the path to php.ini.

15
00:01:01,540 --> 00:01:03,520
It's the same file that we used.

16
00:01:03,540 --> 00:01:05,830
This is the file for the PHP settings.

17
00:01:06,120 --> 00:01:17,310
If you open that file, I'm going to do Ctrl+W and look for "url",

18
00:01:23,810 --> 00:01:32,640
and you make sure that allow_url_fopen is set to off and allow_url_include is set to off as well.

19
00:01:35,140 --> 00:01:42,310
Ctrl+X, Y and Enter, and that'll save it for you.

20
00:01:42,550 --> 00:01:46,960
The other way to prevent these exploits is to use static file inclusion.

21
00:01:46,960 --> 00:01:53,110
So instead of using dynamic file inclusion, which we see here, you can hard-code the files that you want

22
00:01:53,110 --> 00:01:56,900
to include in the code and not get them using GET or POST.

23
00:01:57,010 --> 00:02:02,350
For example, what's happening in the vulnerable examples we see is we have a page called

24
00:02:02,350 --> 00:02:10,490
page or index.php, and then this index.php takes a parameter called page, and then it takes

25
00:02:10,490 --> 00:02:16,430
another page, for example news.php, and it includes this news.php in the code.

26
00:02:16,490 --> 00:02:21,320
So what does the code look like? In the PHP code you'll see something like:

27
00:02:21,320 --> 00:02:22,070
include

28
00:02:30,870 --> 00:02:32,480
So what this will do,

29
00:02:32,530 --> 00:02:37,250
basically it looks like this, I believe. What this does:

30
00:02:37,250 --> 00:02:43,240
it includes whatever comes after the page parameter.

31
00:02:43,440 --> 00:02:50,250
So the code will dynamically take whatever comes in after the page parameter and include it in

32
00:02:50,250 --> 00:02:50,980
the current page.

33
00:02:50,990 --> 00:02:55,090
So this will be in the index page.

34
00:02:55,180 --> 00:03:01,230
OK, this is very bad because even if it's not GET, sometimes people use POST, and in POST you won't see

35
00:03:01,230 --> 00:03:03,360
this, so it will be posted.

36
00:03:03,360 --> 00:03:07,910
But you can use a proxy such as Burp Proxy, and this would look like that.

37
00:03:07,980 --> 00:03:12,770
And then you can modify it and get it to include anything you want,

38
00:03:12,780 --> 00:03:19,080
and then it's displayed on the page. What we really want to do is we want the user not to be able

39
00:03:19,080 --> 00:03:21,770
to manipulate what's going to be included.

40
00:03:21,780 --> 00:03:28,840
So if you wanted to include a page called news.php, just include it inside this without giving the

41
00:03:28,840 --> 00:03:35,110
user the ability to change it. I know you're going to program your code to just have it looking like

42
00:03:35,110 --> 00:03:36,190
this,

43
00:03:36,400 --> 00:03:42,340
but we've seen how users can play with this and just get it to include anything they

44
00:03:42,340 --> 00:03:42,810
want.

45
00:03:42,940 --> 00:03:46,640
So the best way to do it is just to get it to include page.php.

46
00:03:46,900 --> 00:03:49,510
So your code is not using any variables.

47
00:03:49,600 --> 00:03:50,950
It's hard-coded.

48
00:03:50,950 --> 00:03:54,780
It might make your code a bit longer, but it's much more secure.

49
00:03:58,130 --> 00:04:02,470
And this is exactly what the high security option does.

50
00:04:02,690 --> 00:04:05,800
So let's go back to the file inclusion first.

51
00:04:05,900 --> 00:04:12,920
And we're at the low, and if I view the source now you'll see that basically "file" is what you passed;

52
00:04:12,920 --> 00:04:18,230
the word file is what we pass through in here after the page parameter.

53
00:04:18,230 --> 00:04:21,860
And you can see that it tries to display everything that we send it.

54
00:04:21,860 --> 00:04:28,260
So when we send that /etc/passwd, it shows us the /etc/passwd.

55
00:04:28,270 --> 00:04:32,980
Now I'm actually going to keep this open, and I'm going to go through the security level, through the

56
00:04:32,980 --> 00:04:35,530
security, and I'm going to set it to high.

57
00:04:38,470 --> 00:04:46,060
Now the medium is similar to the low, so you can actually exploit it the same way

58
00:04:46,060 --> 00:04:47,810
that we exploited the low.

59
00:04:47,980 --> 00:04:54,870
So we're going to the high straight away and we're going to view the source, and I'm just going to minimize

60
00:04:54,870 --> 00:04:57,650
this so that we have the two sources next to each other, so we can compare them.

61
00:04:59,890 --> 00:05:05,680
So as you can see here, in the low and medium security level you can see that anything we pass through

62
00:05:05,680 --> 00:05:12,040
the file variable will be displayed to us, whereas in here at the high security level you can

63
00:05:12,040 --> 00:05:21,010
see that it is hard-coded, that it is only allowed to show us the include file. So you can modify

64
00:05:21,010 --> 00:05:21,940
this if statement.

65
00:05:21,940 --> 00:05:26,920
If you had a number of files that you wish to include, then you can allow them in here, or you can have

66
00:05:26,920 --> 00:05:27,920
them in a list.

67
00:05:27,940 --> 00:05:33,480
But basically the concept is you only allow the files that the user is allowed to see.

68
00:05:33,520 --> 00:05:38,650
So you can just have them in a list here, you can use an OR statement, or you can just have a list and

69
00:05:38,650 --> 00:05:45,650
say if the file is in this list then display it, otherwise give an error saying the file is not found.

70
00:05:46,300 --> 00:05:49,800
So avoid this; go with the hard-coded method.

71
00:05:49,870 --> 00:05:53,790
Yes, it doesn't look as pretty as this, but it's much more secure.
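The two inclusion styles the lecture contrasts, written out as an added example (this is not code from the lecture or from DVWA): the dynamic include that takes the page parameter verbatim, and the hard-coded allow-list version the lecture recommends, where the parameter is only a key into a fixed table and never a path. The `pages/` directory and the `news`/`about` keys are assumed for the example; the php.ini lines at the top are the two settings the lecture turns off.

```php
<?php
// Added example, not the lecture's own code. Assumed layout: includable
// pages live under ./pages/ and index.php is called as index.php?page=news
//
// The php.ini settings the lecture disables so that remote file inclusion
// is not possible even if the application code is wrong:
//   allow_url_fopen   = Off
//   allow_url_include = Off

// VULNERABLE (dynamic file inclusion): whatever arrives in the page
// parameter is included verbatim. A path such as ../../etc/passwd gives
// file disclosure, and with allow_url_include on a URL gives remote
// file inclusion. Kept only for comparison; do not deploy this.
function includePageDynamic(): void
{
    include $_GET['page'];
}

// SAFER (static file inclusion): the set of includable files is hard-coded.
// The request value is only used to look up an entry; it never becomes
// part of a filesystem path, so there is nothing for the user to manipulate.
const ALLOWED_PAGES = [
    'news'  => 'pages/news.php',
    'about' => 'pages/about.php',
];

function includePageStatic(string $key): void
{
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        // Unknown key: the "file not found" error the lecture suggests,
        // without echoing the user-supplied value back.
        http_response_code(404);
        echo 'File not found';
        return;
    }
    include ALLOWED_PAGES[$key];
}

// Default to the news page when no (or an empty) parameter is sent.
includePageStatic($_GET['page'] ?? 'news');
```

Extending the list is a one-line change to `ALLOWED_PAGES`, which is the "have them in a list" approach the lecture describes as an alternative to chaining OR conditions in an if statement; the important property is that every path in that list was written by the developer, not assembled from request data.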