1
00:00:01,760 --> 00:00:09,980
Local file inclusion vulnerabilities: these exploits or vulnerabilities allow you to read any file that
2
00:00:09,980 --> 00:00:12,870
is within the same server.
3
00:00:12,920 --> 00:00:21,230
So even if the file exists outside the /var/www, you'll be able to read it and read info within it.
4
00:00:21,270 --> 00:00:26,760
Now why this vulnerability is critical because you can read any files.
5
00:00:26,840 --> 00:00:34,160
So if the users are storing some sort of important files or passwords files then you'll be able to read
6
00:00:34,160 --> 00:00:34,550
them.
7
00:00:34,580 --> 00:00:38,030
And then from there you can further exploit your target.
8
00:00:38,630 --> 00:00:44,330
Also if there is a number of Web sites on the same server and you manage to find this on a Web site
9
00:00:44,330 --> 00:00:50,210
that you're not targeting then you might be able to access files related to that to the Web site that
10
00:00:50,210 --> 00:00:54,820
you're targeting and then further exploit your Web site from there.
11
00:00:55,340 --> 00:01:00,800
So let's have a look on this, and also the way we're going to be exploiting this vulnerability is
12
00:01:00,800 --> 00:01:02,280
through the URL.
13
00:01:02,390 --> 00:01:07,660
So usually in our code execution example we were writing the code in here.
14
00:01:07,930 --> 00:01:15,510
Now sometimes you might find the code execution vulnerability in the URL, so it will be something
15
00:01:15,510 --> 00:01:16,670
like cmd.
16
00:01:16,800 --> 00:01:22,680
And then you put the command or for example in this case it would be IP equals to the IP for example
17
00:01:22,680 --> 00:01:32,200
10 20 30 two or three and then you do put the sign and then you put your pwd after it for example.
18
00:01:32,220 --> 00:01:39,140
So because our example was just in the text box, same is going to happen here in our file inclusion
19
00:01:39,150 --> 00:01:49,230
vulnerability. So we can see that when you're in here, in this URL, it's saying that this file is going
20
00:01:49,230 --> 00:01:53,940
to take a page and it's loading something called include.php.
21
00:01:54,060 --> 00:01:59,940
So it looks like it's actually loaded another page like this current page is loading another page called
22
00:01:59,990 --> 00:02:01,450
include.php.
23
00:02:01,680 --> 00:02:06,840
So again you'd be browsing the web server and trying to get a feel of it and you see something like
24
00:02:06,840 --> 00:02:12,720
this or you see something called IP equals the IP and then you know that there is a ping for example
25
00:02:12,720 --> 00:02:14,930
for the previous video.
26
00:02:14,940 --> 00:02:20,160
So for this, we know that our target is trying to open a file and the file is called
27
00:02:20,310 --> 00:02:23,320
include.php.
28
00:02:23,390 --> 00:02:27,270
Let's see if there is actually a file called include.php.
29
00:02:27,560 --> 00:02:30,120
So I'm just going to remove everything here.
30
00:02:32,860 --> 00:02:35,970
And try to access include.php directly.
31
00:02:36,540 --> 00:02:41,400
And as you can see we actually do have a file called include.php.
32
00:02:41,620 --> 00:02:47,330
It's not running properly but it exists and it's in the same working directory.
33
00:02:47,420 --> 00:02:55,660
So let's try and see if we can read a file that is stored in the computer.
34
00:02:55,860 --> 00:02:59,400
And we're going to use a file called /etc/passwd.
35
00:02:59,430 --> 00:03:06,630
So that's the file which contains all the users and their path is on the current web server.
36
00:03:06,630 --> 00:03:10,950
So let's have a look on this.
37
00:03:11,030 --> 00:03:18,330
So it is see this file contains all the users for the current operating system.
38
00:03:18,330 --> 00:03:28,020
So if I just go on my Kali right here and if I run this here, if I just do cat /etc/passwd
39
00:03:28,770 --> 00:03:37,290
you'll see all the users that I have on the current computer and their default path on the current operating
40
00:03:37,290 --> 00:03:38,170
system.
41
00:03:38,190 --> 00:03:42,970
So we're going to try to read this file and to do that.
42
00:03:43,130 --> 00:03:46,240
Let's go back and see our current location.
43
00:03:46,240 --> 00:03:51,320
So our current location is in the file in the directory.
44
00:03:51,320 --> 00:04:00,050
So we need to go back one two three four five times and then go to /etc/passwd. So going
45
00:04:00,050 --> 00:04:03,970
back would be done using the dot dot.
46
00:04:04,220 --> 00:04:06,160
And let's try and do that.
47
00:04:06,200 --> 00:04:10,690
So at the moment we're accessing this current file.
48
00:04:11,000 --> 00:04:15,270
And just to make it easier for you actually let's just put the full path right here.
49
00:04:18,980 --> 00:04:22,470
So in the page it's trying to access this page.
50
00:04:22,520 --> 00:04:29,720
So all we need, we actually want a place called /etc/passwd, so we need to go back five times for these
51
00:04:29,720 --> 00:04:30,290
directories.
52
00:04:30,290 --> 00:04:34,200
So this one is going to be to start them from here.
53
00:04:34,280 --> 00:04:39,140
So we're going like back
54
00:04:41,760 --> 00:04:51,210
like and back and then we're going to go to /etc.
55
00:04:51,430 --> 00:04:56,550
And as you can see now we have the output of the /etc/passwd file.
56
00:04:56,810 --> 00:04:59,470
We can copy that and store it here.
57
00:04:59,660 --> 00:05:05,510
And then you'll be able to read it and just get more information about the websites that you're targeting
58
00:05:05,570 --> 00:05:13,480
right now again you can use this to try to access different files sensitive files or files of other
59
00:05:13,480 --> 00:05:15,440
web sites on the same server.
60
00:05:18,680 --> 00:05:24,830
Now let's go through the security settings and I've set this to medium because I just want to show you
61
00:05:24,830 --> 00:05:32,040
that the medium setting and this is actually can be exploited exactly the same way as the low level.
62
00:05:32,090 --> 00:05:34,270
So the security set to Medium.
63
00:05:34,280 --> 00:05:40,260
I'm going to go back to file inclusion and we're going to use the exploit the exact same way that we
64
00:05:40,260 --> 00:05:42,580
did it before.
65
00:05:42,740 --> 00:05:47,240
And as you can see we managed to get the contents of /etc/passwd.