1 00:00:00,870 --> 00:00:05,800 OK guys, now in this, we will see local file inclusion to remote code execution.
2 00:00:06,390 --> 00:00:10,790 So first, let's discuss what is a file inclusion, that is, local file inclusion.
3 00:00:11,460 --> 00:00:13,800 OK, I suppose I have this file.
4 00:00:15,300 --> 00:00:16,550 It contains some text.
5 00:00:16,920 --> 00:00:18,560 So what it does.
6 00:00:18,870 --> 00:00:21,010 So think of this as a Web page.
7 00:00:21,030 --> 00:00:23,650 So this Web page contains this content.
8 00:00:23,820 --> 00:00:28,860 So this is another webpage; now, instead of copying all these lines,
9 00:00:29,070 --> 00:00:38,420 now what I can do is I can say include, and I've said this filename is, uh, this file.
10 00:00:41,910 --> 00:00:52,020 OK, now this function takes this parameter, goes to this path, and copies
11 00:00:52,020 --> 00:00:55,150 all the content and pastes it in here.
12 00:00:55,320 --> 00:01:01,090 So this will not be directly visible; it will render, uh, when we open this up.
13 00:01:01,830 --> 00:01:06,760 So that means this other file has been included in this webpage.
14 00:01:07,230 --> 00:01:14,640 Now, instead of this particular text, what we can say is, we can also get the passwd file.
15 00:01:16,950 --> 00:01:21,910 So it's /etc/passwd, so you can also get a configuration file also.
16 00:01:22,140 --> 00:01:25,260 So that means this include function should be filtered.
17 00:01:25,530 --> 00:01:32,580 If that is not filtered, you can get information disclosure.
18 00:01:33,900 --> 00:01:36,540 So that means this include function should be filtered.
19 00:01:37,530 --> 00:01:39,300 So here is an example.
20 00:01:39,690 --> 00:01:43,440 So this is the, uh, file parameter.
21 00:01:43,530 --> 00:01:49,310 So we need to send the file parameter in the URL, and it'll be stored in the file variable.
22 00:01:49,710 --> 00:01:56,520 So if the file variable is set, so the variable is not null, we are including this file's contents.
23 00:01:57,360 --> 00:02:03,660 So we can say attacker.com, question mark,
24 00:02:05,670 --> 00:02:18,150 and file equals to this, so this will be the string of this file, and then this include will
25 00:02:18,150 --> 00:02:24,940 copy the content of this path here. Instead of this path, what I can do is I can say
26 00:02:24,940 --> 00:02:26,730 /etc/passwd.
27 00:02:28,700 --> 00:02:32,300 So you can get the contents of this passwd into this.
28 00:02:36,290 --> 00:02:38,560 So this is the vulnerability, file inclusion.
29 00:02:39,230 --> 00:02:45,800 Now we are going to discuss the next machine. I am bringing up a Metasploitable machine here, and I have
30 00:02:45,800 --> 00:02:47,200 already done that, Metasploitable.
31 00:02:49,680 --> 00:02:56,180 So this is the machine, and there are so many ports open, so one of the ports is at 80, which is
32 00:02:56,280 --> 00:02:56,730 DVWA.
33 00:02:59,810 --> 00:03:06,590 And the credentials are admin and password, and if you click on this file inclusion, you
34 00:03:06,590 --> 00:03:12,710 can see it includes a file; here the page parameter is already used.
35 00:03:12,830 --> 00:03:14,530 Include that page. Instead of this,
36 00:03:14,570 --> 00:03:15,440 what we can do is
37 00:03:18,680 --> 00:03:26,620 /etc/passwd, and hit enter, and you can see the contents of passwd. You can search for any
38 00:03:26,620 --> 00:03:29,090 users which do not have any password.
39 00:03:29,930 --> 00:03:32,150 Again, I'll refresh this.
40 00:03:36,650 --> 00:03:40,120 So first, let's see the source code.
41 00:03:40,970 --> 00:03:51,650 So this is a very simple GET page, and then, uh, storing it in a file variable. Sometimes here, uh, what
42 00:03:51,680 --> 00:03:54,080 it will be is, uh, it will append
43 00:03:54,110 --> 00:03:55,540 the .php extension.
44 00:03:56,330 --> 00:04:05,270 So this will be file equals to GET, dot php; that means whatever you include here, a .php
45 00:04:05,270 --> 00:04:10,910 string will be appended here, and then, uh, it will be stored in the file.
46 00:04:11,660 --> 00:04:17,170 So if you put /etc/passwd,
47 00:04:17,450 --> 00:04:23,890 so this, uh, source code will add .php at the end, and it will send it to the, uh, renderer.
48 00:04:24,050 --> 00:04:26,660 So that means you cannot fetch the passwd.
49 00:04:27,200 --> 00:04:30,910 So one thing you can do to bypass is you can put this character here.
50 00:04:32,420 --> 00:04:34,980 So percent zero zero.
51 00:04:35,570 --> 00:04:46,220 So this is a null terminator, and whenever, uh, this appending has been taking place, it will get
52 00:04:46,220 --> 00:04:48,040 truncated because of this null character.
53 00:04:51,530 --> 00:05:02,840 So this, uh, percent zero zero, uh, plus this one; this percent zero zero is the terminator, so the .php
54 00:05:03,350 --> 00:05:03,940 extension
55 00:05:04,010 --> 00:05:04,670 is not added.
56 00:05:05,060 --> 00:05:06,680 So you can see similar output.
57 00:05:07,130 --> 00:05:12,640 In our case, there is no appended extension, so we can simply send /etc/passwd.
58 00:05:13,670 --> 00:05:17,770 And sometimes you need to go back to the parent directory.
59 00:05:18,260 --> 00:05:27,580 That is, ../ from the directory, because this, uh, uh, included PHP may be in some subfolder.
60 00:05:28,310 --> 00:05:34,550 So you make sure you have sufficient dot dot slashes so that you reach the root directory, and then you can request
61 00:05:34,550 --> 00:05:35,050 for it,
62 00:05:35,060 --> 00:05:37,640 /etc/passwd, so you can see the same output.
63 00:05:40,440 --> 00:05:51,300 So this is the basic information disclosure, and you can also see shadow, if you have permission.
64 00:05:51,330 --> 00:05:51,590 OK.
65 00:05:51,650 --> 00:05:52,640 This one.
66 00:05:56,930 --> 00:05:57,260 So.
67 00:05:58,100 --> 00:05:58,600 I'm sorry.
68 00:05:59,470 --> 00:06:00,850 OK, permission denied.
69 00:06:01,040 --> 00:06:06,580 Um, what you can get varies depending upon the, uh, security permissions.
70 00:06:09,700 --> 00:06:15,520 OK, this is the basic local file inclusion. Now, how to convert this into remote code execution
71 00:06:17,320 --> 00:06:19,400 is through log poisoning.
72 00:06:20,110 --> 00:06:29,320 So when we're using the environment variables, /proc/self/environ, OK, this stores the, ah, the environment
73 00:06:29,320 --> 00:06:32,850 variables received by the web server.
74 00:06:35,050 --> 00:06:37,440 What we can do is we can set
75 00:06:39,240 --> 00:06:41,640 /proc/self/environ.
76 00:06:46,160 --> 00:06:55,840 And so you can see here, you can see the details: HTTP host, that is our IP address;
77 00:06:56,570 --> 00:07:05,000 HTTP user agent, that is Firefox; the URL; cookies; etc. So these will be
78 00:07:05,000 --> 00:07:08,300 stored in the /proc/self/environ.
79 00:07:08,810 --> 00:07:12,530 OK, now what we can do is I'm turning on Burp.
80 00:07:16,170 --> 00:07:20,580 Proxy, intercept on, and intercept this.
81 00:07:22,880 --> 00:07:24,530 So now we are sending this.
82 00:07:25,640 --> 00:07:26,730 OK, now what?
83 00:07:27,350 --> 00:07:28,820 I want to send it to Repeater.
84 00:07:29,870 --> 00:07:32,870 So let's turn this intercept off here.
85 00:07:32,890 --> 00:07:36,270 What we can do is, let's send and get the result.
86 00:07:36,560 --> 00:07:37,760 So these are the environment
87 00:07:37,760 --> 00:07:40,100 variables right now.
88 00:07:40,100 --> 00:07:41,810 We can change this User-Agent.
89 00:07:43,070 --> 00:07:50,300 So use the User-Agent to execute some PHP: system of
90 00:07:53,750 --> 00:07:57,320 underscore GET, C.
91 00:08:11,250 --> 00:08:13,440 So let's send this.
92 00:08:15,350 --> 00:08:25,670 And you can see HTTP user agent is equal to nothing, because this is a PHP tag, and it, uh, cannot
93 00:08:25,670 --> 00:08:26,750 be seen in the normal
94 00:08:26,750 --> 00:08:35,270 HTML. You know, however, this will be executed; it is definitely included in this. To prove
95 00:08:35,270 --> 00:08:39,440 that, you can send the value of C here.
96 00:08:39,590 --> 00:08:47,300 So this is the GET of C, and you can see the value of C: C equals to ls, and now send.
97 00:08:54,240 --> 00:09:01,560 I think you can see this is the output: include.php, index.php, and the source might be
98 00:09:01,570 --> 00:09:01,820 there.
99 00:09:02,220 --> 00:09:04,380 So this is the output.
100 00:09:05,050 --> 00:09:08,230 Now, what we can do is you can start
101 00:09:08,460 --> 00:09:08,970 netcat.
102 00:09:15,680 --> 00:09:21,350 So I'm listening on this 1234 port. Now go to Decoder and
103 00:09:23,670 --> 00:09:27,060 you can see nc, and the IP address.
104 00:09:30,860 --> 00:09:35,180 This is my Kali's IP address and port 1234.
105 00:09:37,270 --> 00:09:38,440 Let's see.
106 00:09:43,060 --> 00:09:51,670 I'm sorry, it's 4; and then upon execution, it executes this with bash, so you need to send this
107 00:09:52,030 --> 00:09:57,040 URL encoded. So you can encode as URL, so copy this.
108 00:10:03,550 --> 00:10:06,700 And go to Repeater and paste it in the value of C.
109 00:10:09,310 --> 00:10:14,830 So if you're doing it in the browser, in the address bar, you don't need to encode, and you can try to send the
110 00:10:14,950 --> 00:10:17,590 netcat reverse shell, but here you need to.
111 00:10:19,160 --> 00:10:27,630 Now, sir, we do not get a response because the reverse shell has been executed, and see, connection from here.
112 00:10:27,640 --> 00:10:29,700 There we are, right there.
113 00:10:30,040 --> 00:10:36,190 ls; you can see the same output we have seen in the previous packet.
114 00:10:37,300 --> 00:10:41,340 So you can upgrade to a proper shell and do some Linux privesc or something.
115 00:10:41,890 --> 00:10:42,950 So let me close this.
116 00:10:42,970 --> 00:10:44,500 So this is one way, using the
117 00:10:50,350 --> 00:10:55,870 environ. So this is one way to exploit this, environ, which was /proc/self/environ.
118 00:11:00,730 --> 00:11:08,780 So this is the easiest one, the environment variables; so the next one is authentication log poisoning.
119 00:11:08,800 --> 00:11:11,240 So /var/log/auth.log now.
120 00:11:11,260 --> 00:11:13,600 Let's go and see.
121 00:11:17,110 --> 00:11:18,700 /var/log
122 00:11:20,710 --> 00:11:31,000 auth.log, so this is the auth.log. So whenever you SSH on your system with any username and
123 00:11:31,000 --> 00:11:34,340 password, it will be logged into the auth.log also.
124 00:11:34,720 --> 00:11:46,070 So now what we can do is, as I said, instead of a user, you can take this PHP command, so
125 00:11:46,210 --> 00:11:50,830 the same we have used in that environ poisoning.
126 00:11:51,730 --> 00:11:59,500 So instead of this normal username, you can send this one. Now hit enter; the password, type something
127 00:11:59,510 --> 00:12:02,790 wrong, and exit.
128 00:12:04,120 --> 00:12:07,030 Now refresh this page.
129 00:12:10,410 --> 00:12:11,790 It's also.
130 00:12:16,630 --> 00:12:17,920 That's it; so again,
131 00:12:21,950 --> 00:12:31,430 send to Repeater this request. So now, I'll actually SSH with a normal user.
132 00:12:31,490 --> 00:12:32,120 This is it.
133 00:12:32,480 --> 00:12:34,040 Let's put it.
134 00:12:34,250 --> 00:12:36,640 It's a great idea.
135 00:12:40,460 --> 00:12:42,140 I don't know the password; hit enter.
136 00:12:43,960 --> 00:12:49,900 Now, close this, and now request for this auth.log; send.
137 00:12:50,380 --> 00:12:53,060 Now, you can search for Kali.
138 00:12:55,070 --> 00:12:58,530 So you can see invalid user from the IP address.
139 00:12:58,550 --> 00:13:05,240 So this is my Kali; it looks like it has failed, and also my IP address and username have been logged.
140 00:13:05,870 --> 00:13:10,940 So in the same way, the previous request, this PHP has been logged.
141 00:13:11,270 --> 00:13:13,370 Now, what you can do is you can simply
142 00:13:16,460 --> 00:13:16,850 send
143 00:13:18,710 --> 00:13:26,690 this here, because this will already be rendered by the PHP, and you need to supply the
144 00:13:27,410 --> 00:13:29,400 command, that's ls.
145 00:13:30,580 --> 00:13:32,330 I don't think you can see that.
146 00:13:32,360 --> 00:13:33,110 Let's see.
147 00:13:36,400 --> 00:13:43,680 OK, I don't know, there is so much log. You can see here, this is help.php, index.php.
148 00:13:44,680 --> 00:13:45,730 ls output is
149 00:13:50,000 --> 00:13:59,750 authentication failure, this user; so we have this user has been repeating a few times in the file, and
150 00:13:59,780 --> 00:14:05,950 so that username, this output has been displayed; output has been placed.
151 00:14:06,290 --> 00:14:07,730 You can see here the file names.
152 00:14:08,060 --> 00:14:10,610 So if you delete this, you can normally
153 00:14:10,610 --> 00:14:14,310 see invalid user from this IP address.
154 00:14:14,510 --> 00:14:19,760 So now you can simply go to the Decoder and copy the same,
155 00:14:23,460 --> 00:14:27,400 and paste it in here; it should work similarly.
156 00:14:35,780 --> 00:14:43,970 And now enter, sorry, sorry, not in here; and so now you can see connection from this IP address.
157 00:14:45,980 --> 00:14:47,040 So let's close this one.
158 00:14:47,240 --> 00:14:57,770 So this is one technique; if you find this, uh, is it a port open?
159 00:14:57,940 --> 00:15:01,090 You can see here SSH, the port open.
160 00:15:01,760 --> 00:15:04,380 You can use the auth.log poisoning.
161 00:15:04,520 --> 00:15:07,910 You can poison those logs and also FTP logs.
162 00:15:09,960 --> 00:15:14,130 So /var/log/vsftpd.log.
163 00:15:17,100 --> 00:15:18,330 OK, permission denied.
164 00:15:18,360 --> 00:15:24,130 So this log, we cannot open this log because the permission has been denied.
165 00:15:24,930 --> 00:15:25,090 So.
166 00:15:27,650 --> 00:15:32,090 So if there is permission access, what we can do is you can say FTP.
167 00:15:38,440 --> 00:15:49,090 So I'm going to the FTP of this, the username; let's copy this, so let's copy and paste it in here,
168 00:15:49,180 --> 00:15:56,690 so it will be logged into the server, and then browse around and you can see it.
169 00:15:58,540 --> 00:16:07,900 So now you can normally refresh this page and send, uh, uh, ampersand C equals to your netcat reverse shell.
170 00:16:08,740 --> 00:16:11,210 So in our case, the permission has been denied.
171 00:16:11,310 --> 00:16:17,780 OK, so the next one is mail: /var/mail/www-data.
172 00:16:18,100 --> 00:16:21,170 So generally there is an SMTP server.
173 00:16:23,410 --> 00:16:24,790 So this is on port 25.
174 00:16:24,800 --> 00:16:25,360 Yes.
175 00:16:25,930 --> 00:16:31,110 So the file structure is different for this Metasploitable 2.
176 00:16:31,960 --> 00:16:35,810 And generally mails are stored at /var/mail/user.
177 00:16:35,920 --> 00:16:38,770 So generally the username will be www-data.
178 00:16:39,790 --> 00:16:47,320 So you can send this, you know, a mail using this mail subject; instead of this subject, you can
179 00:16:47,320 --> 00:16:50,630 send this PHP system command.
180 00:16:51,860 --> 00:17:02,050 And after that, you can just go to the user, and go to this e-mail, /var/mail/username, C equals, and so you can also
181 00:17:02,050 --> 00:17:03,520 see it as a file.
182 00:17:05,440 --> 00:17:05,930 OK.
183 00:17:07,150 --> 00:17:10,330 You can also do the Web log.
184 00:17:14,700 --> 00:17:25,230 /var/log/apache2, apache2, access.log. So you can similarly, you can generate a fake request,
185 00:17:25,650 --> 00:17:35,310 GET index.php, with this PHP system command; so you can send that, and that will
186 00:17:35,310 --> 00:17:42,570 be logged into this access.log, so you can simply send ampersand C equals to your command.
187 00:17:42,990 --> 00:17:43,700 So simple.
188 00:17:43,710 --> 00:17:48,190 But in our case, we do not have access to this access.log.
189 00:17:49,140 --> 00:17:59,300 So you can use this Apache access log, error log, and then you can use, uh, vsftpd, and many more.
190 00:18:00,450 --> 00:18:10,400 So that's how you do the, uh, you use these poisoning methods to take advantage of this local file
191 00:18:10,410 --> 00:18:12,240 inclusion and to get the reverse shell.