Hack Website using Local File Inclusion Vulnerability
Hello friends, after a short break m back with an interesting post on Web-Hacking. So today m gonna teach you one of the most dangerous vulnerability called "Local File Inclusion-(LFI)". OWASP Top 10 - A4 Insecure Direct Object References.
Local File Inclusion - (LFI)
Local File Inclusion (LFI) is a type of vulnerability most often found on websites. It allows an attacker to include a local file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.
In Simple words LFI Vulnerability allows an attacker to add any local file to Website Server through script. LFI is very dangerous vulnerability can lead to website Defacement, Command Execution, Creating more vulnerabilities, Website Defacement and Complete Database takeover. So let's learn LFI Today.
An attacker can do following things :
- Open Redirects
- Shell Upload
- Website Defacement
- Directory Travesal
- Sensitive Data Leakage
- Database Takeover
- Creating Multiple Vulnerabilities
LFI Vulnerability Exploitation and Website Hacking : As you know guys our all post doesn't teach any kind of Black hat Hacking or Cyber Crime. We Always use Penetration testing lab to teach Pure Ethical Hacking tutorials with Complete Guide. So same we're using DVWA Penetration testing lab for this tutorial. If you don't have Vulnerable Website Always use Penetration testing lab.
Requirements :
- DVWA Pentest Lab [Click to Created]
- Little bit knowledge of HTTP and Networking
Understanding LFI Vulnerability :
- Start DVWA and Click on [File Inclusion] - Security on [Low]
Click on Image to Enlarge it
-
- Mostly in LFI Vulnerabilities URL looks little bit different and if you're experienced hacker, you'll understand that the Website is vulnerable to LFI. So look carefully in URL.
- Okay let's just replace include.php with http://google.com/robots.txt
- As I said LFI vulnerability can include any local file to web-pages,http://127.0.0.1/dvwa/vulnerabilities/fi/?page=http://google.com/robots.txt Enter
- Now you'll see that google Robots.txt file will comes into DVWA Web-page. did you understand? that means the web-page is including any file and that is really very dangerous this can lead to Shell Upload and Command Execution so web server can be Hacked.
Click on Image to Enlarge it
-
- An attacker can do many things with this vulnerability.
- Now as you know if you can include any local file than how about to include some Source file on Web Server like password :D
- Guess some file inclusion commands like : ../../etc/passwd but in DVWA this will work try it in URL ../../../../../etc/passwd
Click on Image to Enlarge it
-
- Now try to include .html file :
Click on Image to Enlarge it
- #Cool, I hope you can understand how an attacker can include his own .php, .html or any other file to Hack Website Server.
Click on Image to Enlarge it
- Okay! now just look into Source code on Web-Page to know why this vulnerability occurred : [Click on View Source]
Click on Image to Enlarge it
I hope you can understand that coding : Its simply easy - the code is $_GET['Page']without any type of filter or Protection. Simply it will add any type of file on web-pages? Now use some more evil mind : What if we'll create one Shell and include it in Web Server. So simply we can completely Deface Website and Get Database :D. well this is just study of Vulnerability in our upcoming post Part 2 of LFI will contain more advance methods and techniques of LFI Vulnerability exploitation.
Hello friends, after a short break m back with an interesting post on Web-Hacking. So today m gonna teach you one of the most dangerous vulnerability called "Local File Inclusion-(LFI)". OWASP Top 10 - A4 Insecure Direct Object References.
Local File Inclusion (LFI) is a type of vulnerability most often found on websites. It allows an attacker to include a local file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.
In Simple words LFI Vulnerability allows an attacker to add any local file to Website Server through script. LFI is very dangerous vulnerability can lead to website Defacement, Command Execution, Creating more vulnerabilities, Website Defacement and Complete Database takeover. So let's learn LFI Today.
An attacker can do following things :
- Open Redirects
- Shell Upload
- Website Defacement
- Directory Travesal
- Sensitive Data Leakage
- Database Takeover
- Creating Multiple Vulnerabilities
LFI Vulnerability Exploitation and Website Hacking : As you know guys our all post doesn't teach any kind of Black hat Hacking or Cyber Crime. We Always use Penetration testing lab to teach Pure Ethical Hacking tutorials with Complete Guide. So same we're using DVWA Penetration testing lab for this tutorial. If you don't have Vulnerable Website Always use Penetration testing lab.
Requirements :
- DVWA Pentest Lab [Click to Created]
- Little bit knowledge of HTTP and Networking
Understanding LFI Vulnerability :
- Start DVWA and Click on [File Inclusion] - Security on [Low]Click on Image to Enlarge it
- Mostly in LFI Vulnerabilities URL looks little bit different and if you're experienced hacker, you'll understand that the Website is vulnerable to LFI. So look carefully in URL.
- Okay let's just replace include.php with http://google.com/robots.txt
- As I said LFI vulnerability can include any local file to web-pages,http://127.0.0.1/dvwa/vulnerabilities/fi/?page=http://google.com/robots.txt Enter
- Now you'll see that google Robots.txt file will comes into DVWA Web-page. did you understand? that means the web-page is including any file and that is really very dangerous this can lead to Shell Upload and Command Execution so web server can be Hacked.Click on Image to Enlarge it
- An attacker can do many things with this vulnerability.
- Now as you know if you can include any local file than how about to include some Source file on Web Server like password :D
- Guess some file inclusion commands like : ../../etc/passwd but in DVWA this will work try it in URL ../../../../../etc/passwdClick on Image to Enlarge it
- Now try to include .html file :Click on Image to Enlarge it
- #Cool, I hope you can understand how an attacker can include his own .php, .html or any other file to Hack Website Server.Click on Image to Enlarge it
- Okay! now just look into Source code on Web-Page to know why this vulnerability occurred : [Click on View Source]
Click on Image to Enlarge it
I hope you can understand that coding : Its simply easy - the code is $_GET['Page']without any type of filter or Protection. Simply it will add any type of file on web-pages? Now use some more evil mind : What if we'll create one Shell and include it in Web Server. So simply we can completely Deface Website and Get Database :D. well this is just study of Vulnerability in our upcoming post Part 2 of LFI will contain more advance methods and techniques of LFI Vulnerability exploitation.
0 comments:
Post a Comment