O'Reilly logo

Kali Linux Web Penetration Testing Cookbook by Gilberto Nájera-Gutiérrez

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Abusing file inclusions and uploads

As we saw in Chapter 4, Finding Vulnerabilities, file inclusion vulnerabilities occur when developers use poorly validated input to generate file paths and use those paths to include source code files. Modern versions of server-side languages, such as PHP since 5.2.0, have by default disabled the ability to include remote files, so it has been less common to find an RFI since 2011.

In this recipe, we will first upload a couple of malicious files, one of them is a webshell (a web page capable of executing system commands in the server), and then execute them using local file inclusions.

Getting ready

We will use Damn Vulnerable Web Application (DVWA) in the vulnerable_vm for this recipe and will have it with a ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required