Let’s learn WebApp Pentest from basic on DVWA. From setup to hack. Part 5. File Inclusion (Low to High).

Rahul Mondal
3 min read · Apr 9, 2022

Hey all. How are you doing?

This is part 5 of the WebApp Pentest from basic on DVWA. If you have not read it, or don’t know how to set DVWA up, go through part 1 first. Here is the link: https://rahulmondal666.medium.com/lets-learn-webapp-pentest-from-basic-from-setup-to-hack-part-1-5a7d97843373

In part 2 we covered brute force from low level to high level. Here is the link: https://rahulmondal666.medium.com/lets-learn-webapp-pentest-from-basic-on-dvwa-from-setup-to-hack-part-2-bruteforce-low-to-high-82ba55e27a73

In part 3 we covered command injection from low level to high level. Here is the link: https://rahulmondal666.medium.com/lets-learn-webapp-pentest-from-basic-on-dvwa-f215c4bbc8

In part 4 we covered CSRF from low level to high level. Here is the link: https://rahulmondal666.medium.com/lets-learn-webapp-pentest-from-basic-on-dvwa-from-setup-to-hack-part4-csrf-low-to-high-c4d2c0b6f619

Now open DVWA and click on File Inclusion. We already know what File Inclusion is. It comes in two types: Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI means reading files that already live on the web server. RFI means making the vulnerable server fetch and include a file from a remote location. Now we need to do it practically.

First, we will do it at low security.

In the screenshot above, we can clearly see that the URL carries a parameter called page. If we click on file1.php, the parameter changes to this:

So all of these pages are loaded through that one parameter. Let’s do LFI, meaning accessing some internal files of this server.

So let’s type etc/passwd. But our machine is Windows-based, so this will not work. If the machine were Linux, it would work.

Now let’s do RFI. We can check whether an external website can be loaded through this page, for example google.com, and it worked.

Let’s do it at medium level.

In view source, we can see that they blacklisted some operators and the “http” and “https” strings.

So, for “../” we can bypass by using “..././”: when the code removes the “../” part, what is left is still “../”.

So the payload will be → ..././..././..././..././..././..././..././..././etc/passwd

Now for RFI, “http” and “https” are blacklisted, so we can use hthttp://tp://

The http:// in the middle will be removed by the code, and what is left is http://

Now, let’s go with high security.

Looking at the view source, we can see that the “file” string has to be present in the URL; otherwise it will not work.

Since the “file” string has to be present at the start, we can use “file” as a protocol. That means file:///etc/passwd, and this should work. It works on Linux because etc/passwd is present on Linux.
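To make the difference between the medium and high filters and a real fix concrete, here is an added example (my own code, not DVWA’s source): it models the two checks the way the post describes them and contrasts them with an allow-list plus path confinement. The fragment list in medium_filter, the ALLOWED_PAGES set and the hardened_resolve function are assumptions for this example.

```python
import os
from typing import Optional

# Allow-list of pages this include endpoint may load. Constructed for this
# example; it is not DVWA's own file list.
ALLOWED_PAGES = frozenset({"file1.php", "file2.php", "file3.php"})


def medium_filter(page: str) -> str:
    """Model of the medium-level blacklist the post describes: a single pass of
    string removal. The removed fragments are assumed for this example."""
    for fragment in ("http://", "https://", "../", "..\\"):
        page = page.replace(fragment, "")  # one pass only, no re-scan
    return page


def high_filter_accepts(page: str) -> bool:
    """Model of the high-level check the post describes: value must start with 'file'."""
    return page.startswith("file")


def hardened_resolve(page: str, base_dir: str) -> Optional[str]:
    """Allow-list plus path confinement: only a name from ALLOWED_PAGES whose
    resolved path stays under base_dir is returned; everything else is None."""
    if page not in ALLOWED_PAGES:
        return None
    real_base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(real_base, page))
    if os.path.commonpath([real_base, target]) != real_base:
        return None
    return target


if __name__ == "__main__":
    base = "/var/www/dvwa/vulnerabilities/fi"  # assumed include directory
    for value in ("..././..././etc/passwd", "hthttp://tp://example.test/", "file:///etc/passwd", "file1.php"):
        print(f"{value!r:36} medium -> {medium_filter(value)!r:24} "
              f"high -> {high_filter_accepts(value)!s:5} "
              f"hardened -> {hardened_resolve(value, base)}")
```

Running it shows the single-pass removal rebuilding “../” and “http://” from the post’s payloads, and the high-level prefix check accepting file:///etc/passwd, while the allow-list accepts only the named include pages.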

As for RFI on high security, I could not do it; maybe you all can teach me.

Hope you all understand. We will meet again in the next part.
