Looking for file inclusions
File inclusion vulnerabilities occur when developers use request parameters, which can be modified by users to dynamically choose what pages to load or to include in the code that the server will execute. Such vulnerabilities may cause a full system compromise if the server executes the included file.
In this recipe, we will test a web application to discover if it is vulnerable to file inclusions.
How to do it...
Log into DVWA and go to File Inclusion.
It says that we should edit the get parameters to test the inclusion. Let's try this with
index.php.
It seems that there is no
index.phpfile in that directory (or it is empty), maybe this means that a local file inclusion (LFI) is possible.To try the LFI, we need to know the name of a file that really exists locally. We know that there is an
index.phpin the root directory of DVWA, so we try a directory traversal together with the file inclusion set../../index.phpto the page variable.
With this we demonstrate that...
