Hey, I am not going to write much about this vulnerability. Its pretty straight forward.
The web developer has provided you the ability to include any file from the local system or even remote system. So you can be creative and include any file you want to own the system.
After watching the video, try this URL just to get the perspective:
http://localhost/dvwa/vulnerabilities/fi/?page=http://google.com/robots.txt
Now, think as devilish as you can and see what else you can do with this hole ;)
Also, take a look at this exploit already present in the Metasploit framework.
http://www.metasploit.com/modules/exploit/unix/webapp/php_include
nice post
ReplyDelete