Skip to content

245CT

OWASP Includes

245CT

Home
Assessment
Essentials
Essentials
Video Library
Course Materials
Course Materials
- 0x01 Introduction
  0x01 Introduction
  - Introduction
  - Videos
  - Module Overview
  - Coursework overview
  - Materials
    Materials
    
    What is Ethical hacking ?
    
    The Pentest Process
    
    The 3 Pillars of Cyber Security
    
    The CIA Triangle
  - Lab Tasks
    Lab Tasks
    
    Lab Introduction
    
    VM Setup
    
    Challenges
- 0x02 Shells
  0x02 Shells
  - Shells
  - Videos
  - Materials
    Materials
    
    Shells
    
    Remote Shells
    
    SSH
    
    Netcat
    
    RCE
    
    Web Shells
  - Lab Tasks
    Lab Tasks
    
    SSH Lab
    
    Web Shells Lab
- 0x03 Reconnaissance
  0x03 Reconnaissance
  - Reconnaissance
  - Videos
  - Materials
    Materials
    
    Reconnisance
    
    Passive Recon Intro
    
    Search Engines
    
    Simple Searches
    
    Google Hacking
    
    Passive: Infrastructure
    
    Passive: Websites
    
    Active Recon
    
    Port Scanning
    
    NMAP
    
    NSE
- 0x04 Privileges and Permisions
  0x04 Privileges and Permisions
  - Introduction
  - Videos
  - Privilege Escalation
  - Linux Permissions Intro
  - Windows Permissions Intro
  - Linux: ACLs
  - Legitimately Elevating Privileges
    Legitimately Elevating Privileges
    
    Sudo
    
    Sudo Walkthrough
    
    SUID
    
    SUID Walkthrogh
    
    Capabilities
    
    Capabilities Walkthrough
- 0x05 Web Vulnerbilities
  0x05 Web Vulnerbilities
  - Web Vulns
  - Videos
  - Materials
    Materials
    
    Web Threats
    Web Threats
    
    OWASP Top 10
    
    Assessing Risk
    
    HTTP Protocol
    HTTP Protocol
    
    Encoding Data
    
    The HTTP Protocol
    
    HTTP Requests
    
    Request Tools
    
    Sessions
  - Labs
    Labs
    
    Lab Task
    
    Challenges
- 0x06 SQL Injection
  0x06 SQL Injection
  - Injection
  - Videos
  - Materials
    Materials
    
    SQL Basics and Syntax
    
    SQLi Intro
    
    Database Enumeration
    
    NoSQL Injection
- 0x07 XSS
  0x07 XSS
  - Cross Site Scripting
  - Videos
  - Materials
    Materials
    
    What is XSS
    
    Types of XSS
    
    XSS_Payloads
- 0x08 Includes and RCE
  0x08 Includes and RCE
  - Includes and RCE Includes and RCE
    Table of contents
    
    Topics for the Week
    
    Question of the Week
  - Videos
  - Materials
    Materials
    
    File Includes
    
    LFI and Traversal
    
    Remote File Includes
    
    Getting a Shell with LFI
    
    Upload Check Bypass
    
    RCE
    
    Insecure Deserialisation
    
    RCE with Deserialisation
  - Labs
    Labs
    
    Lab
- 0x09 Overflows (For 207SE)
  0x09 Overflows (For 207SE)
Contributors

Topic Introduction

This week we will be looking at Remote Code Execution and File Includes attacks. These are injection like attacks where we are able to "Include" external content in a website by exploiting the sites built in functionality.

For example, we might make use of broken templating to load files from elsewhere in the system onto the live version of the site.

Like the XSS vulnerabilities we looked at last time, these isues allow us to execute code. However, unlike XSS which executes on the client, these will execute on the server, meaning that a full systems exploit may be possible.

We will also look at how RCE can happen through insecure deserialisation.

Topics for the Week

Question of the Week

Discuss

There are lots of interesting include style vulnerbilities in the list of CVE's Use the feed on aula to talk about the most interesting one you have seen