Practical No. 05 ◀◀◀ Aim: Use of software tools/commands for web servers and web applications hacking and generate analysis report

A) Hack a website by Remote File Inclusion.

Local file inclusion and Remote file inclusion

What is DVWA?

PHP/MySQL web application that is vulnerable.

Main goals:

To be an aid for security professionals to test their skills and tools ina legal environment Help web developers better understand the processes of securingweb applications.

Aid teachers/students to teach/learn web application security in aclass room environment.

Questions:

A website attack named Remote file inclusion is basically a one of the most common vulnerabilities found in web application. This type of vulnerability allows the Hacker or attacker to add a remote file on the web server. If the attacker gets successful in performing the attack, he/she will gain access to the web server and hence can execute any command on it.

Step 1: Install XAMPP and Create Database.

Step 2: Open Shell

mysql –u root

show database

create database dvwa

show database

Step 3: Download DVWA-master.zip

Step 4: Install DVWA in C:\xampp\htdocs

Step 5: Go to C:\xampp\htdocs\DVWA-master\config. Change the file name config.inc.php.dist toconfig.inc.php

Step 6: In the browser, enter http://localhost/dvwa-master/setup.php . Scroll below find:

Step 7: Next, it opens the window below: http://localhost/DVWA-master/login.php

Step 8: Enter default credentials username =admin and password=password We are now logged into DVWA

Step 1: Create a login.php/registration.php for your website. Perform local file inclusion using DVWA

Step 2: On the address bar, set page attribute to http://localhost/sqlinjection/login.php

Step 3: Perform remote file inclusion using DVWA. Display the home page of www.google.com

On the address bar, set page attribute to http://www.google.com

Using Firefox, disguise/emulate as google bot.

Step 1: To determine the user agent of Firefox

• Go to Mozilla: http://www.proxyserverprivacy.com/

• Select detector proxy

• Select advanced proxy detector

Output:

Step 2: To find out the string for google bot.

To change the above user agent to Googlebot

• Go to http://useragentstring.com/

• Locate the string for google bot

• Googlebot/2.1 (+http://www.googlebot.com/bot.html)

Step 3: Configure

Go to Firefox

Type about: config

Type general.useragent.override and assign

Googlebot/2.1(+http://www.googlebot.com/bot.html)

Go to http://www.proxyserverprivacy.com/ to check that the user agent is Googlebot