
Remote File Inclusion Questions


ghost's Avatar
0 0

Hey, I am just trying to understand a few things about remote file inclusion, so I have scoped out a few vulnerable sites for testing/learning purposes.

I have a c99 shell, and I am trying to use RFI with my shell to let me view the complete directory of the target site. There are problems with this though. If I type the full path to the shell for inclusion, it usually works, but only shows me the contents of the site the shell is hosted on, not the target's. Somewhere along the way, I learned that you can rename the shell from its original .php extension to something like a .jpg, then add a question mark (?) at the end of it, which makes the shell work. I have seen this done before in a video and am wondering why when I try it, the only thing I get is the shell with all the code printed out on the page, un-executed.

Can someone please explain to me what exactly I'm doing wrong and what I should be doing and why it works?


ghost's Avatar
0 0

Okay, I'll explain why: PHP stands for Hypertext Preprocessor, which means PHP code is parsed first and then the result is popped out to you. Now when you access a .php file, it gets executed first and then the result is popped out to you. That's why you see the source of your c99 shell. To access it correctly you must stop the server from parsing the code first:

  • using a .htaccess file
  • or renaming the file to .txt, .jpg, …

Now head out and learn some PHP.

ghost's Avatar
0 0

Right, I understand that, however that doesn't completely answer my question fully.

I save the shell as a .jpg file. Now it stops the code from processing on the server that the shell is on. But how do I get it to process on the target site's server? When I change the file extension from .php to .jpg, it spits out the source code of the shell. How can I make the shell parse on the target's server?


ghost's Avatar
0 0

Well, basically the PHP file you are including is executing on your own server. So get a host that does not support PHP, e.g. www.sitesled.com, and upload the shell, e.g. c99.php. Then include it and the PHP will execute on the server you include it on. Hope this helps.


Mr_Cheese's Avatar
0 1

In that case the server might be doing this:

$file = file_get_contents($_GET['page']);  // reads the target as plain data
echo $file;                                // prints it; nothing is executed

instead of doing the standard:

include $_GET['page'];

If that is the case, all you'll be able to do is get HTML displayed, as it will just "echo" the PHP and won't execute it.
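
For the defending side of the two patterns above, an added example (not code from this thread or from any site discussed in it): a page loader that treats the `page` parameter as a lookup key instead of a path. The page names, the `pages/` directory and the `resolve_page` helper are assumptions made for illustration; it assumes PHP 8.

```php
<?php
// Added example. PAGES, pages/ and resolve_page() are hypothetical names.

// Patterns from the thread, for contrast (neither belongs in production):
//   include $_GET['page'];                  // executes whatever the value resolves to
//   echo file_get_contents($_GET['page']);  // no execution, but still emits content
//                                           // from a location the visitor chose

// Hardened form: the request value only selects an entry from a fixed map.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(mixed $requested, string $baseDir): ?string
{
    // Non-strings (e.g. ?page[]=x) and unknown keys are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);

    // realpath() returns false for missing files; the prefix check also
    // rejects a symlink that points outside the pages directory.
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit('Not found');
}

include $target; // only ever a local file named in PAGES
```

Independently of application code, `allow_url_include = Off` in php.ini (the default) stops `include` from fetching URLs at all.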


ghost's Avatar
0 0

Well, I've tried uploading the shell to a server that doesn't allow php and including that, but I still get the same thing. It spits out the source and nothing else.

Mr_Cheese, you are probably correct. I think that's all it's doing.