Remote File Inclusion RFI Attack

Remote File Inclusion RFI attack

Remote File Inclusion RFI Attack

In this session you will learn how you can exploit remote file inclusion RFI vulnerability. so, lets start with basic concepts and introduction.

What Is Remote File Iinclusion ?

RFI stands for Remote File Inclusion that allows the attacker to upload a custom coded/malicious file on a website or server using a script. The vulnerability exploit the poor validation checks in websites and can eventually lead to code execution on server or code execution on website (XSS attack using javascript) *client sided shiZ*.

RFI is a common vulnerability and trust me all website hacking is not exactly about SQL injection. Using RFI you can literally deface *if that’s what you’re looking for ūüėź * the websites, get access to the server and do almost anything. What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one, some BASH might come handy as most of servers today are hosted on Linux.

Read More : Local File Inclusion Attack

Starting with RFI

Lets get it started. The first step is to find vulnerable site, you can easily find them using Google dorks. If you can’t find one, don’t worry you’ll still learn ūüėÄ – Just upload this on any site and save it as index.php in a folder called rfi.

# Infoseczone's RFI Tutorial @ infoseczone
$file = $_GET['file'];
if ($file != null){include($file.".html");}

and save this as a tut.html


then visit

As you can see, this code (index.php) pulls documents from the file parameter, adds .html in the end and “includes” it.
If this isn’t coded properly, the script doesn’t check where the file is coming from and so an inclusion from another site will be accepted and run natively on the server. This means that a text file containing a PHP script can be hosted on another site but still run on the site being targeted. Let’s Try It Out.
Warning: include( failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/yoursite/public_html/rfi/index.php on line 4

Just like we have the %00 to get rid of the .html part in LFI you got the “?” sign in RFI. If you go to index.php?file= it will include evilscript.txt and not evilscript.txt.php because the ? sign makes .php an GET argument! Which does not affect which file you are requesting on remote servers.

Patching Remote File Inclusion Vulnerability

Method One (Switch Statement)

$file = $_GET['file'];
        case "about":
        case "contact":
        default: # If parameter != contact or about

Method Two (If Statement)

$file = $_GET['file'];
if (isset($file))

Thanks For Reading Keep learning some good stuffs ūüėÄ


Leave a Reply