Jun 16, 2020

Remote File Inclusion [RFI]

Remote File Inclusion, or RFI, is a vulnerability that occurs in web applications.

We use a Linux distribution called "Web for pen testers". You can download it from here. Now boot the virtual machine. You'll see a screen like this.

Yes, it is a Debian-based OS with a lot of examples that demonstrate common vulnerabilities like command injection, SQL injection, cross-site scripting, etc. Apache and MySQL are pre-installed on this machine.

Now use your web browser to browse to the IP that we discovered in the last step. You can see the following web interface. Wow, there are many vulnerabilities to explore. There is more to practice with this VM.

In this tutorial we are going to focus on remote file inclusion. So let's select example1 of the File include category.

In the URL you can see a parameter like the following.


Now think about what it does. When example1.php is loaded, intro.php will be automatically included and whatever is in that file will be executed. Now let's see what actually happens under the hood.

Here you can see the source code of example1.php.

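<?php require_once '../header.php'; ?>

<?php
        // The "page" URL parameter is passed to include() without any filtering.
        if ($_GET["page"]) {
                include($_GET["page"]);
        }
?>

<?php require_once '../footer.php'; ?>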

There is something to notice. Did you see the two statements called include and require_once? Both of them are used to insert another PHP script into the current file.

require gives an error when the given file does not exist, so the current script stops executing.

include gives a warning and the rest of the script continues.

Now in the above example1.php they have used include($_GET["page"]);.

In several places I have explained $_GET[]. Do you remember what it does? It fetches the URL parameter called page and passes it to the include function.

Now what if we can include a PHP web shell using this method? What we have to do is upload the shell to a server and input the shell's URL as the page parameter. I hope you got a clear idea of RFI. Let's see how we can do this practically.

In the above screenshot I logged into the VM and looked for files. Actually this step is not needed. Let's create a dummy PHP file for testing purposes.

Now I host that file on another VM and give the dummy file's URL as the input. Let's see what happens.

Wow, it is working.

Now let's build the actual PHP shell. In a previous tutorial I explained how to build a quick web shell.

<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>' ; ?>

Here you can see the final result.
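The root cause is the unfiltered include($_GET["page"]) in example1.php. The following is an added example, not code from this tutorial or from the VM, showing the same page logic with the parameter restricted to an allowlist. The page name about.php and the pages/ directory are assumptions.

```php
<?php
// Added example: example1.php's include logic with the "page" parameter
// restricted to an allowlist. Names marked hypothetical are assumptions.

// Request value => file on disk. User input is only a lookup key; it never
// becomes part of the path or URL passed to include.
const ALLOWED_PAGES = [
    'intro' => 'intro.php',
    'about' => 'about.php',   // hypothetical second page
];

// Hypothetical directory holding the includable pages.
const PAGE_DIR = __DIR__ . '/pages/';

function resolve_page($requested)
{
    if (!is_string($requested)) {
        return null;          // parameter missing, or sent as an array (page[]=...)
    }
    // Accept "intro" as well as "intro.php", the value the tutorial mentions.
    $key = preg_replace('/\.php$/', '', $requested);
    if (!is_string($key) || !array_key_exists($key, ALLOWED_PAGES)) {
        return null;          // URLs and unknown names are not keys, so they stop here
    }
    return PAGE_DIR . ALLOWED_PAGES[$key];
}

// Replacement for: if ($_GET["page"]) { include($_GET["page"]); }
$page = resolve_page($_GET['page'] ?? null);
if ($page !== null && is_file($page)) {
    include $page;
} elseif (PHP_SAPI !== 'cli') {
    http_response_code(404);
}

// Self-check when run as "php thisfile.php". Inputs are constructed samples;
// 192.0.2.10 is a documentation-only address.
if (PHP_SAPI === 'cli') {
    $samples = ['intro.php', 'intro', 'http://192.0.2.10/dummy.php', 'unknown.php', ['x']];
    foreach ($samples as $in) {
        $shown = is_array($in) ? 'page[]=x' : $in;
        printf("%-30s => %s\n", $shown, resolve_page($in) ?? 'REJECTED');
    }
}
```

Keeping allow_url_include set to Off in php.ini (the default) also stops include from fetching http:// URLs, but it does not restrict local paths, so the allowlist is still needed.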


I hope you enjoyed the tutorial. Leave a comment if you need any tutorials on these topics. I'll try my maximum to write a post. :-)

Thilan Dissanayaka

Hi, I'm Thilan from Sri Lanka. An undergraduate Engineering student of University of Ruhuna. I love to explore things about CS, Hacking, Reverse engineering etc.