Header Ads

Remote File Inclusion (RFI) Tutorial

Remote File Inclusion (RFI)

Hello Guys! In this article we will learn how to exploit a RFI vulnerability. I hope you have read my previous article on Local File Inclusion, if you haven’t please go and read  that first.

Remote File Inclusion (RFI)

As the name states if the attacker can include a remote file to the victim web app, it is called a Remote File Inclusion Vulnerability (RFI). Take a look at this piece of code:

As you can see in the first line, it extracts the file parameter value from the HTTP request made by the user, while the second line utilities this value to set the file name. If the input is not being sanitized properly it can be used to include malicious file from a remote server. Here’s a vulnerable JSP code,

Again, If the input is not sanitized properly it can be used to include a malicious file from a remote server. RFI is not a common vulnerability at all but it is very dangerous when exploited. Now you must be wondering how to exploit this vulnerability. Hold on, I will demonstrate it with a real life example. We have a URL here,

Lets break things down

  1. www.victim.com is the target website
  2. file.php is a webpage with the parameter view=
  3. For example if the user wants to view a document related to animals, the webpage file.php loads it via the view= parameter.

Take a close look at view= , if it was including local files like view=/files/animals.php we would have test for Local File Inclusion. But as we can see its including files from docs.example.com which is a different website, it means it loads files from other website which means it may include any malicious file too. Enough theory! So here’s the vulnerable parameter 

Now I will try to load an image by submitting its URL like this

See? How easy is that? With a webshell you can take over their website or even the whole server.

Also Read : File Inclusion Attack

No comments