Remote File Inclusion (RFI)
Remote File Inclusion (RFI) is a vulnerability that allows an attacker to include remote files in a web application. This can lead to significant security risks, including remote code execution. Here's a summary of key points and code examples related to RFI.
Local vs. Remote File Inclusion
RFI occurs when a vulnerable function allows the inclusion of remote files. This can be exploited to execute malicious scripts hosted by the attacker. The following functions can be vulnerable to RFI:
PHP: include()/include_once(), file_get_contents()
Java: import
.NET: @Html.RemotePartial(), include
Key Differences
RFI allows including remote files, while LFI only allows local files.
RFI may not be possible if the function does not permit remote URLs or if server configurations block it.
Verifying RFI Vulnerability
To check if a web application is vulnerable to RFI, we can look for the allow_url_include setting in PHP. This can be done using LFI techniques:
If the output shows allow_url_include = On, we can proceed to test for RFI by attempting to include a local URL:
If the page is included and executed, the application is vulnerable to RFI.
Remote Code Execution with RFI
To gain remote code execution, we need to create a malicious script. For example, a simple PHP web shell can be created as follows:
Hosting the Script
Using HTTP
Start a simple HTTP server using Python:
Then, include the shell script via RFI:
Using FTP
Alternatively, host the script using an FTP server:
Include the script using the FTP protocol:
Using SMB
If the target is a Windows server, we can use SMB for RFI:
Include the script using a UNC path:
Important Notes
Ensure that the server is on the same network for SMB to work effectively.
Be cautious of firewalls that may block HTTP or FTP requests.
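From the defender's side, all three channels above (HTTP, FTP, SMB/UNC) put the remote location into a request parameter, so it shows up in the web server's access log. The following is an added example, not code from the original page: it scans log lines for parameter values that start with a remote scheme or a UNC prefix. The log format, the `language` parameter name and all addresses are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines; addresses, paths and the
# "language" parameter are assumptions, not taken from the page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?language=en.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "GET /index.php?language=http%3A%2F%2F198.51.100.7%2Fx.php HTTP/1.1" 200 733',
    '203.0.113.5 - - [10/Oct/2024:13:55:44 +0000] "GET /index.php?language=ftp%3A%2F%2F198.51.100.7%2Fx.php HTTP/1.1" 200 733',
    '203.0.113.9 - - [10/Oct/2024:13:56:02 +0000] "GET /index.php?language=%5C%5C198.51.100.7%5Cshare%5Cx.php HTTP/1.1" 200 733',
    '203.0.113.9 - - [10/Oct/2024:13:56:09 +0000] "GET /index.php?language=http%253A%252F%252F198.51.100.7%252Fx.php HTTP/1.1" 200 733',
]

# client address, request target and status from a common/combined log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')
# value starts with http(s)://, ftp:// or a UNC prefix (two backslashes)
REMOTE_RE = re.compile(r'^\s*(?:(https?|ftp)://|\\\\[^\\])', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding, bounded so it always terminates."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_rfi_attempts(lines):
    """Return (client, parameter, kind, status) for each remote-looking value."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, target, status = m.groups()
        query = urlsplit(target).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            found = REMOTE_RE.match(fully_decode(raw))
            if found:
                kind = (found.group(1) or "unc").lower()
                hits.append((client, name, kind, int(status)))
    return hits

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

Parameters that legitimately carry URLs will also match, so triage hits by parameter name and endpoint. A hit against a PHP endpoint matters most where allow_url_include is On.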