Welcome to HackeRoyale.

How To Hack websites Using RFI (Remote File Inclusion) attack ?

Remote File Inclusion

Welcome to all hackers & geeks.There are lot more methods to attack a website.for example SQL Injection,Cross site scripting and Remote File Inclusion (RFI).

This article assists you in understanding Remote File Inclusion  and how to perform the attack on Websites.

Remote File inclusion (RFI)

Remote File Include (RFI) is an assault method used to abuse “dynamic record incorporate” systems in web applications.

At the point when web applications take client information and pass them into document incorporate summons, the web application may be deceived into incorporating remote records with noxious code.

All web application structures bolster record consideration.

Document consideration is for the most part utilized for bundling basic code into particular records that are later referenced by fundamental application modules.

At the point when a web application references an incorporate document, the code in this record might be executed verifiably or unequivocally by calling particular systems.

On the off chance that the decision of module to stack depends on components from the HTTP ask for, the web application may be powerless against RFI.

An assailant can utilize RFI for:

  • Running vindictive code on the server: any code in the included malevolent records will be controlled by the server.
  • In the event that the document incorporate is not executed utilizing some wrapper, code in incorporate records is executed with regards to the server client.
  • This could prompt a total framework bargain.
  • Running malevolent code on customers: the aggressor’s vindictive code can control the substance of the reaction sent to the customer.
  • The assailant can insert malevolent code in the reaction that will be controlled by the customer.

It alludes to an incorporation assault wherein an assailant can make the web application incorporate a remote record by misusing a web application that progressively incorporates outside documents or scripts.

The results of an effective RFI assault incorporate Information Disclosure and Cross-site Scripting (XSS) to Remote Code Execution.

RFI normally happens, when an application gets the way to the record that must be incorporated as a contribution without appropriately purifying it.

This would enable an outside URL to be provided to the incorporate explanation.


PHP Program that is powerless against Remote File Inclusion (RFI)


* Get the filename from a GET input 

* Example - http://example.com/?file=filename.php 

*/$file = $_GET['file']; 


* Unsafely incorporate the document 

* Example - filename.php 



In the above illustration, an assailant could make the accompanying solicitation to trap the application into executing a vindictive script, for example, a webshell.


In this illustration, the remote document will be incorporated and keep running with the client benefits the web application is running.

That would enable an assailant to run any code they needed on the web server, including composing documents to pick up constancy on the web server.

How to perform the attack?

1.The initial step is to discover helpless site, you can without much of a stretch discover them utilizing Google dorks.

On the off chance that you don’t have any thought, you might need to peruse about cutting edge secret word hacking utilizing Google dorks or to utilize robotized device to apply Google dorks utilizing Google.

Presently lets expect we have discovered a powerless site


As should be obvious, this site pulls records put away in content arrangement from server and renders them as site pages.

We can discover routes around it as it utilizes PHP incorporate capacity to haul them out. Lets look at it.


I have incorporated a custom script “evilscript” in content configuration from my site, which contains some code.

Presently, if its a helpless site, at that point any of these 3 things can happen

Case 1 – You may have seen that the url comprised of “page=home” had no expansion, yet I have incorporated an augmentation in my url,hence the site may give a blunder like ‘inability to incorporate evilscript.txt.txt’, this may occur as the site might be naturally including the .txt expansion to the pages put away in server.

Case 2 – in the event that, it naturally attaches something in the lines of .php then we need to utilize an invalid byte “%00” keeping in mind the end goal to maintain a strategic distance from mistake.

Presently once you have combat around this one, you might need to realize what to code inside the script.

You may get an exceptionally coded scandalous C99 script or you may code yourself another one.

For this information of PHP may prove to be useful. Here

echo "alert(U 4r3 0wn3d !!);";
echo "Run command: ".htmlspecialchars($_GET['cmd']);


The above code enables you to abuse incorporate capacity and tests if the site if RFI (XSS) powerless by running the ready box code and if effective, you can send custom orders to the linux server in bash.

Thus, on the off chance that you are in fortunes and on the off chance that it worked, lets attempt our hands on some Linux orders.

For instance to locate the present working index of server and after that to list documents, we will be utilizing “pwd” and “ls” summons



What it does is that it sends the summon as cmd we put in our script and starts print the working index and rundown the reports.

Shockingly better you can practically make the page broadcast that you hacked it by utilizing the “reverberate” charge.

cmd=echo U r pwn3d by xero> index.php

It will then re-compose the index.php and render it.In case, its a primitive site which stores pages with .txt expansion, you might need to put it with along the .txt records.

Presently not surprisingly, we are currently the alpha and the omega of the site and we can download, expel, rename, anything! Need to download stuff ? attempt the “wget” work…

Preventing Remote File Inclusion (RFI) vulnerabilities

To prevent possible exploitation of the remote file inclusions vulnerability you should always disable the remote inclusion feature in your programming languages configuration, especially if you do not need it.

In PHP you can set allow_url_include to 0.

You should also validate user input before you pass it to an inclusion function.

The recommended way to do this is with a whitelist of allowed files.


Hope this article helps you

Happy Hacking..



featured posts


Get weekly updates by subscribing to our newsletter.