Thursday, 20 December 2012

RFI Tutorial

Remote File Inclusion (RFI) is the most common vulnerability found in many web servers. If the remote file is executed successfully, we can get control over the server and make it execute any command we wish. So how exactly can we do that?

First we need to know which websites are vulnerable to this, using the following Google dork:


We get a number of websites listed, of the form:

One by one, in place of anything, type, as shown below:

If the above link opens up the Google homepage, it implies the website is completely vulnerable to Remote File Inclusion.

The next step is to download a shell, out of the several available on the web, which is nothing but a payload in PHP. The most common are c99 or r57. The c99 shell can be downloaded from

Upload the shell to a webhosting site such as, etc. Now you get to see the link to this shell as:

or something similar to this, depending upon the site on which the shell has been hosted.

The successful Google homepage was seen in as I mentioned earlier, right? Now just remove the Google part and paste the link to your shell as shown:

Remember, the ‘?’ at the end is an important part, or the shell will not execute. So try this out, and you get complete control panel access to the web server. Quite easy and very much interesting.
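From the defender's side, the requests described above leave a recognisable trace in the web server's access log: a query parameter whose value is itself an absolute URL, often ending in ‘?’. The following is an added example, not part of the original post; the log lines, hosts and the function name `find_rfi_probes` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format); all hosts and paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Dec/2012:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Dec/2012:10:01:09 +0000] "GET /index.php?page=http://www.example.org/? HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Dec/2012:10:02:30 +0000] "GET /index.php?lang=en&page=hTTps%3A%2F%2Ffiles.example.net%2Fa.txt HTTP/1.1" 200 911 "-" "curl/7.28"
198.51.100.9 - - [20/Dec/2012:10:03:11 +0000] "GET /search.php?q=see+http://example.org HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client, request target and status code from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# A parameter value that *starts with* a URL scheme PHP can fetch over the network.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://[^/\s]+', re.IGNORECASE)

def find_rfi_probes(log_text):
    """Return one record per query parameter whose decoded value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, target, status = m.groups()
        # parse_qsl percent-decodes values, so encoded probes are caught too
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if REMOTE_RE.match(value):
                hits.append({
                    "client": client,
                    "path": urlsplit(target).path,
                    "param": name,
                    "value": value,
                    # a trailing '?' matches the pattern this post describes
                    "trailing_q": value.endswith("?"),
                    "status": int(status),
                })
    return hits

if __name__ == "__main__":
    # Legitimate redirect-style parameters also match; review hits per endpoint.
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(hit)
```

On the server itself, PHP's `allow_url_include` setting (off by default) and a fixed allowlist of includable files stop the inclusion regardless of what the log shows.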

