RFI (Remote File Inclusion)

Vulnerability Name: Remote File Inclusion on [Parameter] at [Domain name]
Vulnerability Description:  Using remote file inclusion (RFI), an attacker can cause the web application to include a remote file. This is possible for web applications that dynamically include external files or scripts. Potential web security consequences of a successful RFI attack range from sensitive information disclosure and Cross-site Scripting (XSS) to remote code execution and, as a final result, full system compromise.
[Don't forget to add your vulnerability description, the one given above is a general description]
Payload: [Malicious payload]
Steps to Reproduce: 
1.Go to the [URL].
2.Add the given payload in the Vulnerable [Parameter]
3.Reload the page.
4.As per the payload, you will get the result.
Attack Scenario: Remote file inclusion attacks usually occur when an application receives a path to a file as input for a web page and does not properly sanitize it. This allows an external URL to be supplied to the include function. an attacker could make the following HTTP request to trick the application into executing server-side malicious code, for example, a backdoor or a web shell.
[The above was a basic attack scenario you need to alter it according to the Workflow]
Remediation: To avoid RFI and many other vulnerabilities, never trust user input. If you need to include files in your website or web application code, use a whitelist of allowed file names and locations.
LFI (Local File Inclusion)
Github Recon
Last modified 2yr ago