Before starting this tutorial, I would like to tell you about a piece of code called a shell. There are many shells available. Let's consider one known as the c99 shell. First download it from here.
Now sign up for an account on any free web hosting site. Say  Now sign in to your account, go to the File Manager, upload some files, and then upload the c99 shell there. Now log out and visit the URL of the shell you uploaded,
and you will find that you can manage all your directories and files without logging in to your account, that is, without entering your password anywhere.

Both images show the file manager: in the first I am accessing it by signing in to my account, and in the second just by accessing the shell without logging in.

I just wanted to show you how deadly it can be if somebody somehow uploads this kind of shell to your server. This is where the concept of Remote File Inclusion comes into the picture.

Note: Your account might be suspended after uploading such shells.

What is Remote File Inclusion?

As the name makes clear, Remote File Inclusion means 'including a remote file'. RFI is a vulnerability found in websites that allows attackers to include a remote file on the web server. This may lead to remote code execution and complete compromise of the system.

How to perform the attack?

Step 1. Upload a shell in text format to your web hosting site. That is, copy the code of the shell, save it as a text file and upload it. Note down the complete path of your shell.
Step 2. Search for a vulnerable site using Google dorks, like
You can use automated tools for the same.
Step 3. Let's say you got a site like

Replace this URL by

Your shell might have been uploaded to the server if the victim's site is vulnerable. Now you can do anything with the victim's site, or maybe even with other sites running on the same web server, by simply accessing your shell.

Possible Countermeasures:
1. Strongly validate the user's input.
2. Disable allow_url_fopen and allow_url_include in php.ini.
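
The two countermeasures above, as an added example that is not from the original post: an allowlist lookup used in place of passing the request value to include, plus a runtime check of the two php.ini switches. PAGES, resolve_page(), url_wrappers_enabled() and the pages/ directory are hypothetical names, and the inputs are constructed samples (PHP 8 or later assumed).

```php
<?php
declare(strict_types=1);

// Added example, not the original post's code. PAGES, resolve_page(),
// url_wrappers_enabled() and the pages/ directory are hypothetical names.

// Countermeasure 1: map accepted request values to fixed local files.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns a path under $baseDir for an allowlisted key, or null otherwise.
function resolve_page(mixed $requested, string $baseDir): ?string
{
    // ?page[]=x arrives as an array, so reject anything that is not a string.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // The path is built from the allowlist value, never from the user's input.
    return $baseDir . DIRECTORY_SEPARATOR . PAGES[$requested];
}

// Countermeasure 2: list which of the two php.ini switches are still enabled.
function url_wrappers_enabled(): array
{
    $on = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
        if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $on[] = $key;
        }
    }
    return $on;
}

// Constructed sample inputs: one valid key and three values the lookup rejects.
$samples = ['about', 'http://example.invalid/remote.txt', '../../etc/passwd', ['x']];
foreach ($samples as $input) {
    $path = resolve_page($input, __DIR__ . '/pages');
    $shown = json_encode($input, JSON_UNESCAPED_SLASHES);
    printf("%-40s => %s\n", $shown, $path ?? 'rejected (serve 404)');
}
foreach (url_wrappers_enabled() as $key) {
    fwrite(STDERR, "php.ini: $key is On; set it to Off\n");
}
```

In a real page handler, the value returned by resolve_page() is what gets passed to include, and a null result is answered with a 404 instead.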


Post a Comment
  1. You have not given the link to download a shell..

    Could you please give it??
    I googled it..
    but was a little sceptical about downloading the shell from random websites on the internet..
    Could you please give an authenticated link??

  2. Have given the link now....

  3. Can you please tell any site you hacked by RFI??
    I'm not getting any site which is vulnerable to this attack.

  4. Please don't download that shell.php file, it contains a trojan...

  5. Astonished!!!! Shell.php is a trojan horse! :D

  6. shell is a trojan horse damn

  7. When I save it as .txt and upload it to my host, it opens as a page and contains the source code and I can't edit anything!

  8. When I open the shell as txt in my site it shows the source code and does not work!

  9. Yeah, I have the same problem

  10. No, it works!

  11. The people who are posting that it is a tr0jan horse, that's because it is acting like a virus as it doesn't need password confirmation to access the fm. You need to create the file, then edit it and paste the shell code, then save the file to upload the shell on a few sites... If using free hosts some may delete the shell upon save.

  12. What kind of fools are you people, man. That is a shell & of course it will be detected & you FRAUD, this is Not CALLED A TUTORIAL....better luck next time..

  13. who the bastard are here...going to learn the shell, where it is located and how it works...
    firstly learn what is shell and how it works...

  14. I wish I could have a chat with aneesh... Too many questions to ask.

  15. Wow, thank you Admin
    Hacking Website And Upload Shell
