Remote File Inclusion For web application Pentesting

Hello in this mini-tutorial i am going to show you how to use PHP shells such as c99 or other shells to hack/recover your website admin account or deface it so its for educational purposes ONLY.

ok lets start.

Step 1 - Grab yourself a C99 shell from Here.

Step 2 - You need to find a free webhost to host it without deleting your account. i prefer since they don't check your accounts Grin

Step 3 - Register on a free hosting site and upload the C99.php ofc if your a PHP programmer i suggest you password protect that using This Script.

Step 4 - Dorks to type in Google are:here

also some pages with certain variables can be vuln too but these are the most common. such can be like inurl:?buy=car.php

Step 5 - For seeing if a site is vulnerable you can try this:

Imagine a link is:

for testing you do:

if Google's index page also loads in that page then its vulnerable

Step 6 - If you find a vulnerable site hat you need to do is replace that link with the C99 shell link you uploaded on your free webhost:

and wham! the C99 page is also loaded! you can now:

    Upload Files
    Delete Files
    Move Files
    Copy Files
    DOS the site
    Deface it
    Bruteforce FTP password
    Lag it
    Redirect visitors
    Install Drive-By's
    Grab Visitor Information and test exploitation on them
    Infect Visitors ( RAT - Keylogger - Stealer )
    Execute SQL commands
    Manage SQL accounts
    Execute PHP commands

End of Tutorial

ok Now how to prevent RFI on your website or server?

RFI is caused by this:

$inc = $_GET['link'];

To prevent that we replace strings on the include link:

$inc = $_GET['link'];
str_replace("http://", "", $inc);
str_replace("https://", "", $inc);
str_replace("www.", "", $inc);
str_replace(".php", "", $inc);
str_replace(".html", "", $inc);
str_replace(".", "", $inc);
str_replace("/", "", $inc);
str_replace("&", "", $inc);
str_replace("'", "", $inc);
str_replace(">", "", $inc);
str_replace(".com", "", $inc);
str_replace(".net", "", $inc);
str_replace(".org", "", $inc);
str_replace(".info", "", $inc);
str_replace("etc", "", $inc);
str_replace("passwd", "", $inc);
str_replace("..", "", $inc);
str_replace("...", "", $inc);

This way not only the include page wont be vuln to RFI but also protected from many more hacking methods

Thank you (zer0w0rm)

Published By : Zer0w0rm ~ Zer0w0rm



  1. Bluehost is definitely one of the best hosting company with plans for all of your hosting needs.

  2. I have been using Kaspersky protection for many years, I would recommend this product to all of you.