As we saw in the previous recipe, file inclusion vulnerabilities occur when developers use poorly validated input to generate file paths and use those paths to include source code files. Modern versions of server-side languages, such as PHP since 5.2.0, have disabled the ability to include remote files by default, so it has been less common to find an RFI since 2011.
In this recipe, we will first upload a malicious file, namely a webshell (a web page capable of executing system commands in the server), and execute it using LFI.
