I am currently testing a few php shells that I have against a test php site I created, and I thought I would share some of the basics of a RFI ( Remote File Inclusion ). When I need to deal with web apps this is the second thing I will try right after SQL injection.
Here is the wikipedia article for another explanation.
In most cases I would use this to either display the contents of a file or execute another php script like a php based shell. If I am not really sure what I am looking for I will use a php based shell, something like this.
Typically what I will do is crawl the site and look for variables on each page and attempt something like this (borrowed from the wikipedia example).
A very simple and powerful method to attack sites.
Also it can be used for local file traversal, instead of a remote file you can specify a local file.
In these cases the %00 is very important for your success.