Local file inclusion

What is it?

Local File Inclusion (LFI) is a vulnerability that allows an attacker to read and sometimes execute files on the victim’s system. This could lead to revealing sensitive information or even remote code execution if handled poorly by the application.

A simple example:

  • A vulnerable web application may have the endpoint /page?file={filename}

  • When a request is made, the application includes the specified file into the current script.

  • If an attacker inserts a path into {filename} such as ../../../etc/passwd, they might get access to the system files.

  • The application then includes this file, and if the file contents are outputted to the response, the attacker can view sensitive system information.

It's important to note that a payload or attack may change depending on the application and the server's file system. LFI can often lead to:

  • Sensitive data exposure

  • Remote code execution

  • Server information disclosure

Other learning resources:

  • PortSwigger: https://portswigger.net/web-security/file-path-traversal

  • PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion



Basic file inclusion


Using PHP filter for base64 encoding of the file


Log poisoning


RFI (if allow_url_include is on)


Last updated