
Introduction to Local File Inclusion (LFI)

Local File Inclusion (LFI) is a web security vulnerability that lets an attacker make the server include, and in many cases execute, files from its own file system by manipulating a request parameter. It arises when a web application builds the path of a file to include from user-supplied input and then passes that path to a file inclusion function.

If the application does not validate this input, an attacker can use directory traversal sequences (../) to point it at arbitrary files on the server's file system. What can actually be read is bounded by the permissions of the account the web server or PHP process runs as, but that account can typically read the application's own source and configuration, system files such as /etc/passwd, and whatever it writes itself (logs, sessions, uploads).

Core Cause

The vulnerability typically occurs in PHP applications that pass unvalidated user input to include, require, include_once, or require_once. These functions do not merely read the named file: any PHP code it contains is executed in the context of the application, which is why LFI so often escalates beyond file disclosure.

Vulnerable Code Example:

<?php
    $file = $_GET['page']; // User-controlled input
    include($file);       // The input is directly used in a file inclusion function
?>
An attacker could exploit this with a request like http://example.com/index.php?page=../../../../etc/passwd. Because the parameter is used unchanged, the traversal sequences climb out of the application directory to the file system root, and since /etc/passwd contains no PHP tags its contents are simply emitted into the response.
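The following is an added example, not code from the original page, showing the handler above rewritten so that the request parameter can no longer select an arbitrary file. It demonstrates the two standard fixes: an allowlist that maps the parameter onto a fixed set of files, and, for sites with too many pages to enumerate, a containment check that canonicalises the requested path with realpath() and verifies it stays inside a pages directory. The pages/ directory, the page names, and the function names are assumptions made for illustration.

```php
<?php
// Added example, not the original page's code. The "pages/" directory,
// the page names and the function names are assumptions for illustration.

// Option 1: allowlist. The parameter is only ever a key into a fixed map;
// the raw string never becomes part of a file system path.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function page_from_allowlist(string $page): string
{
    // Unknown values fall back to the default page instead of erroring out.
    return ALLOWED_PAGES[$page] ?? ALLOWED_PAGES['home'];
}

// Option 2: containment check. Returns the canonical path of the requested
// page, or null if the request is not a plain file name or resolves to a
// location outside the pages directory.
function resolve_page_path(string $page, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                      // pages directory missing
    }
    // First line of defence: only simple names, so "../", "/", ":" and
    // null bytes are rejected before the file system is consulted. This
    // alone blocks traversal and wrappers such as php://filter or data:.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $page)) {
        return null;
    }
    // Second line of defence: realpath() resolves symlinks and "..", so a
    // prefix comparison against the base directory is meaningful.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $page . '.php');
    if ($candidate === false) {
        return null;                      // no such file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                      // escaped pages/ (e.g. via a symlink)
    }
    return $candidate;
}

$page = $_GET['page'] ?? 'home';
if (!is_string($page)) {                  // ?page[]=x would otherwise be an array
    $page = 'home';
}
$path = resolve_page_path($page, __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include($path);
```

With either option, requests such as ?page=../../../../etc/passwd, ?page=/etc/passwd or ?page=php://filter/convert.base64-encode/resource=index now yield a 404 rather than a file. Where the set of pages is known in advance the allowlist is preferable, because it removes the file system from the decision entirely; the realpath-based check is the fallback when it is not.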

Impact

The impact of LFI is severe and multifaceted, ranging from information disclosure to full remote code execution (RCE).

  • Information Disclosure: Attackers can read any file the web server's account can open: system files (e.g., /etc/passwd), application source code (which often reveals further bugs), configuration files containing database or API credentials, and other sensitive documents.
  • Session Hijacking: If an attacker can read the server's session store (PHP stores each session as a file named sess_<id> under session.save_path), they can recover the data of active sessions and potentially take them over. In practice this requires knowing or guessing the session identifiers, since those are the file names.
  • Remote Code Execution: This is the most critical impact. Because include executes PHP code found in the included file, LFI escalates to RCE whenever the attacker can get controlled content into a file the server will include: poisoned log files, uploaded files, or data supplied through PHP wrappers such as php://input or data:. See the Exploitation and Case Studies for detailed examples.

References

  • OWASP: Local File Inclusion
  • PortSwigger: Local File Inclusion