File Include 01

This exercise is one of our challenges on File Include vulnerabilities.

PRO Tier | Medium | < 1 Hr. | 10192

Course


Many web applications need to include files for loading classes or sharing templates across multiple pages. "File Include" vulnerabilities occur when user-controlled parameters are used in file inclusion functions like `require`, `require_once`, `include`, or `include_once` without proper filtering. This can allow an attacker to manipulate the function to load and execute arbitrary files.

In this lab, you will explore both Local File Include (LFI) and Remote File Include (RFI) vulnerabilities. By injecting special characters or using directory traversal techniques, you can read and execute files, potentially gaining control over the server. The lab also demonstrates how PHP's configuration option `allow_url_include` can enable remote file inclusion, leading to severe security risks.
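The include pattern described above, shown beside a hardened form. This is an added example, not code from the lab; the `page` parameter, the `pages/` directory and the page names are assumptions made for illustration.

```php
<?php
// Added illustration; "page", pages/ and the page names are assumptions.

// Vulnerable pattern: the request parameter reaches include() unfiltered, so
// the caller decides which file PHP loads and executes. Defined here only for
// comparison; it is never called.
function render_vulnerable(string $page): void
{
    include $page . '.php';
}

// Hardened pattern: the request value is only a lookup key into a fixed map
// and never becomes part of the path handed to include().
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                 // unknown key: reject rather than sanitize
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;                 // pages directory is missing
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . PAGES[$page]);
    // Defence in depth: the resolved file must exist inside the pages directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Configuration check: remote inclusion requires allow_url_include to be on.
// It is off by default and should stay off.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is enabled; set allow_url_include=Off in php.ini');
}

$page = $_GET['page'] ?? 'home';
$path = resolve_page(is_string($page) ? $page : '');
if ($path === null) {
    http_response_code(404);         // anything not in the map is refused
} else {
    include $path;
}
```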
