Local File Inclusion (LFI)

Local File Inclusion (LFI) is a vulnerability where an application includes local files based on user input, allowing attackers to read sensitive files or potentially execute code by including files containing malicious content.

How It Works

When applications dynamically include files using user-controlled paths (e.g., PHP's include()), attackers can manipulate the path to include unintended local files. Unlike simple path traversal, LFI can execute code if the included file contains executable content.

Vulnerable Code Example

// PHP - vulnerable
$page = $_GET['page'];
include($page . '.php');

// Attack: ?page=../../../etc/passwd%00  (null-byte truncation of the '.php' suffix; PHP < 5.3.4 only)
// Or:     ?page=php://filter/convert.base64-encode/resource=config  (returns config.php source as base64)

Exploitation Techniques

# Read files via PHP wrappers
?page=php://filter/convert.base64-encode/resource=index

# Include log files with injected PHP (Log Poisoning)
?page=../../../var/log/apache2/access.log

# Include uploaded files
?page=../uploads/avatar.php

# Include /proc for information disclosure
?page=/proc/self/environ

PHP Wrappers for LFI

  • php://filter - Read file contents as base64
  • php://input - Include POST data as code
  • data:// - Include inline data
  • expect:// - Execute commands (if enabled)

Escalation to RCE

  • Log poisoning (inject PHP into logs, then include log file)
  • Session file inclusion
  • Include uploaded files
  • PHP wrappers with controlled input

Prevention

  • Avoid user input in file paths: Use a mapping of allowed values instead
  • Allowlist validation: Only permit known-safe file names
  • Use basename(): Strip directory components from input
  • Disable dangerous PHP wrappers: Set allow_url_include=Off, which blocks remote URLs, data:// and php://input inside include(); php://filter is unaffected, so path validation is still required
  • Chroot/jail the application: Limit accessible filesystem

Safe Pattern

// UNSAFE - direct user input
include($_GET['page'] . '.php');

// SAFE - allowlist approach
$allowed = ['home', 'about', 'contact'];
$page = $_GET['page'] ?? '';   // avoid an undefined-index notice when the parameter is absent
if (in_array($page, $allowed, true)) {
    include($page . '.php');
} else {
    include('404.php');
}
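The "mapping of allowed values" from the Prevention list, combined with a realpath() containment check as defence in depth, as an added example that is not part of the original page. It assumes a pages/ directory beside the script holding the templates; the key names are made up for the example.

```php
<?php
// Added example, not the page's own code. Assumes a "pages/" directory
// next to this script that holds home.php, about.php, contact.php, 404.php.
declare(strict_types=1);

// 1. The request carries only a key; the file name comes from this table,
//    so wrappers (php://, data://) and "../" never reach include() at all.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page key to an absolute path inside $baseDir,
 * or return null when the request must be refused.
 */
function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGE_MAP)) {
        return null;                            // not on the allowlist
    }
    $base = realpath($baseDir);
    $path = ($base === false)
        ? false
        : realpath($base . DIRECTORY_SEPARATOR . PAGE_MAP[$key]);
    if ($base === false || $path === false) {
        return null;                            // base or target missing on disk
    }
    // 2. Defence in depth: even a mistaken PAGE_MAP entry (e.g. "../x.php")
    //    cannot escape $baseDir. realpath() collapses "../" and returns
    //    false for stream wrappers, so only real files under $base pass.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ?page[]=x arrives as an array; treat anything that is not a string as unknown.
$key  = $_GET['page'] ?? 'home';
$key  = is_string($key) ? $key : '';
$file = resolve_page($key, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    $file = __DIR__ . '/pages/404.php';
}
include $file;
```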

See Also