Local file inclusion (LFI) is a web vulnerability that lets a malicious hacker access, view, run or expose files on the web server. this may also lead to information disclosure, cross-site scripting (XSS) and remote code execution.

In a web application, many back-ends programming languages often include files from the server using HTTP parameter to display contents on a webpage, LFI occurs when such functionalities are not securely coded, an attacker may manipulate these parameters to display the content of any local file on the hosting server.

Example:

The below url is a link to a web page which filename.php is the file/page the web application is trying to load, a attacker can manipulate the input and include another file or directory

http://example.com/?file=filename.php

An attacker can manipulate these file parameter to access sensitive files

http://example.com/?file=../../../../etc/passwd

In this case, if the web application doesn’t properly validate input, it might include the /etc/passwd file, revealing sensitive information.

File Inclusion vulnerabilities can occur in many of the most popular web servers and development frameworks, like PHP, NodeJs, Java, .Net, and many others. Each of them has a slightly different approach to including local files, but they all share one common thing loading a file from a specified path we will only focus on PHP web applications running on a Linux back-end server.

Local File Inclusion Vulnerabilities are often found in web application functions that handle input without proper validation Such functions include include_once(), require(), require_once(), file_get_contents(), fopen(), and several others as well.