What is Local File Inclusion (LFI)?

Local File Inclusion (LFI) is a common vulnerability found in web applications that allows an attacker to include files on a server through the web browser. This vulnerability occurs when a web application dynamically includes files based on user input, without properly sanitizing or validating that input. Attackers can exploit LFI to disclose sensitive information, execute arbitrary code, or escalate their privileges on the server.

Exploits and Commands

LFI can be exploited using various techniques, including:

• Directory Traversal: Manipulating file paths to navigate to directories outside of the web root.
• Null Byte Injection: Appending a null byte (%00) to terminate file names and bypass security checks.
• Path Truncation: Truncating file paths to access files located in predictable locations.
• PHP Wrappers: Leveraging PHP wrappers like "php://input" or "php://filter" to include remote files or execute PHP code.

Common commands and payloads used in LFI exploitation include:

http://example.com/page.php?file=../../etc/passwd
http://example.com/page.php?file=../../../../etc/passwd%00
http://example.com/page.php?file=../../../../etc/passwd%00.jpg
http://example.com/page.php?file=php://filter/convert.base64-encode/resource=index.php

These commands demonstrate different ways to exploit LFI vulnerabilities by manipulating file paths or leveraging PHP wrappers to include remote files or execute arbitrary code.