Local File Inclusion: how it works, with example code for testing
In this blog I will explain how Local File Inclusion works and what its impact is, share three different code scenarios for the local file inclusion vulnerability, and at the end give DVWA LFI examples.
What is Local File Inclusion?
Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server. It is similar to remote file inclusion, but files cannot be included from any other system, only from the server on which the application is running.
LFI attacks can expose sensitive information, and in severe cases, they can lead to cross-site scripting (XSS) and remote code execution. LFI is listed as one of the OWASP Top 10 web application vulnerabilities.
reference — https://brightsec.com/blog/local-file-inclusion-lfi/
The restriction to local files is due to one of two reasons:
- The PHP “allow url” configuration is disabled, so files are not included remotely at all.
- Or a static link is created to include files from a specific IP.
In these cases, we will include files locally from the local system.
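To make the definition above concrete, here is an added example (not code from the original post) that puts the include pattern behind LFI next to a hardened version. The `page` parameter, the `pages/` directory, the page names and the function names are assumptions for illustration.

```php
<?php
// Added illustration; not code from the original post.
// Assumed layout: page templates live in ./pages/ and are selected by ?page=...

// Vulnerable pattern: the request value becomes part of the include path,
// so PHP resolves whatever location that value ends up pointing to.
function render_vulnerable(string $page): void
{
    include __DIR__ . '/pages/' . $page;   // do not use
}

// Hardened pattern, step 1: an allow-list maps request values to fixed
// file names. The user value is only an array key, never part of a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                       // unknown page: reject
    }
    $base = realpath(__DIR__ . '/pages');
    if ($base === false) {
        return null;                       // pages directory is missing
    }
    // Step 2 (defence in depth): canonicalise, then confirm the file
    // still sits inside the pages directory (catches symlinks, etc.).
    $path = realpath($base . DIRECTORY_SEPARATOR . PAGES[$page]);
    if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

function render_safe(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

render_safe($_GET['page'] ?? 'home');
```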
Configuring PHP on a virtual machine for LFI →
#go to the PHP configuration
#in Debian
vim /etc/php/8.2/apache2/php.ini
#in CentOS
vim /etc/php.ini
#turn off these values …