Tags: PHP, web security, penetration testing, LFI, ethical-hacking, local-file-inclusion

Exploring LFI (Local File Inclusion)

In this lesson, we will dive into one of the most common and dangerous vulnerabilities in web applications: Local File Inclusion (LFI). As always, we will approach it from a technical and practical perspective, but without losing the human touch that accompanies every line. Here, we not only learn tools, but also how to think, analyze, and connect the dots.

What is LFI?

Local File Inclusion is a vulnerability that occurs when a web application allows files from the server's file system to be included without proper validation. In other words, if a parameter in a URL is used directly to include a file, and it is not properly filtered or validated, it is possible to include arbitrary files. This can allow an attacker to read sensitive files from the system, such as:

  • /etc/passwd (user list on Linux systems)
  • Application configuration files
  • System logs
  • Files containing credentials or keys

How to identify LFI?

Suspicious parameters that load pages or templates (such as ?page= or ?file=) are possible vectors.

Example of vulnerable code:

    <?php
    // Vulnerable: the page name is taken straight from the request and
    // interpolated into the include path without any validation.
    $page = $_GET['page'] ?? 'home';
    include("pages/$page.php");
    ?>

If we access the URL with something like:

http://example.com/index.php?page=about

The server will include the file pages/about.php. But what happens if we manipulate the value?

http://example.com/index.php?page=../../../../etc/passwd

This could load the /etc/passwd file from the server's system. This is Local File Inclusion. Note that the code above appends .php to the value, so what PHP actually tries to open is pages/../../../../etc/passwd.php; the traversal only reaches /etc/passwd where that suffix can be cut off (for example with the null-byte trick covered under Common bypasses, which only works on old PHP versions) or where the application includes the parameter without a fixed suffix.

What does LFI look like in action?

Imagine this file structure on a server:

/var/www/html/
├── index.php
├── pages/
│   ├── home.php
│   └── about.php
├── flag.txt

And a vulnerable application accessed with:

http://example/index.php?page=../../flag

The flag.txt file could be read if it is within reach of the relative path used.

Common bypasses

In real environments, files may require extensions or have filters. Some methods to evade filters include:

  • Appending a null byte (%00) to truncate whatever the application adds after the parameter: ../../flag%00 or ../../flag.txt%00 (only effective on PHP older than 5.3.4, which stopped accepting null bytes in file paths)
  • URL-encoding the traversal sequence to get past naive filters: ..%2f..%2f..%2fetc%2fpasswd
  • Adding fake extensions: ../../flag.txt.php

Important: not all environments will allow reading arbitrary files. Success depends on server configuration and file system permissions.

Recommendations to prevent LFI

  • Validate and filter input parameters
  • Use whitelists of allowed files
  • Do not include paths directly from parameters
  • Set appropriate permissions on the file system
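As an added example that is not part of the original lesson, here is a hardened replacement for the vulnerable include("pages/$page.php") shown earlier, applying the recommendations above: an allowlist of page names, no user-controlled path components, and a realpath() check as defence in depth. The page names home and about come from the lesson's directory layout; the function name resolvePage is an assumption.

```php
<?php
// Added example (not the lesson's own code): hardened page loader.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: the only values ?page= may take. Anything else is rejected,
// so traversal sequences, encodings and null bytes never reach include().
const ALLOWED_PAGES = ['home', 'about'];

/**
 * Resolve a requested page name to an absolute file path inside PAGES_DIR,
 * or return null if the request is not acceptable. (Hypothetical helper.)
 */
function resolvePage(string $requested): ?string
{
    // 1. Exact, type-strict allowlist match on the bare page name.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Defence in depth: confirm the resolved file really lives under
    //    PAGES_DIR. realpath() collapses any ".." and symlinks, and returns
    //    false when the file does not exist.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// ?page[]=x would make $_GET['page'] an array; treat anything that is not
// a string as an invalid request.
$page = $_GET['page'] ?? 'home';
$file = resolvePage(is_string($page) ? $page : '');

if ($file === null) {
    // Record the rejected value for monitoring; never echo it back to the client.
    error_log('Rejected page parameter: ' . json_encode($page));
    http_response_code(404);
    exit('Page not found');
}

include $file;
```

Rejected requests are logged rather than reflected, so repeated traversal attempts against ?page= show up in the error log for detection without leaking path information to the requester.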

Every time you find a vulnerability like this, you are not just seeing a flaw. You are seeing how small decisions, unchecked lines of code, become open doors. You are training your mind to see the invisible, to read what others did not. That is being a pentester. And that is growth.