1. Introduction to Local and Remote File Inclusion

LFI - Local File Inclusion

LFI allows an attacker to include files that are already present on the target server.

Example

Exploiting the vulnerability to read sensitive data on the server.

RFI - Remote File Inclusion

This attack allows an attacker to include a malicious file hosted at an external location. This can lead to arbitrary code execution on the server, essentially giving us an easy way into the server itself.

LFI and RFI usually happen because a web application accepts input from a user and uses it as a path to a file without properly validating it.

Example

For example, if a website lets us change the language from English to German and the input is not properly sanitized, it might let us submit something like ../../../.. instead of German. That takes us to the root directory of the server, and from there appending etc/passwd includes the passwd file. Sometimes "guards" are put in place against this, but if they are not implemented properly they may be easily bypassed.
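As an added example (not code from the original notes), here is the vulnerable language-include pattern beside a hardened form in Python, using a constructed temporary directory layout that stands in for the site's language files; the allowlist ALLOWED_LANGS, the file names and the helper names are assumptions.

```python
import os
import tempfile

# Constructed demo layout (not real site content): a web root holding a
# "lang" directory plus a file that should never be reachable through it.
ROOT = tempfile.mkdtemp(prefix="lfi_demo_")
LANG_DIR = os.path.join(ROOT, "lang")
os.mkdir(LANG_DIR)
for code in ("en", "de"):
    with open(os.path.join(LANG_DIR, code + ".txt"), "w") as f:
        f.write("language=" + code)
with open(os.path.join(ROOT, "secret.txt"), "w") as f:
    f.write("stand-in for a sensitive server file")

ALLOWED_LANGS = {"en", "de"}  # assumed allowlist of supported languages


def include_language_unsafe(lang: str) -> str:
    """The vulnerable pattern: the user value is glued onto the path with no
    validation, so '../' sequences walk out of LANG_DIR."""
    with open(os.path.join(LANG_DIR, lang)) as f:
        return f.read()


def include_language_safe(lang: str) -> str:
    """Hardened pattern: allowlist the value, build the file name ourselves,
    and confirm the canonical path is still inside LANG_DIR."""
    if lang not in ALLOWED_LANGS:
        raise ValueError("unsupported language")
    base = os.path.realpath(LANG_DIR)
    path = os.path.realpath(os.path.join(base, lang + ".txt"))
    # Defence in depth: refuse anything whose canonical form escapes base,
    # which also catches symlinks or traversal that a loosened allowlist misses.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("path escapes language directory")
    with open(path) as f:
        return f.read()


def escapes_lang_dir(value: str) -> bool:
    """Report (without opening anything) whether a raw parameter value would
    resolve outside LANG_DIR; handy when reviewing rejected input in logs."""
    base = os.path.realpath(LANG_DIR)
    target = os.path.realpath(os.path.join(base, value))
    return os.path.commonpath([base, target]) != base


if __name__ == "__main__":
    print(include_language_unsafe("../secret.txt"))    # the bug: reads outside lang/
    print(include_language_safe("de"))                 # language=de
    print(escapes_lang_dir("../../../../etc/passwd"))  # True
```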