File Inclusion
Local File Inclusion (LFI) and Remote File Inclusion (RFI) are web application vulnerabilities where an attacker can manipulate file paths to include files, either from the local system (LFI) or remote servers (RFI), potentially leading to unauthorized access or code execution.
Remote File Inclusion (RFI)
If we find a way to include a remote file, we could try to include PHP code to execute commands on the host: we would serve malicious PHP code from a server we control so that the host fetches and interprets it.
If the server blocks access to external resources, we could attempt to use the data:// wrapper to inject PHP code as base64 instead, since the code then travels inside the request rather than being fetched remotely.
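The defence against both RFI and LFI is the same: never hand a user-controlled value to an include call without first proving it names an existing file inside an allowed directory. The following added example (not from the original page or from the referenced repositories) shows such a check in Python; the templates directory, the file inside it, the allowed-extension policy and the rule that no colon or percent sign may appear in a template name are all assumptions made for the example. It rejects absolute paths, traversal segments, null bytes, double-encoded input, stream wrappers and URLs, and trailing-slash or dot truncation, then confirms containment with a canonicalised path so symlinks cannot escape the base directory.

```python
"""Hardened include-path validation (added example, not the page's own code)."""
import os
import tempfile

# Extensions a template name is allowed to have (assumed policy for this example).
ALLOWED_EXT = (".php", ".html")


def check_include(base_dir: str, user_value: str):
    """Validate a user-supplied include name.

    Returns (True, absolute_path) when the value names an existing file under
    base_dir, otherwise (False, reason). The caller must only include the path
    returned here, never the raw user value.
    """
    if not user_value:
        return False, "empty value"
    # A null byte would silently truncate the path in C-backed file APIs.
    if "\x00" in user_value:
        return False, "null byte"
    # The framework has already URL-decoded the parameter once; a remaining '%'
    # means double encoding (e.g. %252e), so refuse rather than decode again.
    if "%" in user_value:
        return False, "percent-encoded characters"
    # No legitimate template name contains ':'; this blocks http://, data://,
    # php://, other stream wrappers and Windows drive letters in one check.
    if ":" in user_value:
        return False, "scheme, wrapper or drive letter"
    # Normalise separators, then reject absolute paths and '.'/'..' segments.
    normalized = user_value.replace("\\", "/")
    if normalized.startswith("/"):
        return False, "absolute path"
    segments = normalized.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        return False, "traversal or empty path segment"
    # Extension allowlist also defeats trailing-dot/slash truncation tricks.
    if not normalized.endswith(ALLOWED_EXT):
        return False, "extension not allowed"
    # Canonicalise both sides (resolves symlinks) and confirm containment.
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, normalized))
    try:
        inside = os.path.commonpath([real_base, candidate]) == real_base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        return False, "escapes base directory"
    if not os.path.isfile(candidate):
        return False, "no such file"
    return True, candidate


def make_fixture() -> str:
    """Create a constructed templates directory holding one includable page."""
    base = tempfile.mkdtemp(prefix="templates_")
    os.makedirs(os.path.join(base, "pages"))
    with open(os.path.join(base, "pages", "home.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'home'; ?>\n")
    return base


if __name__ == "__main__":
    base = make_fixture()
    # Constructed sample values: one legitimate name and several that must be refused.
    for value in (
        "pages/home.php",
        "../../../etc/passwd",
        "/etc/passwd",
        "pages/home.php\x00.txt",
        "data://text/plain;base64,PD9waHA=",
        "http://example.invalid/shell.php",
        "..%2f..%2fetc%2fpasswd",
        "pages/home.php/",
    ):
        print(repr(value), "->", check_include(base, value))
```

Logging the rejection reason alongside the source IP gives a cheap detection signal: a burst of "traversal", "null byte" or "scheme" rejections on one parameter is a clear indicator that the include point is being probed.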
Local File Inclusion (LFI)
Absolute Path
Relative Path Traversal
Null Byte
Encoding
Absolute Path
Truncation
Filtered characters
References
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
https://book.hacktricks.xyz/pentesting-web/file-inclusion