# Local File Inclusion

## Introduction

Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. The vulnerability exists when a web application includes a file without correctly sanitising the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.

## How to Test

Any script that includes a file from a web server is a good candidate for further LFI testing, for example:

```
/script.php?page=index.html
```

An attacker would attempt to exploit this vulnerability by manipulating the file location parameter, for example:

```
/script.php?page=../../../../../../../../etc/passwd
```

The above is an effort to display the contents of the /etc/passwd file on a UNIX / Linux based system.

### Null Byte Technique

Null byte injection bypasses application filtering within web applications by adding URL-encoded null bytes such as `%00`. Typically this bypasses basic blacklist filters: the added null characters are either allowed through or not processed by the backend web application.

#### Practical examples of null byte injection for LFI

```
vuln.php?page=/etc/passwd%00
vuln.php?page=/etc/passwd%2500
```

#### /proc/self/environ

If the server is outdated, it can be exploited through LFI by including the `/proc/self/environ` file, which stores the User-Agent header. PHP code placed in that header is executed when the file is included, which lets us run a shell command.

```
http://192.168.x.xxx/dvwa/vulnerabilities/fi/?page=proc/self/environ
```

Put `<?php system($_GET['cmd']); ?>` in the User-Agent header, send the request, and add `cmd=id` as a GET parameter in the URL.

## How to Fix

The easiest way to prevent Local File Inclusion vulnerabilities is to set `allow_url_include` to `Off` in the PHP configuration. You can disable `allow_url_include` in php.ini or in .htaccess.

### php.ini

```
allow_url_include = Off
```

### .htaccess

```
php_flag allow_url_include off
```

* If possible, do not permit file paths to be appended directly. Make them hard-coded, or selectable from a limited hard-coded path list via an index variable.
* If you definitely need dynamic path concatenation, ensure you only accept the characters you require, such as `a-zA-Z0-9`, and reject `..`, `/`, `%00` (null byte) and any other similar unexpected characters.
* Limit the API so that it can only include files from one directory and the directories below it. This ensures that an attacker cannot perform a directory traversal attack.
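The index-into-a-list and directory-confinement advice above, as an added PHP example that is not the page's own code; it assumes PHP 8 and a `pages/` directory next to the script, and shows the vulnerable `include` beside the two fixes:

```php
<?php
// Added example, not the page's own code. The vulnerable pattern the
// "How to Test" section probes, beside the two fixes from the bullet list.
// Vulnerable: the request value reaches include() untouched, so
// ?page=../../../../etc/passwd walks out of the web root.
function vulnerable_include(string $page): void
{
    include $page;
}

// Fix 1: the request carries an index into a hard-coded list, never a path,
// so "..", "/" and "%00" have nothing to act on.
const PAGES = [
    'home'    => 'index.html',
    'about'   => 'about.html',
    'contact' => 'contact.html',
];

function include_by_key(string $key): bool
{
    if (!array_key_exists($key, PAGES)) {
        http_response_code(404);
        return false;
    }
    include __DIR__ . '/pages/' . PAGES[$key];
    return true;
}

// Fix 2: dynamic names restricted to [a-zA-Z0-9_-], then confined to one
// directory by comparing the realpath()-canonicalised target (which resolves
// ".." and symlinks, and is false for missing files) with the base directory.
function include_confined(string $name): bool
{
    $base = realpath(__DIR__ . '/pages');
    if ($base === false || !preg_match('/^[a-zA-Z0-9_-]+$/', $name)) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name . '.html');
    if ($target === false || !str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    include $target;
    return true;
}

// Dispatcher: ?page=home uses the key list, ?doc=about the confined form.
if (isset($_GET['page']) && is_string($_GET['page'])) {
    include_by_key($_GET['page']);
} elseif (isset($_GET['doc']) && is_string($_GET['doc'])) {
    include_confined($_GET['doc']);
}
```

Note that `allow_url_include` only governs remote (URL wrapper) inclusion, so the input checks above are what stop the local traversal shown in the testing section.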
