Scripts that take filenames as parameters without sanitizing the user input are typically good candidates for LFI vulnerabilities.

For example, a PHP script:

An attacker would replace image2.jpg with a directory traversal payload:

Or other sensitive files within the web server itself, exposing configuration files or other sensitive information.

In some cases it's possible to run system executables and get command execution via LFI, e.g. through log poisoning or PHP wrappers.

PHP Wrappers

PHP Wrapper expect://

PHP Wrapper php://input

Here the payload is sent in the HTTP POST body.

HTTP POST Body Payload

Hosting a PHP reverse shell payload from the attacker host.

Another PHP Wrapper is filter.


In this example the output is encoded in Base64, enabling you to read files by decoding the output.

Log Poisoning and Code Execution

If it's possible to include a log file, e.g. Apache log files, /proc/self/environ or /proc/self/fd/xx (where xx would need to be fuzzed with e.g. FuzzDB's list "LFI-DF-Check.txt"), then it might be possible to get code execution by sending PHP code in the User-Agent field, Referer header or similar. When the log file is included, the PHP code it contains is included with it, providing code execution.

Sending the following PHP code in our payload would allow us to execute system commands in the vulnerable script, e.g. foo.php?file=../../../../../../../etc/passwd&cmd=id

Note: if PHP functions such as system are disabled, it might be possible to get execution via other PHP functions, e.g. shell_exec.
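On the detection side, as an added example that is not part of the original post: a Python scan of web server access logs for the request patterns this page names (directory traversal, the expect:// and php:// wrappers, /proc/self includes) and for PHP tags in logged headers. The combined log format, the rule names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; quoted fields may hold backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] ' + Q + r' \d{3} \S+ ' + Q + ' ' + Q)

# Rule names are this example's own; the patterns are the ones the page describes.
REQUEST_RULES = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "php-wrapper": re.compile(r"expect://|php://(?:input|filter)", re.I),
    "proc-include": re.compile(r"/proc/self/(?:environ|fd/\d+)"),
}
# A PHP open tag in a logged header is the precondition for log poisoning.
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)

def normalize(value, rounds=3):
    """Percent-decode a few rounds: the log keeps the request line as sent."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def scan_line(line):
    """Return the sorted names of the rules one access-log line triggers."""
    m = COMBINED.match(line)
    if not m:
        return ["unparsed"]
    request, referer, agent = (normalize(g) for g in m.groups())
    hits = {name for name, rule in REQUEST_RULES.items() if rule.search(request)}
    if PHP_TAG.search(referer) or PHP_TAG.search(agent):
        hits.add("php-in-header")
    return sorted(hits)

# Constructed sample lines (documentation IP range, not real traffic).
LINE = '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "{}" 200 512 "-" "{}"'
SAMPLE = [
    LINE.format("GET /foo.php?file=image2.jpg HTTP/1.1", "Mozilla/5.0"),
    LINE.format("GET /foo.php?file=../../../../../../../etc/passwd&cmd=id HTTP/1.1", "Mozilla/5.0"),
    LINE.format("GET /foo.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1", "Mozilla/5.0"),
    LINE.format("POST /foo.php?file=php://input HTTP/1.1", "Mozilla/5.0"),
    LINE.format("GET /foo.php?file=/proc/self/fd/12 HTTP/1.1", "Mozilla/5.0"),
    LINE.format("GET /index.php HTTP/1.1", "<?php /* constructed marker */ ?>"),
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scan_line(entry), entry.split('"')[1])
```

A php-in-header hit means the log file itself now contains PHP code, so it is worth flagging even when no include request follows in the same log.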


Local File Inclusion (LFI)