Local File Inclusion (LFI)


Local File Inclusion (LFI) vulnerability allow attacker to execute some program/script available on Local Server.

for eg., http://site.com/?include=register.php

This is implemented in php at server as,

$include = $_GET['include'];
include('pages/' . $include);

This is Unsafe way of implementation as it is not validating user's input.

Then, the attacker may supply any other local file, which will be executed by the server. http://site.com/?include=admin/reset.php

LFI and Path Traversal look similar, but they are not. LFI can execute a file, whereas Path Traversal can only read the content of the file.


  • Sensitive internal information may get compromised.
  • Internal hosts can be accessed.
  • Impact mainly depends on what can attacker access there, it may be limited to some information disclosure, or it may lead to a full compromise of the server.
  • May lead to Remote Code Execution(RCE).


  • Never trust the user, always filter user input and then give it to further function.
  • Instead of using file path in URL, Store it in some database and assigned numeric id to it, and use the ID in URL.
  • Prefer whitelisting files that you want.


  • kadimus: a tool to check if vulnerability and exploit it.
  • Liffy : Local file inclusion exploitation tool