LFI (Local File Inclusion)
Local File Inclusion lets an attacker read local files on the server by supplying a file's location directly to the application.
Vulnerability Name: Local File Inclusion on [Parameter] at [Domain name]
Vulnerability Description: An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. Typically, LFI occurs when an application takes the path to a file as user input. If the application treats this input as trusted, an attacker-chosen local file may end up in the include statement.
Payload:
[Malicious payload]
Steps to Reproduce:
1. Go to the [URL].
2. Change the value of [param] to the above payload.
3. Check the response; it will contain the content of the mentioned file.
Proof-of-concept:
Screenshots or a video link attached.
Impact:
1. An attacker can read any file from the server.
2. An attacker might be able to execute system commands.
Attack Scenario: Because of an unsafe parameter and poor validation of user input, an attacker can read system files by requesting them through the [parameter]. In some cases this may lead to command injection.
Remediation: To avoid LFI and many other vulnerabilities, never trust user input. If you need to include local files in your website or web application code, use a whitelist of allowed file names and locations. Make sure that none of these files can be replaced by the attacker using file upload functions.
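The contrast below is an added example, not code from the original template: a vulnerable page resolver that joins the request parameter straight into a path, beside the allowlist-based version the remediation describes, with a normalisation check on the final path as defence in depth. `BASE_DIR`, `ALLOWED_PAGES` and the `.html` suffix are assumptions chosen for the example.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed scenario: the app includes a page chosen by a request parameter.
# BASE_DIR and ALLOWED_PAGES are assumptions for this example, not real paths.
BASE_DIR = Path("/var/www/app/pages")
ALLOWED_PAGES = {"home", "about", "contact"}


def vulnerable_resolve(page: str) -> str:
    """The pattern that produces LFI: the parameter is trusted and joined
    straight into a filesystem path. Returns the path the OS would open."""
    return os.path.normpath(BASE_DIR / page)


def safe_resolve(page: str) -> Optional[Path]:
    """Remediation from the report: only names on an explicit allowlist are
    included, and the final path is still checked against BASE_DIR."""
    if page not in ALLOWED_PAGES:          # reject anything the app does not ship
        return None
    candidate = Path(os.path.normpath(BASE_DIR / f"{page}.html"))
    if BASE_DIR not in candidate.parents:  # defence in depth against traversal
        return None
    return candidate


def demo(param: str) -> dict:
    """Show where a given request value lands under each implementation."""
    safe = safe_resolve(param)
    return {
        "vulnerable_opens": vulnerable_resolve(param),
        "hardened_opens": str(safe) if safe else "rejected",
    }


if __name__ == "__main__":
    for value in ("home", "../../../../etc/passwd", "/etc/passwd"):
        print(value, "->", demo(value))
```

The allowlist check alone is what closes the bug; the `parents` check only guards against a mistake in the allowlist itself, and an upload directory should never be under `BASE_DIR`.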