LFI (Local File Inclusion)

Local File Inclusion is a vulnerability in which the application builds a file path from user input, so an attacker can supply the location of a local file and have the server read (and, in some cases, execute) it.
Vulnerability Name: Local File Inclusion on [Parameter] at [Domain name]
Vulnerability Description: An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. LFI typically occurs when an application takes a file path or file name as input and passes it to an include or file-read operation without validation; because the input is treated as trusted, the attacker chooses which local file is included.

[Don't forget to add your vulnerability description, the one given above is a general description]

Payload: [Malicious payload]
Steps to Reproduce:
  1. Go to the [URL].
  2. Change the value of [param] to the above payload.
  3. Check the response and you will see the content of the mentioned file.
Proof-of-concept: Snapshots or video link attached.
Impact:
  1. An attacker can read any file on the server that the web server process has permission to read.
  2. An attacker may be able to execute commands on the server if they can include a file whose contents they control (for example an uploaded file or a log entry they have written).
Attack Scenario: Because the [parameter] is passed to a file operation without proper input validation, an attacker can read system files by naming them in the [parameter] value. If the attacker can also place content under their control on the server (for example through a file upload or a log entry) and include it, this can escalate to remote code execution.

[The above was a basic attack scenario you need to alter it according to the Workflow]

Remediation: To avoid LFI and many other vulnerabilities, never trust user input. If you need to include local files in your website or web application code, do not build the path from user input at all: map the parameter to a whitelist (allowlist) of permitted file names and locations and reject anything not on it. Canonicalise the resolved path and confirm it still lies inside the intended directory before opening it, since stripping "../" on its own is easily bypassed. Make sure that none of the whitelisted files can be replaced or created by the attacker using file upload functions.
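The following is an added example, not SecurityBoat's code and not part of the report template. It puts the vulnerable "include a page by name" handler next to the allowlist-based replacement the remediation describes, shows why a naive "../" strip is not a fix, and runs constructed payloads against both. The directory layout, the page names, the ALLOWED_PAGES table and the file contents are all hypothetical.

```python
# Added example (not SecurityBoat's code): a vulnerable "include a page by
# name" handler, a naive filter that does not fix it, and an allowlist-based
# replacement, exercised against constructed LFI payloads. Directory layout,
# parameter names and file contents are hypothetical.
import os
import tempfile
from urllib.parse import unquote

# Logical page names the application actually offers -> file under pages_dir.
ALLOWED_PAGES = {
    "home": "home.html",
    "about": "about.html",
}

# Constructed payloads of the kind sent in the [param] value.
SAMPLE_PAYLOADS = [
    "../../../../etc/passwd",               # plain traversal
    "..%2F..%2F..%2F..%2Fetc%2Fpasswd",      # URL-encoded, decoded by the server
    "....//....//....//....//etc/passwd",   # only works against a single '../' strip
]


def vulnerable_path(pages_dir, page_param):
    """What a handler like include($_GET['page']) ends up opening: the
    decoded parameter is joined straight onto the pages directory."""
    return os.path.realpath(os.path.join(pages_dir, unquote(page_param)))


def escapes_base(pages_dir, page_param):
    """True if the vulnerable handler would read outside pages_dir."""
    base = os.path.realpath(pages_dir)
    target = vulnerable_path(pages_dir, page_param)
    return os.path.commonpath([base, target]) != base


def naive_strip(page_param):
    """A common but broken fix: remove '../' once. '....//' collapses to '../'."""
    return unquote(page_param).replace("../", "")


def resolve_allowlisted(pages_dir, page_param):
    """Hardened resolution: the parameter is a key into ALLOWED_PAGES, never a
    path, and the resolved file must still sit under pages_dir.
    Returns the absolute path, or None when the request must be rejected."""
    filename = ALLOWED_PAGES.get(page_param)
    if filename is None:
        return None
    base = os.path.realpath(pages_dir)
    resolved = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, resolved]) != base:  # defence in depth
        return None
    return resolved


def safe_read(pages_dir, page_param):
    """Read a page through the allowlist; raises ValueError for anything else."""
    path = resolve_allowlisted(pages_dir, page_param)
    if path is None:
        raise ValueError("page not allowed: %r" % page_param)
    with open(path) as f:
        return f.read()


def demo():
    """Create a throwaway web root with one allowed page and a config file
    outside the pages directory, then compare both handlers on a traversal
    payload. Returns a dict of observations instead of printing them."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        with open(os.path.join(pages, "home.html"), "w") as f:
            f.write("<h1>home</h1>")
        with open(os.path.join(root, "config.txt"), "w") as f:
            f.write("db_password=hunter2")       # constructed secret
        payload = "../config.txt"                # escapes pages/ in this layout
        with open(vulnerable_path(pages, payload)) as f:
            out["vulnerable"] = f.read()         # leaks the config file
        try:
            safe_read(pages, payload)
            out["safe"] = "LEAKED"
        except ValueError:
            out["safe"] = "blocked"
        out["safe_home"] = safe_read(pages, "home")
        out["escapes"] = [escapes_base(pages, p) for p in SAMPLE_PAYLOADS]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two details worth noticing when reading the output: the URL-encoded payload escapes the base directory exactly like the plain one because the server decodes it before the application sees it, and the "....//" payload does not escape on its own (realpath treats "...." as an ordinary directory name) but becomes a working traversal once naive_strip has removed each inner "../". The allowlisted version never lets the request touch a path, so none of the variants matter to it.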
@SecurityBoat Cybersecurity Private Limited