
File Inclusion

A File Inclusion vulnerability is a type of vulnerability that most often affects web applications that rely on a scripting runtime.

This problem occurs when an application creates a path to executable code using a variable controlled by the attacker in a way that allows the attacker to control which file is executed at runtime.

There are two possible attacks, LFI and RFI:

  • Local File Inclusion (LFI) - Allows us to load local files.
  • Remote File Inclusion (RFI) - Allows us to load files from a remote location.

If we enter the section, we find a list of files.

List of files for inclusion

If we click on them, they are loaded, executing their code.

File loaded

If we look at the URL, we see that it contains the name of the file we just clicked on.

Url file-inclusion
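
The pattern behind that URL, next to a hardened form. This is an added example, not the application's own code. The parameter name `page`, the file names, the `pages` directory and the helper `resolve_page` are all assumptions.

```php
<?php
// Added example. "page", the file names and the "pages" directory are assumed.

// Vulnerable pattern described above: the request value *is* the include path,
// so whoever controls the URL controls which file the runtime executes.
//   include $_GET['page'];

// Hardened form: the request value only selects a key in a fixed map.
const PAGES = [
    'file1' => 'file1.php',
    'file2' => 'file2.php',
    'file3' => 'file3.php',
];

function resolve_page(string $requested, string $baseDir): ?string
{
    // Reject anything that is not an exact, known key. Path separators,
    // "..", and URL schemes never reach the filesystem layer.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $real === false) {
        return null; // base directory or mapped file does not exist
    }

    // Defence in depth: after symlink resolution the file must still
    // live inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$requested = $_GET['page'] ?? 'file1';
// A query string can also deliver an array (?page[]=x); accept strings only.
$path = is_string($requested) ? resolve_page($requested, __DIR__ . '/pages') : null;

if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```

In PHP, including a remote URL additionally depends on the `allow_url_include` setting, which is off by default; the allowlist above removes the need to rely on it.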