Start the machine, hack the system, and find the hidden flags to complete this challenge and earn XP!
Local File Inclusion (LFI) is a web application vulnerability that allows attackers to read files from the server by manipulating file path parameters. It occurs when an application uses user-supplied input to construct file paths without proper validation or sanitization. LFI vulnerabilities are commonly found in PHP applications that dynamically include files based on URL parameters or form inputs.
Web applications often include files dynamically to serve different pages or load configuration data. When developers use functions like include(), require(), or file_get_contents() with user-controllable input, attackers can manipulate the file path to access arbitrary files on the server. A typical LFI attack involves traversing directories using sequences like ../ to escape the intended directory and reach sensitive system files such as /etc/passwd or application configuration files containing credentials.
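The pattern described above, shown as an added Python example rather than code from the lab: a page loader that concatenates the request parameter into a path (the vulnerable form), next to a hardened loader that combines an allowlist with a canonical-path containment check. The web root, the `pages/` and `secrets/` directories and their contents are constructed in a temporary directory so the script runs offline; the allowlist name `ALLOWED_PAGES` and the helper names are assumptions for the illustration.

```python
import tempfile
from pathlib import Path

# Constructed sample web root: pages/ holds includable templates,
# secrets/ sits outside it and must never be reachable through the page parameter.
ROOT = Path(tempfile.mkdtemp(prefix="lfi_demo_"))
PAGES_DIR = ROOT / "pages"
PAGES_DIR.mkdir()
(ROOT / "secrets").mkdir()
(PAGES_DIR / "home.html").write_text("<h1>home</h1>")
(ROOT / "secrets" / "config.txt").write_text("db_password=constructed-value\n")

# Allowlist of page names the application is willing to include (assumed).
ALLOWED_PAGES = {"home"}


def unsafe_load(page: str) -> str:
    """Vulnerable pattern: the user-supplied value is joined onto the directory unchecked.

    A value such as "../secrets/config.txt" walks out of pages/ because the OS
    resolves the ".." component when the file is opened.
    """
    with open(PAGES_DIR / page) as f:
        return f.read()


def contained_load(relative: str) -> str:
    """Defence 1: canonicalise the final path and require it to stay under PAGES_DIR.

    This catches "../" sequences, absolute paths and symlinks that point outside
    the directory, even when an allowlist is not practical.
    """
    base = PAGES_DIR.resolve()
    candidate = (base / relative).resolve()
    if base not in candidate.parents:
        raise ValueError("path escapes pages directory")
    return candidate.read_text()


def safe_load(page: str) -> str:
    """Defence 2 (preferred): allowlist the page name, then append the extension
    server-side and still apply the containment check as defence in depth."""
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allowlist")
    return contained_load(f"{page}.html")


def load_status(loader, value: str) -> str:
    """Return 'ok' or the rejection reason; handy for tests and for logging denials."""
    try:
        loader(value)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("unsafe, traversal :", unsafe_load("../secrets/config.txt").strip())
    print("contained, traversal:", load_status(contained_load, "../secrets/config.txt"))
    print("safe, traversal    :", load_status(safe_load, "../secrets/config"))
    print("safe, null byte    :", load_status(safe_load, "home\x00"))
    print("safe, valid page   :", load_status(safe_load, "home"))
```

The allowlist is the control that actually removes the vulnerability class; the containment check is there so that a later refactor which drops the allowlist does not silently reopen the hole. Note that the null-byte case is rejected by the allowlist before any filesystem call is made, which is why the hardened loader does not depend on the PHP or Python version for that behaviour.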
Local File Inclusion vulnerabilities are particularly dangerous because they can serve as a stepping stone to more severe attacks. By reading configuration files, attackers can discover database credentials, API keys, and internal application details. In some cases, LFI can be escalated to Remote Code Execution (RCE) by including log files that contain injected PHP code, or by leveraging PHP wrappers like php://filter to read source code. Understanding LFI is essential for anyone learning web application security, as it remains one of the most frequently discovered vulnerabilities in PHP-based applications.
Attackers use several techniques to exploit LFI vulnerabilities. Directory traversal sequences allow reading files outside the web root. PHP stream wrappers like php://filter/convert.base64-encode/resource= enable reading PHP source code that would otherwise be executed. Null byte injection (in older PHP versions) can truncate appended file extensions. Defensive measures include input validation, using whitelists for allowed files, disabling dangerous PHP functions, and implementing proper access controls on the filesystem.
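On the detection side, the techniques listed above (directory traversal, the `php://filter` wrapper and null-byte truncation) leave recognisable traces in web-server access logs. The following Python scanner is an added example, not part of the lab; the five log lines are constructed, the rule names are assumptions, and the parser expects the common Apache/Nginx combined format. It percent-decodes each request URI repeatedly so that double-encoded payloads such as `%252f` are normalised before the rules run.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample: one benign request followed by four LFI attempts.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=config.php%00 HTTP/1.1" 200 300
"""

# Combined-log-format fields we need: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection rules applied to the fully decoded URI (rule names are assumed).
RULES = [
    ("traversal", re.compile(r"\.\./|\.\.\\")),
    ("php_wrapper", re.compile(r"php://", re.IGNORECASE)),
    ("null_byte", re.compile("\x00")),
    ("sensitive_path", re.compile(r"/etc/(?:passwd|shadow)|/proc/self/")),
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, to defeat double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text: str) -> list:
    """Return one finding per log line that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        uri = fully_decode(m.group("uri"))
        matched = sorted(name for name, rx in RULES if rx.search(uri))
        if matched:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "uri": uri,
                "rules": matched,
            })
    return findings


def hits_by_ip(findings: list) -> dict:
    """Aggregate findings per source address, useful for alert thresholds."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["rules"], repr(f["uri"]))
    print(hits_by_ip(scan_log(SAMPLE_LOG)))
```

A 200 status on a traversal or wrapper request is the combination worth paging on, since it suggests the include actually succeeded; 404s and 403s from the same source are still useful as reconnaissance signal but at a lower severity. Decoding is bounded to a few rounds so a hostile, deeply nested encoding cannot turn the scanner itself into a CPU sink.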