Posts

Showing posts from January, 2018

LFI short for "Local File Inclusion".

Hello all, this is my second blog post, on the topic of LFI (Local File Inclusion). (The first one was on CSRF. You can find it here.) What is it? How is it exploited? How can it be dangerous? How do you prevent it? So, let's get started.

What is LFI? LFI is a vulnerability in which an attacker includes a local file from the system. Sounds simple. Okay, let's look at an example to understand more.

Suppose you are at http://januapp/demo/files.php?getfile=delete.txt, and the content of the file is "I am for deleting". Now, to test for the existence of LFI, you need to change the file name, for example from delete.txt to delet.txt, and watch the behaviour of the web application. Does an error occur, such as a failure to load the inclusion?

Note: You will not always see this error. Sometimes developers hide their errors.

Now, how do I exploit it? To exploit it, we need to change the filename to that of a file which is on the server, like the etc/passwd file on a Linux system, or for Windows C:\ WINDOW...