Local File Inclusion (LFI) Lab
Problem Statement: Identify and exploit a Local File Inclusion vulnerability in a training app.
Approach:
- Recon: Found
?page=parameter vulnerable toinclude(). - Proof of Concept:
?page=../../../../etc/passwd - Remediation: Sanitize input, whitelist files, use
realpath().
Tools Used: Browser, Burp Suite, curl, PHP sandbox
Lessons Learned: Never include files from unsanitized user input; validate and run code with least privilege.
This post is licensed under CC BY 4.0 by the author.