Post

Local File Inclusion (LFI) Lab

Problem Statement: Identify and exploit a Local File Inclusion vulnerability in a training app.

Approach:

  1. Recon: Found ?page= parameter vulnerable to include().
  2. Proof of Concept: ?page=../../../../etc/passwd
  3. Remediation: Sanitize input, whitelist files, use realpath().

Tools Used: Browser, Burp Suite, curl, PHP sandbox

Lessons Learned: Never include files from unsanitized user input; validate and run code with least privilege.

This post is licensed under CC BY 4.0 by the author.