Local File Inclusion

An LFI is a vulnerability that allows an attacker to access local files on a server. It occurs when the attacker can somehow manipulate which file the server loads. If the attacker can make the server load remote, potentially malicious, files instead, it is a Remote File Inclusion (RFI).

Example

Imagine a website that loads the file whose name is given in a URL parameter, like this:

http://example.com/index.php?page=new.htm

If the input is not sanitized, an attacker could modify this URL and read files from the server. Here is an example of how it would look on a Linux server.

http://example.com/index.php?page=../../../etc/passwd

Each ../ moves the attacker one level up the directory hierarchy, ‘away’ from the directory where the ‘real’ file is located (see Directory Traversal and Linux Hierarchy). They then access the passwd file, which contains information about the user accounts on the system. Of course, the same can be done against a server running on a Windows machine.
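As an added example that is not part of the original article, the following Python models the page lookup behind index.php in a hardened form (an allowlist plus a containment check that stops ../../../etc/passwd) and adds a small detector that flags traversal attempts, including percent-encoded ones, in web-server access logs. PAGES_DIR, the allowlist and the log lines are constructed assumptions.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical web root of the article's index.php (assumption, not from the page).
PAGES_DIR = "/var/www/html/pages"
# Allowlist of page names the application is meant to serve (constructed).
ALLOWED_PAGES = frozenset({"new.htm", "about.htm"})

def decode_page(page: str) -> Optional[str]:
    """Decode the raw ?page= value once; reject NUL bytes, which can truncate paths."""
    decoded = unquote(page)
    return None if "\x00" in decoded else decoded

def escapes_root(page: str, root: str = PAGES_DIR) -> bool:
    """True if root/page, after normalising ../ segments, no longer lies under root.
    posixpath needs no filesystem; a real deployment should also apply
    os.path.realpath so that symlinks cannot point outside root."""
    candidate = posixpath.normpath(posixpath.join(root, page))
    return posixpath.commonpath([root, candidate]) != posixpath.normpath(root)

def resolve_page(page: str, root: str = PAGES_DIR,
                 allowed: frozenset = ALLOWED_PAGES) -> Optional[str]:
    """Hardened replacement for include($_GET['page']): allowlist plus containment."""
    decoded = decode_page(page)
    if decoded is None or decoded not in allowed or escapes_root(decoded, root):
        return None
    return posixpath.join(root, decoded)

# Matches a ../ or ..\ segment (Linux and Windows style traversal).
TRAVERSAL = re.compile(r"\.\.[/\\]")

def traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return request targets whose page= value contains a traversal segment after decoding."""
    hits = []
    for line in log_lines:
        target = line.split('"')[1].split()[1]   # 'GET /index.php?page=... HTTP/1.1'
        page = parse_qs(urlparse(target).query).get("page", [""])[0]
        if TRAVERSAL.search(unquote(page)):
            hits.append(target)
    return hits

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=new.htm HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1432',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1432',
]
```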

Finding interesting paths

For general, simple testing and for finding directories that lead you to local files, I would suggest trying Fimap.py; it is an easy-to-use tool and delivers acceptable results.

If you want to test as many directories as possible, I would suggest using Wfuzz together with one of the lists linked below. The --hw 0 option hides responses with a word count of 0, and the -c option simply colours the output.

wfuzz -c -w ./LFI.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ

The following links have LFI lists to try on both Windows and Linux:

Windows — Here
Linux — Here
Hacktricks — Here

Additionally, you can run Wfuzz with a ‘normal’ wordlist and append an extension to every word, like this:

wfuzz -c -w ./wordlist.txt --hw 0 http://10.10.10.10/nav.php?page=FUZZ.php