# Local File Inclusion

## Overview

Local File Inclusion (LFI) vulnerabilities allow an attacker to view local files on the web server. Files containing sensitive information, such as database credentials in an ASP.NET web.config, could be compromised and used to access additional sensitive data or gain further access into the application and network.

Source code files for the application may also be retrieved to gain a better understanding of the code and potentially find further vulnerabilities in it.

## Example

A very simple example would be a URL parameter that is used in a function to retrieve files. Consider the following Node.js example, which uses the built-in `http` and `fs` modules.

The code creates a simple HTTP server. On each request it reads the URL query parameter *id* and saves it to the `id` variable on line 5. Line 6 calls the `fs` module's `readFile` function with `id` as the path argument. The callback writes the file contents to the response and returns the response to the user.

```
var http = require('http');
var fs = require('fs');
http.createServer(function (req, res) {
  // Open a file on the server and return its content (intentionally unsafe):
  var id = new URL(req.url, 'http://localhost').searchParams.get('id') || '';
  fs.readFile(id, function (err, data) {
    if (err) {
      // Without this branch res.write(undefined) would throw and crash the server
      res.writeHead(404, {'Content-Type': 'text/plain'});
      return res.end('not found');
    }
    res.writeHead(200, {'Content-Type': 'text/html'});
    res.write(data);
    return res.end();
  });
}).listen(8080);
```

So entering the URL `http://localhost:8080/?id=/etc/passwd` would return the `/etc/passwd` file (assuming the application process has the necessary rights to read that file), thus illustrating LFI. The source code does not do any input sanitization or allow-list checking on the user input and passes it directly into `fs.readFile`.

For further reading, start with these links and then see the further resources:

{% embed url="https://portswigger.net/web-security/file-path-traversal" %}

{% embed url="https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion" %}

{% embed url="https://book.hacktricks.xyz/pentesting-web/file-inclusion" %}

{% embed url="https://appsecwiki.com/#/serversidesecurity?id=local-file-inclusion" %}
