LFI Detailed Enumeration

There is a great LFI guide here: LFI Guide

LFI Pentesting Methodology

  • 1. Recon & Initial Assessment
    • Identify user-controllable parameters (file=, page=, view=, etc.)
    • Check for file upload functionality
    • Look for common endpoints:
      • index.php, include.php, view.php
      • Parameters ending with .php or .inc

  • 2. Basic LFI Testing
    • Test classic directory traversal:
      • ../../../../etc/passwd
      • Observe errors, blank pages, or differences in the response
    • Test known local files:
      • /var/www/html/index.php
      • /var/www/html/config.php
    • Check for automatic suffixes (e.g. .php appended to the parameter)

  • 3. Advanced File Reading
    • Use php://filter to read files without executing them:
      • php://filter/convert.base64-encode/resource=index.php
      • Base64-decode the output to inspect the source code
    • Check whether php://input, php://temp, and php://memory are allowed
    • Try reading uploaded test files (controlled content)

  • 4. File Upload Integration
    • Upload controlled files (text, PHP, images)
    • Confirm the ability to read uploaded files via the LFI
    • Test for null-byte or other bypass issues (file=test.txt%00 on legacy PHP)

  • 5. Exploitation Vectors
    • PHAR deserialization:
      • Create PHAR files with malicious metadata
      • Trigger via phar://uploads/malicious.phar
      • Requires the LFI to include the file, plus vulnerable PHP classes loaded
    • Command injection via LFI (rare):
      • Only if included files call system commands with user input
    • File disclosure:
      • Read sensitive files:
        • /etc/passwd
        • /var/www/html/config.php
        • .env, .htpasswd

  • 6. Confirmation & Post-Exploitation
    • Confirm the LFI by:
      • Base64-decoding known files
      • Comparing the content to the expected source
    • Map accessible files and directories
    • Plan next steps:
      • PHAR for RCE
      • Sensitive data extraction
      • Pivot to other attacks
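Every step in this checklist leaves a trace in the web server's access log, so the same indicators (traversal sequences, php:// and phar:// wrappers, null bytes) are what a defender looks for. The following is an added detection example, not code from the linked guide; the log lines are constructed, and the parameters are percent-decoded before matching so encoded probes are not missed.

```python
# Flag LFI probe patterns in web-server access log lines (added example; constructed data).
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# One indicator per technique listed in the methodology above.
INDICATORS = {
    "traversal": re.compile(r"(?:\.\./|\.\.\\)"),
    "php_wrapper": re.compile(r"php://(?:filter|input|temp|memory)", re.I),
    "phar_wrapper": re.compile(r"phar://", re.I),
    "null_byte": re.compile("\x00"),
}

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1842
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 3100
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?file=test.txt%00 HTTP/1.1" 200 64
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /view.php?page=phar://uploads/test.phar HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1842
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan_line(line):
    """Return (ip, status, [(param, indicator), ...]) for one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    hits = []
    # parse_qsl percent-decodes once (so %00 becomes a real NUL); unquote again for double encoding.
    for param, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                hits.append((param, name))
    return m.group("ip"), int(m.group("status")), hits

def scan_log(text):
    """Return only the lines carrying at least one LFI indicator, as scan_line tuples."""
    findings = []
    for line in text.splitlines():
        result = scan_line(line)
        if result and result[2]:
            findings.append(result)
    return findings
```

A 200 response to a php://filter or traversal request is the case worth alerting on first, since it suggests the include succeeded rather than erroring out.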