How we found LFI in a private program the easy way

Hello researchers and bug hunters! I am going to explain an interesting attack vector which I would like to share with you. Without wasting time, let’s jump into it.

Pintu Solanki
Apr 4, 2021


Let us now learn a little about the LFI vulnerability.

What is a Local File Inclusion (LFI) vulnerability?

Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitizing the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.

How common is LFI?

Luckily, LFI is not a very common vulnerability. According to the latest Acunetix Web Application Vulnerability Report, it is present on average in 1% of web applications.

How dangerous is LFI?

LFI can be dangerous, especially if combined with other vulnerabilities — for example, if the attacker is able to upload malicious files to the server. Even if the attacker cannot upload files, they can use the LFI vulnerability together with a directory traversal vulnerability to access sensitive information.

How to avoid LFI?

To avoid LFI and many other vulnerabilities, never trust user input. If you need to include local files in your website or web application code, use a whitelist of allowed file names and locations. Make sure that none of these files can be replaced by the attacker using file upload functions.
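
The allow-list approach described above, as an added example that is not part of the original post: the `page` parameter is used only as a key into a fixed table and never as a path, and the resolved file must stay inside the template directory. The page names, `resolve_page` and the directory layout are assumptions made for illustration.

```python
import os
import tempfile

# Hypothetical allow-list: public "page" value -> file name in the template directory.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html", "contact": "contact.html"}


def resolve_page(page_param, base_dir):
    """Return the absolute path to include for ?page=<page_param>, or None if rejected."""
    filename = ALLOWED_PAGES.get(page_param)
    if filename is None:
        return None  # unknown key: traversal strings and absolute paths end here
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: the resolved file must still live inside base_dir, so an
    # allow-listed name swapped for a symlink to another location is refused.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a constructed template directory and report which inputs are accepted."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "templates")
    os.mkdir(base)
    with open(os.path.join(base, "home.html"), "w") as f:
        f.write("<h1>home</h1>")
    outside = os.path.join(root, "secret.txt")
    with open(outside, "w") as f:
        f.write("outside the template directory")
    # Constructed case: an allow-listed file replaced by a link pointing outside base.
    os.symlink(outside, os.path.join(base, "about.html"))
    inputs = ["home", "about", "contact", "../secret.txt", "/etc/passwd", "home.html"]
    return {value: resolve_page(value, base) is not None for value in inputs}


if __name__ == "__main__":
    for value, accepted in demo().items():
        print(f"page={value!r}: {'included' if accepted else 'rejected'}")
```

Only `home` is included: `contact` is allow-listed but missing on disk, `about` resolves outside the template directory, and the remaining values are not keys in the table.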

How to detect LFI?

The most efficient way to detect LFI is by using an automated vulnerability scanner. You can, of course, detect such vulnerabilities through manual penetration testing, but it takes a lot more time and resources.

You can see this in the image below:

[Image: Brute force attack]

We got a 200 (OK) response, which is good. We hope our payload was executed as planned, so let’s check whether it executed successfully by going to: https://abc.com

We can also find hidden directories with the help of the Burp Suite tool.

etc/security
/Bin/
/var/

Whenever you see one of the (cat=, page=, dir=, view=) parameters after loading the website, inject the following payload; if you are able to see an internal file of the website, it is a Local File Inclusion (LFI) vulnerability and you can get a good bounty.

[Image: LFI]

That’s all, guys. Happy hacking!

Thanks for watching…..
