Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included. The vulnerability is also due to the use of user-supplied input without proper validation.
-
/vulnerable.php?COLOR=/etc/passwd%00
- allows an attacker to read the contents of the passwd file on a UNIX system directory traversal.
Local File Inclusion Via PHP Filter
By using "php://filter/convert.base64-encode/resource=" attacKer can convert the source file on the server to base64, and output the result via LFI Vulnerability .
This video shows how Local File Inclusion Via PHP Filter works .
Video Copyright : Brazil .