How to Exploit PHP File Inclusion in Web Apps

File inclusion can allow an attacker to view files on a remote host they shouldn't be able to see, and can even allow us to run code on a target! Today we'll be exploring PHP file inclusion using the Damn Vulnerable Web App to practice on. I will cover how both remote file inclusion and local file inclusion work, with the goal of achieving shell access to the vulnerable host. First, let's talk a little bit about what we're doing. In our first example, we will be looking at a local file inclusion, or LFI. This kind of file inclusion includes files present on the remote host. It can be used to... more