Beginner Guide to File Inclusion Attack (LFI/RFI)

You can insert the content of one PHP file into another PHP file before the server executes it, with the include () function. The function can be used to create functions, headers, footers or element that will be reused on multiple pages.

This will help developers to make it easy to change the layout of a complete website with minimal effort.

If there is any change required then instead of changing thousands of files just change the included file.

Assume we have a standard footer file called “footer.php“, that looks like this

Example 1 

To include the footer file in a page, use the include statement

Example 2

Assume we have a file called “vars.php“, with some variables defined:

 Output: I have red BMW

PHP Require Function

The require statement is also used to include a file into the PHP code.

However, there is one big difference between include and require; when a file is included with the include statement and PHP cannot find it, the script will continue to execute:

Example 3

 Output: I have a Red BMW

If we do the same example using the require statement, the echo statement will not be executed because the script execution dies after the require statement returned a fatal error:

No output result

PHP Required_once Function

 Require_once() using this function we can access the data of another page once when you may need to include the called file more than once, It works the same way. The only difference between require and require_once is that If it is found that the file has already been included, calling script is going to ignore further inclusions.

Example 4


outputs: “Hello”


allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled

You can enable allow_url_include from php.ini

File Inclusion Attacks

 It is an attack that allows an attacker to include a file on the web server through a php script. This vulnerability arises when a web application lets the client submit input into files or upload files to the server.

This can lead to the following attacks:

  • Code execution on the web server
  • Cross Site Scripting Attacks (XSS)
  • Denial of service (DOS)
  • Data Manipulation Attacks

Two Types:

  • Local File Inclusion
  • Remote File Inclusion

Local File Inclusion (LFI)

 Local file inclusion vulnerability occurs when a file to which to PHP account has accessed is passed as a parameter to the PHP function “include”, or “require_once”

This vulnerability occurs, for example, when a page receives, as inputs the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.

Example – Local File Inclusion

Read complete local file inclusion attack tutorial from here

Remote File Inclusion (RFI)

Remote File Inclusion occurs when the URI of a file located on a different server is passed to as a parameter to the PHP function “include”, “include_once”, “require”, or “require_once”. PHP incorporates the content into the pages. If the content happens to be PHP source code, PHP executes the file.

PHP Remote File inclusion allows an attacker to embed his/her own PHP code inside a vulnerable  PHP script, which may lead to disastrous results such as allowing the attacker to execute remote commands on the web server, deface parts of the web or even steal confidential information.


  • Strong Input Validation
  • A whitelist of acceptable inputs
  • Reject any inputs that do not strictly conform to specifications
  • For filenames, use stringent whitelist that limits the character set to be used
  • Exclude directory separators such as “/”
  • Use a whitelist of allowable file extensions
  • Environment Hardening
  • Develop and run your code in the most recent versions of PHP available
  • Configure your PHP applications so that it does not use register_globals
  • Set allow_url_fopen to false, which limits the ability to include files from remote locations
  • Run your code using the lowest privileges
  • Use a vetted library or framework that does not allow this weakness.




Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

1 Comment Beginner Guide to File Inclusion Attack (LFI/RFI)

Leave a Reply

Your email address will not be published. Required fields are marked *