Local and Remote File Inclusion

How to prevent LFI and RFI attacks

“PHP is used by 82.5% of the websites…”

Taught by: Peter Zsiros

Length: 1.5 hours

78 students

Local and Remote File Inclusion (LFI/RFI) attacks are popular amongst attackers. They arise when a web application passes user-controlled input to a file inclusion function (in PHP: include, require and their _once variants), letting the attacker pick which local file, or with RFI which remote URL, the server parses and executes as code. The great majority of affected applications are written in PHP, so a large share of websites could be exposed.

In this minicourse we examine how the technique works and how to avoid running someone else's code on your server. We cover the mitigation techniques against this type of attack and the different ways an attacker can get a backdoor onto the server for the inclusion to execute: upload forms, database writes, log poisoning, session files and the HTTP PUT method.



  • Recommended for

    It can be very useful for web developers, so that they can build more secure websites, and for ethical hackers, so that they can run thorough penetration tests. It can also be useful for system administrators and testers.

  • Prerequisites

    Basic programming knowledge, basic knowledge of the HTTP protocol.

  • Technical requirements

    Minimum 4GB memory

  • Acquired skills

    You will be able to identify and exploit these kinds of vulnerabilities, and to avoid them by using the application-level and PHP configuration options that reduce the attack surface.

Curriculum and videos

Start the course for free! No credit card needed.


Section 1 - Introduction to LFI/RFI

Video 1 - Setting up our test environment
Video 2 - Introduction to LFI and RFI vulnerabilities

First we install the test environment. (You can download the virtual machine and the ISO image from http://www.duckademy.com/downloads.) Then we look for a remote and a local file inclusion. The examples show why these vulnerabilities arise: user input is used, unchecked, to pick the file the server includes.

Section 2 - Backdoor upload techniques

We examine the different ways to place a backdoor on the server so that our code can be called through the LFI. We upload backdoors to pages whose upload forms apply various image-validation checks, upload a file directly when the HTTP PUT method is enabled, and insert a backdoor into a database if we can write to one. We also place a backdoor when there is no dedicated write path at all, for example by log file poisoning: the attacker puts PHP code into a request field the web server records (such as the User-Agent header) and then includes the log file through the vulnerable parameter.
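The following is an added demo, not code from the course or from Duckademy. It ties together the vulnerable pattern described in the introduction, the log poisoning technique from Section 2, and the allowlist mitigation. It runs from the PHP command line with no web server: the temporary web root, the page file, the access-log lines and the hostname evil are all constructed here for the demo.

```php
<?php
// Added demo (not the course's own code). Runs from the PHP CLI; no web
// server needed. The web root, the page file and the access-log lines below
// are all constructed for the demo.
declare(strict_types=1);

// Vulnerable pattern, the same flaw as  include('pages/' . $_GET['page']);
// The user picks the file name, so "../" walks out of the pages directory.
function vulnerable_include(string $webroot, string $page): string
{
    ob_start();
    include $webroot . '/pages/' . $page;   // attacker-chosen file is parsed as PHP
    return (string) ob_get_clean();
}

// Hardened pattern: the request parameter is only ever a key into a fixed
// map of files the application itself chose. Anything else is rejected, so
// traversal, URLs and stream wrappers (php://, data:) never reach include().
function safe_include(string $page, array $allowed): string
{
    if (!array_key_exists($page, $allowed)) {
        return 'error: unknown page';
    }
    ob_start();
    include $allowed[$page];
    return (string) ob_get_clean();
}

// Throwaway web root with one legitimate page.
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($root . '/pages', 0700, true);
file_put_contents($root . '/pages/home.php', "<?php echo 'home page';");

// Log poisoning, step 1: the attacker sends a request whose User-Agent is PHP
// code. The web server writes the header verbatim into its access log.
// (Constructed log lines; a real server would write them for us.)
$poisonedUa = '<?php echo "executed from the log"; ?>';
$logLines = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "' . $poisonedUa . '"',
];
file_put_contents($root . '/access.log', implode("\n", $logLines) . "\n");

// Normal use of the vulnerable code.
echo "[vuln] page=home.php       -> ", vulnerable_include($root, 'home.php'), "\n";

// Log poisoning, step 2: include the log through the traversal. PHP copies
// the plain log text to the output and executes the embedded <?php ... ?> block.
$out = vulnerable_include($root, '../access.log');
echo "[vuln] page=../access.log  -> ",
     strpos($out, 'executed from the log') !== false ? 'attacker code ran' : 'no code ran', "\n";

// Remote inclusion additionally needs allow_url_include=On (Off by default).
// The hardened code below does not rely on that setting.
echo "allow_url_include = ", ini_get('allow_url_include') ? 'On' : 'Off', "\n";

// Hardened version against the same inputs (http://evil/x is a made-up URL).
$allowed = ['home' => $root . '/pages/home.php'];
echo "[safe] page=home           -> ", safe_include('home', $allowed), "\n";
echo "[safe] page=../access.log  -> ", safe_include('../access.log', $allowed), "\n";
echo "[safe] page=http://evil/x  -> ", safe_include('http://evil/x', $allowed), "\n";

// Clean up the temporary files.
unlink($root . '/pages/home.php');
unlink($root . '/access.log');
rmdir($root . '/pages');
rmdir($root);
```

Run it with `php lfi-demo.php`. The point of the allowlist is that the request parameter never becomes a path: string filters such as stripping `../` or appending `.php` can be bypassed with wrappers, encoding tricks or, on old PHP versions, a null byte, whereas a key lookup has nothing to bypass. On the configuration side, keep `allow_url_include` Off (its default) so include() cannot fetch URLs at all, and set `open_basedir` so that even a successful traversal cannot reach log files or /etc outside the web root; neither setting replaces the allowlist, they limit the damage when some other include is missed.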