DVWA: File Inclusion Vulnerability (Low Security)

File Inclusion allows attackers to load unintended files on the server when an application dynamically includes files based on user input without proper validation.

There are two types: Local File Inclusion (LFI): Accessing files available on the server. Remote File Inclusion (RFI): Including files from external sources.

Successful exploitation of File Inclusion may lead to Sensitive data disclosure, Credential leakage, Source code exposure, Remote Code Execution etc.

In this blog, I will explain how to identify and exploit the File Inclusion vulnerability in DVWA (Damn Vulnerable Web Application) in Low security level.

If you prefer a visual walkthrough, I've explained the entire challenge in this video, covering each step in detail — https://www.youtube.com/watch?v=xc3EvndU9Is

Login to DVWA and go to challenge

1. LFI — In this, attacker will try to read files on victim machine For example, It is possible to get php version and details using payload — ../../phpinfo.php We can also get the content of sensitive files using LFI attack such as etc/passwd

2. RFI — In this, attacker will try to execute file hosted in outside It is possible to load different website using RFI attack — page=https://google.com We can also load malicious files to perform severe attacks.

To prevent File Inclusion vulnerabilities: Avoid passing direct user input to file functions, use whitelisting, disable remote file inclusion, implement proper input validation such as restricting directory traversal patterns (../), using absolute paths etc.

Thanks for reading..