File Inclusion allows attackers to load unintended files on the server when an application dynamically includes files based on user input without proper validation.
There are two types:
1. Local File Inclusion (LFI): accessing files that are already present on the server.
2. Remote File Inclusion (RFI): including files fetched from external sources.
Successful exploitation of File Inclusion may lead to sensitive data disclosure, credential leakage, source code exposure, remote code execution, etc.
In this blog, I will explain how to identify and exploit the File Inclusion vulnerability in DVWA (Damn Vulnerable Web Application) at the Low security level.
If you prefer a visual walkthrough, I've explained the entire challenge in this video, covering each step in detail: https://www.youtube.com/watch?v=xc3EvndU9Is
Login to DVWA and go to the File Inclusion challenge.
1. LFI: here the attacker tries to read files on the victim machine. For example, the PHP version and configuration details can be obtained with the payload ../../phpinfo.php. The contents of sensitive files such as /etc/passwd can also be read through an LFI attack.
2. RFI: here the attacker tries to execute a file hosted outside the server. For example, a different website can be loaded with page=https://google.com. Malicious files can be loaded the same way to perform more severe attacks.
To prevent File Inclusion vulnerabilities: avoid passing user input directly to file functions, use whitelisting, disable remote file inclusion, and implement proper input validation, such as rejecting directory traversal patterns (../) and using absolute paths.
Thanks for reading.
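As an added example (my own illustration, not DVWA's source code), here is the vulnerable include pattern next to a whitelist-based fix in PHP. The pages directory, the page names in the allowlist and the use of a "page" parameter are assumptions for the example.

```php
<?php
// Added example, not DVWA's own code. Assumes the includable pages live in
// ./pages/ next to this script and that the request parameter is "page".

// Vulnerable pattern: the raw parameter goes straight into include().
// A value like "../../phpinfo.php" escapes the pages directory (LFI) and,
// if php.ini has allow_url_include=On, a URL would be fetched instead (RFI).
function loadPageVulnerable(string $page): void
{
    include 'pages/' . $page;
}

// Hardened pattern: the parameter is only ever used as a key into a fixed
// allowlist (constructed sample names), never as part of a path, so traversal
// sequences and URLs are refused before any file is touched.
const ALLOWED_PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
    'help'  => 'pages/help.php',
];

function resolvePage(?string $page): ?string
{
    if ($page === null || !array_key_exists($page, ALLOWED_PAGES)) {
        return null; // unknown key: refuse rather than guess
    }
    // Defence in depth: confirm the resolved absolute path is still inside the
    // pages directory even if the allowlist is edited carelessly later.
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/' . ALLOWED_PAGES[$page]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$target = resolvePage($_GET['page'] ?? null);
if ($target === null) {
    http_response_code(400);
    exit('Unknown page');
}
include $target;
```

Alongside the code change, set allow_url_include=Off in php.ini so that even a bypassed check cannot pull in remote files.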