Abhijeet Kumar, a hacker who describes himself as “your friendly neighbourhood bug bounty hunter,” has shared advanced methodologies for exploiting local file inclusion (LFI) vulnerabilities on the Medium publishing platform.
Kumar says that LFIs occur when an application does not properly validate includes, which enables an attacker to manipulate inputs and gain access to internal files, execute code or pivot to other attacks, and lead to sensitive data leaks, system takeovers and compliance issues.
The full article, available on Medium, provides a four-step methodology for finding and exploiting LFIs, together with contextual technical insights and real-world examples.
Kumar also shares some “advanced tricks” for taking LFI exploitation to the next level, including using LFIs to discover RFI vulnerabilities and exploiting SSRFs in Azure Cosmos DB to execute remote code.