Below is a link to my favorite LFI list. This list is a great resource when you finally get "in" and dont just want to settle for etc/passwd.

Check it out:

http://pastie.org/840199

Sweet!  Thanks, Jason!

A nice list there! A few lines of python and that is a handy win/Linux LFI scanner.

@chrisj - LFI is Local File Inclusion - a web app vulnerability that is caused by the developer using local filed within their application. Incorrcectly coded let's an attacker read any file. Although on Linux, this is restricted to the permissions of the server. The format is something like www.ethicalhacker.net/index.php?page=comments.php. A vulnerable fopen function call in php, would allow an attacker to enter   www.ethicalhacker.net/index.php?page=../../etc/passwd to read the file on a Linux server.

There is also RFI which is remote file inclusion and allows remote content (i.e. Another site) to be included. An attacker could include a php shell for example..

n1p

thanks Anquilas,

Correct, any server side code that will read files on the webserver and display them is an LFI.

The list contains the juicy stuff you want to get when you compromise a server this way.

It also serves as just a nice list to get when you pop a box in general =)

You can write a script to take advantage of this list, certainly.   However, several tools, like Paros, Burp, WebScarab, and others have the ability to fuzz requests to a server.   You would use this list to fuzz LFI.

Nice, thanks Jason.