# LFI/RFI

**LFI (Local File Inclusion):** an exploit that allows you to perform directory traversal attacks, i.e. read information from the machine outside of the web host directory, such as `/etc/passwd`. This can not only be used to read sensitive information but can also be used to spawn a shell via `RFI`.

```
http://pizza.com/index.php?page=../../../../../../../../../../etc/passwd
```

**Remote File Inclusion (RFI):** This exploit allows you to load a file from a remote server and have the target execute it. In PHP this is **disabled** by default (`allow_url_include`).
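
Both issues come from passing the `page` parameter straight to `include`. The loader below is an added example, not code from the original notes, showing the vulnerable pattern next to a hardened one; the `pages` directory, the `resolve_page()` helper and the `home` default are assumptions made for illustration.

```php
<?php
// Added example: hypothetical index.php page loader. PAGES_DIR, the
// resolve_page() helper and the page names are assumptions.

const PAGES_DIR = __DIR__ . '/pages';

// Vulnerable pattern (kept as a comment so it never runs):
//   include $_GET['page'];
// A "../" sequence walks out of the web directory (LFI); with
// allow_url_include=On a remote URL is fetched and executed (RFI).
// Leave allow_url_include at its default (Off) in php.ini.

function resolve_page(string $requested): ?string
{
    // 1. Allowlist: only names made of letters, digits, '_' and '-'.
    //    This rejects '/', '\', '.', ':' and NUL bytes, so neither
    //    traversal sequences nor URL/stream wrappers get through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. Canonicalise and confirm the file really lives under PAGES_DIR
    //    (defence in depth against symlinks inside the pages directory).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

With this loader the request shown earlier (`page=../../../../etc/passwd`) fails the allowlist check and returns a 404 instead of reaching `include`.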
