First lets take a look at a php code that is vulnerable to LFI:

This is a piece of code that should NEVER be used, because the $page isn’t sanitized and is passed directly to the webpage, but unfortunately (or not ) is very common to be find in the www world.

Ok, now that we know why is it vulnerable let’s start to use this in our advantage. First let’s take a look how this give us the ability to “browse” thru the web server. Let’s imagine theres a file called test.php inside the test directory, if you type victim.com/test/test.php will retrive that file correct? Ok, but if the php code that we examined was in the index.php we could also retrive that file thru victim.com/index.php?page=test/test.php , see what happened there? Now, if the index.php was in victim.com/test/index.php and the test.php in victim.com/test.php you will have to type victim.com/test/index.php?page=../test.php . The ../ is called directory
transversal using that will allow you to go up in the directories.

Now that we can go up and down thru the server let’s use it to access files that we are not supposed to. If this was hosted in a Unix server we can then possibly view the password file of the server, to do this you will have to type something like this (the nr of ../ may vary depending of where the vulnerable file is)

http://www.packetstormsecurity.org/papers/general/lfi-paper.pdf