> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/ssrf/file-access/trick-0139.md).

# LFI via SSRF (file://)

***

Abuse an SSRF vulnerability that allows specifying URLs to fetch. If the underlying library or function supports the `file://` URI scheme, you can provide local file paths to read server files. This effectively achieves Local File Inclusion (LFI) through the SSRF vector.

The file path must be correctly formatted, typically starting with `file:///` followed by the absolute path to the target file. This technique can often be chained with other vulnerabilities, such as SQL injection, to inject the `file://` payload into a vulnerable parameter.

```bash
curl "http://10.10.161.179:8000/download?id='+UNION+ALL+SELECT+'file:///etc/passwd'--+-"
```

This vulnerability allows an attacker to provide a `file://` URL to read local files on the server. This can manifest in various endpoints and parameters. For example, an endpoint like `/file` might accept a `url` parameter:

```bash
curl "http://<target_ip>:<port>/file?url=file:///etc/passwd"
```

Similarly, an endpoint like `/models/apply` might be vulnerable by accepting a `model_url` parameter:

```
GET /models/apply?model_url=file:///etc/passwd
```
