Local File Inclusion is a vulnerability where an application includes or reads a server-side file based on unsanitized user input, letting an attacker access files outside the intended directory. A classic target is ../../../../etc/passwd via path traversal. The LFI generator produces traversal sequences, PHP wrappers, and encoding variants for testing.
PHP stream wrappers turn a read primitive into source disclosure or code execution. Use php://filter/convert.base64-encode/resource=index.php to exfiltrate source without execution, data:// or php://input to deliver a payload, and expect:// to run commands. The generator outputs these wrapper strings so you can probe what the include() actually allows.
If ../ is filtered once, try nested ....// which collapses back to ../ after a naive replace, or URL-encode to %2e%2e%2f and double-encode to %252e. When the app appends an extension like .php, a null byte %00 can truncate it on legacy PHP, and a path-length or wrapper trick can defeat suffix concatenation.
Yes. The LFI generator is free and runs entirely in your browser, so the traversal payloads and target paths you create never leave your device. Use it only for authorized testing such as pentests, bug-bounty programs, and CTFs against applications you have permission to test.