LFI Parameters List16 Feb 2021
LFI (Local File Inclusion)
Local file inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others. 
Example of test:
Consider the URL
The parameter file= could be exploited to point it to another file within the server
The expected result is shown below:
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin alex:x:500:500:alex:/home/alex:/bin/bash margo:x:501:501::/home/margo:/bin/bash ...
There is a list of most common parameters to test for LFI
?cat= ?dir= ?action= ?board= ?date= ?detail= ?file= ?download= ?path= ?folder= ?prefix= ?include= ?page= ?inc= ?locate= ?show= ?doc= ?site= ?type= ?view= ?content= ?document= ?layout= ?mod= ?conf=
You can use Google Hacking and dorks to find vulnerable targets like:
File contain password and directory traversal vulnerability 
Using the same strategy to exploit wordpress and retrieve the wp-config, you could use all those parameters above and create your own Google Hacking Dork to analyze your target.
 OWASP - LFI
Thanks for following!