Which of the following describes the potential impacts of Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities?

Prepare for the Penetration Testing and Vulnerability Analysis Test with a range of challenging questions. Study with multiple choice format, hints, and detailed explanations to ace your next exam!

Multiple Choice

Which of the following describes the potential impacts of Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities?

Explanation:
LFI and RFI vulnerabilities open doors to attackers by allowing inclusion of files in a way the application does not properly restrict. This can lead to three major impacts: data exfiltration, arbitrary code execution, and the creation of web shells.

Data exfiltration happens when an attacker uses the inclusion flaw to read sensitive files on the server—for example, configuration files, credential stores, or log files that may contain secrets. The attacker can pull these files back through the vulnerable parameter, gaining access to information they shouldn’t have.

Arbitrary code execution is possible because the server may process the included content as part of the application. In local file inclusion, carefully crafted local files or uploaded payloads can execute if the server interprets them as code. Remote file inclusion is even more direct: the server fetches and runs a script from an attacker-controlled URL, resulting in full code execution on the host.

Web shells are a common post-exploitation outcome: the attacker injects or causes the server to include a remote or local script that provides interactive command execution, file management, and persistence. Once a web shell is in place, the attacker can control the server, move laterally, and maintain access.

Because these vulnerabilities can produce all three outcomes—data exfiltration, code execution, and web shells—the option that describes multiple, impactful results is the best choice. The other possibilities, suggesting only one effect or no impact, are incomplete and do not reflect the real risk.
