A LFI vulnerability is present if an attacker can manipulate the server into serving arbitrary local files, oftentimes those outsite of the web root. This often requires the presence of a directory traversal vulnerability to be useful. Often, where a LFI vulnerability is present, PHP wrappers can also be used to achieve RCE. Also try stealing sensitive files / credentials like SSH private keys, /etc/shadow
, configurations, etc.