/etc/passwd by moving back 5 directory levels:
0x00 in hex) added to the LFI/RFI parameter will stop processing immediately, so that any bytes following it are ignored.
.php added to the file request variable
/etc/passwd in this case will not work because the request becomes
passwd.php resulting in a 404 error. However, if we add a null byte to the passwd file name it will terminate at the end of
passwd and discard the remaining bytes:
/proc/self/environ using LFI, you might be able to get a shell by downloading a remote file with reverse shellcode and running it on the system (e.g. a PHP reverse shell). You'll need to intercept the
/proc/self/environ request and replace the HTTP request header
User-Agent with the following:
/var/www/html for interesting files, including
robots.txt in the root web folder.
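
From the defender's side, the request patterns described above (directory traversal, a trailing null byte, and requests for /etc/passwd or /proc/self/environ) can be flagged in web server access logs. The following is an added example, not code from the original page; the log lines, the `page` parameter name and the finding tags are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed access-log lines; the host, script name and "page" parameter are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=../../../../../etc/passwd HTTP/1.1" 404 196',
    '203.0.113.9 - - [10/Oct/2023:13:56:07 +0000] "GET /index.php?page=../../../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 196',
    '203.0.113.9 - - [10/Oct/2023:13:57:02 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 902',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
SENSITIVE = {"/etc/passwd", "/proc/self/environ"}  # the two files named on this page

def decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches %252e-style double encoding)."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(target):
    """Return sorted finding tags for one request target (path plus query string)."""
    findings = set()
    for pair in target.partition("?")[2].split("&"):
        value = decode(pair.partition("=")[2]).replace("\\", "/")
        if "\x00" in value:
            findings.add("null_byte")
        # Inspect what a NUL-terminated C string would contain: everything before the first null byte.
        path = value.split("\x00")[0]
        if TRAVERSAL_RE.search(path):
            findings.add("traversal")
        if path and posixpath.normpath("/" + path.lstrip("/")) in SENSITIVE:
            findings.add("sensitive_target")
    return sorted(findings)

def scan(lines):
    """Return (line_number, findings) for every log line with at least one finding."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and classify(match.group(1)):
            hits.append((number, classify(match.group(1))))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A 200 response on a flagged line, such as the null-byte request in the sample, deserves closer review than a 404 for the same path.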