/etc/passwd by moving back 5 directory levels:

wget may work:

%00 or 0x00 in hex) added to the LFI/RFI parameter will stop processing immediately, so that any bytes following it are ignored.

.php added to the file request variable $file:

/etc/passwd in this case will not work because the request becomes passwd.php, resulting in a 404 error. However, if we add a null byte to the passwd file name, it will terminate at the end of passwd and discard the remaining bytes:

/proc/self/environ using LFI, you might be able to get a shell by downloading a remote file with reverse shellcode and running it on the system (e.g. php reverse shell). You'll need to intercept the /proc/self/environ request and replace the HTTP request header User-Agent with the following:

/var/www/html for interesting files, including robots.txt in the root web folder.
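
For detection, the three request patterns described above (directory traversal, a trailing null byte, and reads of /proc/self/environ) can be flagged in web server access logs. The following is an added example, not code from the original page; the log lines are constructed, and the function names, the `file` parameter and the `/index.php` path are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined log format); hosts and paths are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?file=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?file=../../../../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?file=../../../../../etc/passwd%00 HTTP/1.1" 200 1830 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:14 +0000] "GET /index.php?file=%252e%252e%252fproc/self/environ HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def indicators(value):
    """Return the set of LFI indicators present in one parameter value."""
    v = fully_decode(value).replace("\\", "/")
    found = set()
    if re.search(r"(^|/)\.\.(/|$)", v):   # a path segment that is exactly ".."
        found.add("traversal")
    if "\x00" in v:                        # %00 after decoding
        found.add("null-byte")
    if "proc/self/environ" in v:
        found.add("proc-environ")
    return found

def scan(lines):
    """Return (line_number, parameter, indicators) for every suspicious parameter."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            found = indicators(value)
            if found:
                hits.append((n, key, found))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A hit with a 200 status and a non-trivial response size, as in the third constructed line, deserves priority over one that returned 404.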