Bypass Local File Inclusion (LFI) prevention filters



  • I have these two LFI filters and I want to bypass them:

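            // First pass: strip every '../' from the request parameter.
            $bad = str_replace('../', '', $_GET['bad']);
            // Second filter: keep stripping until no '../' is left, so a
            // sequence that re-forms after one removal is removed as well.
            while (substr_count($bad, '../', 0)) {
                $bad = str_replace('../', '', $bad);
            }
            // The filtered value is included relative to the current directory.
            include("./" . $bad);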
    

    I tried various ways and I was not able to bypass them. Also, the PHP wrappers are mostly used in PHP 5.* versions and before, and I have PHP version 7.6.



  • I don't think you can do it, unless there are insecure and exploitable symlinks that allow bypassing the '../' removal filter and are reachable down from the current directory.

    In other words, I believe that LFI filtering is adequate.
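
The symlink caveat in the answer above can be closed by validating the resolved path rather than filtering the string. The following is an added example, not code from the thread: `resolve_include`, the temporary directory layout and the file names are hypothetical, and the demo assumes a POSIX system where `symlink()` is permitted.

```php
<?php
// Added example (hypothetical helper, not from the original thread).
// Resolve the requested name with realpath() and accept it only when the
// resolved file still lies inside the base directory. This rejects '../'
// sequences and symlinks that point outside the include tree.
function resolve_include(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // base directory does not exist
    }
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                       // empty name or embedded NUL byte
    }
    // realpath() collapses '.', '..' and follows symlinks; false if missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Compare against "base/" so that "/srv/pages_old" never matches "/srv/pages".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the base directory
    }
    return $real;
}

// Constructed demo tree: one legitimate page and one symlink leaving the tree.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php", "<?php echo 'home';");
file_put_contents("$root/secret.txt", "outside the include directory");
symlink("$root/secret.txt", "$root/pages/link.php");

foreach (['home.php', 'link.php', '../secret.txt', 'missing.php'] as $name) {
    $path = resolve_include("$root/pages", $name);
    printf("%-16s %s\n", $name, $path === null ? 'rejected' : "allowed -> $path");
}
```

Only `home.php` is allowed; the symlink, the parent-directory reference and the missing file are rejected, and the caller passes the returned path to `include` instead of the raw request value.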


