$page = $_GET['page']; include('/var/www/html/pages/' . $page); Use code with caution.
Before using a file path, convert it to its canonical form (the absolute path) to resolve all symbolic links and ../ references to ensure it still resides within the intended directory.
: When decoded, the path essentially tells the web server: "Go back several folders and open the file located at /etc/passwd ." 2. Why /etc/passwd ?
in your specific example) represents the forward slash character ( How the Vulnerability Works This attack exploits Local File Inclusion (LFI) -page-....-2F-2F....-2F-2F....-2F-2Fetc-2Fpasswd
: Identification of running daemons and services (e.g., www-data , mysql , postfix ) which helps map the attack surface.
It looks like you’ve provided a pattern resembling a URL-encoded directory traversal or file inclusion attempt (e.g., -page-....-2F-2F....-2F-2F....-2F-2Fetc-2Fpasswd ). This decodes to something like -page-../../../../etc/passwd .
: Decodes to /etc/passwd . This is a critical system configuration file in Unix-like operating systems containing user account information. Mechanics of Path Traversal and LFI $page = $_GET['page']; include('/var/www/html/pages/'
Remove sequences like ../ or ..%2F from user input before processing it.
or obfuscated as you've shown) to "break out" of the intended directory and access sensitive system files like /etc/passwd
If a user requests index.php?page=english.php , the server loads /var/www/html/languages/english.php . However, if an attacker inputs the payload from our keyword, the server evaluates the path as: /var/www/html/languages/../../../../etc/passwd : When decoded, the path essentially tells the
What or framework is your application built on?
A classic, textbook example of this vulnerability is the exploitation attempt using a crafted URL, often seen in server logs as: page=../../../../etc/passwd .