.aws/credentials via path traversal and LFI in high-severity reports.
<?php
// Evil example – do not use: the page parameter reaches include() unvalidated
$page = $_GET['page'];
include($page . ".php");
?>
An attacker can supply:
?page=php://filter/convert.base64-encode/resource=/root/.aws/credentials
The .php suffix appended by the concatenation breaks some wrapper payloads, but crafted payloads or null byte injection (%00, which truncates the path in PHP versions before 5.3.4) can bypass it. If the application instead reads the path with functions such as file_get_contents() or readfile() without appending a suffix, the wrapper works directly.
Capital One (2019) : An SSRF (similar family
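The usual fix is to stop passing user input to include() at all and map a short key to a fixed set of files instead. The following is an added example (not code from the original page) of a hardened replacement for the include($page . ".php") pattern; the pages directory, the page names and the looksLikeInclusionProbe() logging helper are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original page): hardened page loader that
// replaces the vulnerable include($page . ".php") pattern.
// Assumes a fixed set of templates under /var/www/app/pages (hypothetical path).

declare(strict_types=1);

const PAGES_DIR = '/var/www/app/pages';

// Allowlist: user-supplied key -> file on disk. Only values from this map are
// ever passed to include(), so wrapper schemes (php://, data://, ...) and
// traversal sequences (../) never reach the filesystem layer at all.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a page key to an absolute path, or return null if it is not allowed.
 */
function resolvePage(string $key): ?string
{
    if (!array_key_exists($key, PAGE_MAP)) {
        return null;
    }
    $path = realpath(PAGES_DIR . '/' . PAGE_MAP[$key]);
    // Defence in depth: even a mapped file must resolve inside PAGES_DIR.
    if ($path === false || strpos($path, PAGES_DIR . '/') !== 0) {
        return null;
    }
    return $path;
}

/**
 * Detection aid (hypothetical helper): flag inputs that look like wrapper or
 * traversal probes so they can be logged, independent of the allowlist check.
 * Matches a URL scheme prefix, "../", a backslash, a literal "%00" (double
 * encoding) or a raw NUL byte.
 */
function looksLikeInclusionProbe(string $input): bool
{
    return (bool) preg_match('#^[a-z0-9.+-]+://|\.\./|\\\\|%00|\x00#i', $input);
}

$page = $_GET['page'] ?? 'home';

if (looksLikeInclusionProbe($page)) {
    error_log(sprintf('Suspicious page parameter from %s: %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown', $page));
}

$target = resolvePage($page);
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
include $target;
```

With this structure a request such as ?page=php://filter/convert.base64-encode/resource=/root/.aws/credentials is rejected at the allowlist lookup (there is no such key) and additionally logged by the probe check, so the same request that would have leaked credentials now produces a 404 and a log line for the SOC.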
This specific payload targets a Local File Inclusion (LFI) vulnerability. LFI occurs when an application allows user input to control the path of a file that the server attempts to read or include.
Vulnerable Code Example
which helps attackers find other vulnerabilities.
In a vulnerable PHP application, the code might look something like this:
<?php
// Vulnerable code example: the file parameter is passed to include() unvalidated
$file = $_GET['file'];
include($file);
?>
If an attacker passes the php://filter wrapper as the input, the PHP engine processes the wrapper instead of treating it strictly as a file path. This allows the attacker to read the source code of sensitive files on the server, potentially leading to: