-include-..-2f..-2f..-2f..-2froot-2f

Use:

The -2F sequences are URL-encoded representations of the forward slash (/). The .. represents the parent directory. Put together, ..-2F..-2F..-2F..-2Froot-2F decodes to ../../../../root/ : each ../ step climbs one directory above the location where the include is evaluated, until the path reaches the file-system root.

root-2F: This represents /root/, the home directory for the system administrator (root user) on Linux-based systems.

Why This Vulnerability Exists

The traversal only works because the application lets a user-supplied string reach a file-loading function unchanged, so the file system resolves the ../ sequences and steps outside the intended directory.

Mitigation: Do not allow user-supplied strings to be passed directly to include(), require(), file_get_contents(), or fopen(). Ensure the web server user doesn't have permission to access the folder in the first place.
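One way to enforce the first mitigation on the server side, written here as an added Python example rather than code from the original page: the user-supplied value is fully percent-decoded (so a double-encoded slash cannot bypass a single decoding pass) and then resolved lexically against the allowed base directory, with anything that escapes it rejected. The sample inputs are constructed; the page's -2F spelling is assumed to stand for the standard percent-encoded slash %2F.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed sample inputs. "traversal" mirrors the payload discussed on this
# page with "-2F" written as the standard "%2F"; "double_encoded" encodes the
# percent sign itself so that a single unquote() would not reveal the slash.
SAMPLE_INPUTS = {
    "traversal": "..%2F..%2F..%2F..%2Froot%2F",
    "double_encoded": "..%252F..%252F..%252F..%252Froot%252F",
    "absolute": "%2Fetc%2Fpasswd",
    "benign": "docs%2Fintro.php",
}


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so that %252F -> %2F -> /
    is caught. A value that is still changing after max_rounds is treated as
    hostile rather than decoded further."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("too many layers of percent-encoding")


def resolve_include(base_dir: str, user_path: str) -> Optional[str]:
    """Return the path an include of user_path would load, or None when the
    decoded value would escape base_dir. The check is lexical (normpath on the
    joined path must stay under base_dir); a production check should also
    realpath() the result so symlinks inside base_dir cannot point outside it."""
    try:
        decoded = fully_decode(user_path)
    except ValueError:
        return None
    # Absolute paths and embedded NUL bytes never describe a file under base_dir.
    if decoded.startswith("/") or "\x00" in decoded:
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, decoded))
    # ../../../../root/ collapses to /root, which fails this containment test.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate
```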

This payload attempts to perform two actions simultaneously:
