
-include-..-2f..-2f..-2f..-2froot-2f

Do not allow user-supplied strings to be passed directly to include(), require(), file_get_contents(), or fopen().

At first glance, the string -include-..-2F..-2F..-2F..-2Froot-2F looks like gibberish. To a security professional, it is a recognizable pattern: URL encoding and directory traversal mixed with application logic.

This payload attempts to perform two actions at once: file inclusion and directory traversal.

The -2F sequences are URL-encoded representations of the forward slash (/). The .. represents the parent directory. Put together, ..-2F..-2F..-2F..-2Froot-2F decodes to ../../../../root/.

http://vulnerable.site/index.php?include=-include-..-2F..-2F..-2F..-2Froot-2Fetc-2Fpasswd

If successful, the web application reads and returns /root/etc/passwd (unlikely) or /root/.bashrc, or it attempts to include a malicious file from /root/uploaded.txt.

The given path involves a mix of URL encoding and path traversal. Path traversal attacks occur when an attacker can manipulate a path variable to access unauthorized files or directories. For example, navigating to ../../../../etc/passwd from the web root could expose sensitive system files.
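The following is an added example, not code from the page, showing how a defender handles a parameter like the one above before it ever reaches include(), require(), file_get_contents(), or fopen(). It is written in Python so it can be run stand-alone; the same three checks apply in PHP: decode the value the way the attacker expects it to be decoded (here both standard %XX escapes and, as the text describes, the -XX variant, which this example treats as an assumption that '-' stands in for '%'), then either match it against an allowlist of known page names or normalize it and refuse anything that escapes the base directory. The base directory /var/www/app/pages, the allowlist, and all sample inputs are constructed for the example. Double-encoded input (%252e) is handled by decoding to a fixed point, and embedded null bytes are rejected.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed for this example: the only directory includes may come from.
BASE_DIR = "/var/www/app/pages"
# Constructed allowlist of page names the include= parameter may select.
ALLOWED_PAGES = {"home", "about", "contact"}

# Assumption: the '-2F' style in the payload is '%2F' with '-' in place of '%'.
DASH_ESCAPE = re.compile(r"-([0-9A-Fa-f]{2})")


def decode_param(raw: str, max_rounds: int = 3) -> str:
    """Decode %XX and -XX escapes repeatedly (bounded) so double encoding
    such as %252e cannot hide a '..' from the checks below."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(DASH_ESCAPE.sub(lambda m: "%" + m.group(1), value))
        if decoded == value:
            break
        value = decoded
    return value


def resolve_strict(raw: str) -> Optional[str]:
    """Preferred fix: the parameter must name a known page, nothing else.
    Returns the file to include, or None if the value is not allowlisted."""
    name = decode_param(raw)
    if name in ALLOWED_PAGES:
        return posixpath.join(BASE_DIR, name + ".php")
    return None


def resolve_contained(raw: str, base: str = BASE_DIR) -> Optional[str]:
    """Fallback when an allowlist is impractical: normalize the joined path
    and refuse anything outside the base directory. Absolute paths are
    rejected too, because posixpath.join discards base for them."""
    decoded = decode_param(raw)
    if "\x00" in decoded:
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, decoded))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


def contains_traversal(raw: str) -> bool:
    """Detection helper for a log or WAF rule: after decoding, does the
    value step to a parent directory or start from the filesystem root?"""
    decoded = decode_param(raw)
    parts = re.split(r"[\\/]", decoded)
    return ".." in parts or decoded.startswith("/")


if __name__ == "__main__":
    payload = "-include-..-2F..-2F..-2F..-2Froot-2Fetc-2Fpasswd"  # from the page
    for value in (payload, "about", "%252e%252e/etc/passwd", "news/today.php"):
        print(repr(value), "->", decode_param(value),
              "| strict:", resolve_strict(value),
              "| contained:", resolve_contained(value),
              "| traversal:", contains_traversal(value))
```

Use resolve_strict wherever the set of includable pages is known in advance; resolve_contained is the weaker option and should be paired with contains_traversal logging so attempts are visible even when they fail.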