logo
Red team
Local file inclusion: double encoding
  • Green team
  • Blue team
  • Purple team
  • Ty Myrddin
Initializing search
      • IN: Where the falcons and foxes roam
        • Swoop like falcons, silent, precise, and lethally patient
        • Mapping the lay of the land
        • Fox hunting through the digital wilds
        • A canopy of apple-blossom
          • Field notes from the fragrant branches of web app exploitation
          • Portswigger Academy labs: Controlled burn
          • Root-me: Orchard foraging
            • Root-Me Web client challenges
            • Root-Me Web server challenges
              • Insecure code management
              • Directory traversal
              • File upload: null byte
              • PHP assert()
              • PHP Filters
              • PHP Register globals
              • JWT Introduction
              • JWT (not) revoked token
              • JWT weak secret
              • Python: Server-side Template Injection Introduction
              • Command injection: filter bypass
              • Java: Server-side Template Injection (SSTI)
              • Local file inclusion
              • Local file inclusion: double encoding
              • PHP preg_replace
              • PHP type juggling
              • SQL injection: authentication
              • SQL injection: string
              • XSLT code execution
              • PHP path truncation
              • PHP serialisation
              • SQL injection: numeric
              • SQL injection: routed
              • SQL truncation
              • XPath injection: authentication
              • SQL injection: time-based
          • Petals and pentesting priorities
        • Getting a foothold in the top of the world tree
        • Hack the planet? Nah, just hold the door for me
        • Where wild boars plough through endpoints
        • Wolverines do not ask for permissions
        • Riches in the ground
      • THROUGH: Where the raccoons burrow and rummage
      • OUT: Where squirrels swipe the crown jewels

    Local file inclusion: double encodingΒΆ

    root-me challenge: Local File Inclusion - Double encoding: Find the validation password in the source files of the website.

    Using HackTricks File inclusion encoding, PayloadAllTheThings: LFI / RFI using wrappers Wrapper -> php://filter, and cyberchef:

    page=pHp%253A%252F%252FFilTer%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dconf
    Last update: 2025-05-12 14:16
    Back to top
    Previous Local file inclusion
    Next PHP preg_replace
    © Copyright 2025, TyMyrddin.
    Created using Sphinx 7.2.6. and Sphinx-Immaterial

    Made with love in the Unseen University, 2025, with a forest garden fostered by /ut7