Weird LFI and escalating the impact from High to Critical

3 min read · Sep 18, 2023


Hey wonderful hackers. I was hacking on a VDP program and, after a light recon, I picked one subdomain to hunt.

I clicked around and used the website as intended, but when I looked at the requests in Burp, this request caught my eye.


So I tested for LFI and tried to get the /etc/passwd file, but the response was empty. I tried all the bypasses, but no luck.

I tried paths from SecLists and I got these files:


That's all. Nothing quite impactful.

Anyway, this is an LFI, and based on the wrong belief, its impact is High, but I personally believe that the impact of an LFI must be Critical.

Some examples of High-impact LFIs:

They did it on my report too:

I wanted to escalate this to Critical, so I had to find something, and that's a little difficult by brute-forcing.

I fuzzed internal endpoints with special characters and Unicode, and I found something interesting. The * character was returning a file in every directory. (I guess it was the first file; I still don't know.)

I sent this request:


I got database credentials:

The password was too hard to guess :)

They were valid, and I logged into the database.

Source code disclosure:

Hello, white box.

Is it still “High” baby?

It’s a VDP, so there is no bounty :)

The story is over here, but I found another thing about that * behavior.

It can be used like this too: /etc/apache2/*SOME-STRING

If that string matches part of a file name in that directory, it returns that file, like in these examples:

I still don't know the reason. Please tell me if you know. :)
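One plausible mechanism for the * behavior described above, as an added example that is not code from the original post and says nothing certain about the target's real backend: if the server resolves the requested path with shell-style wildcard expansion (Python's glob module here; a shell expanding `cat $path` behaves the same) and serves the first match, then `*` returns the alphabetically first regular file in a directory and `*SOME-STRING` returns the first file whose name ends in SOME-STRING. The sample directory tree, the `vulnerable_read` and `safe_read` handlers and the file contents are all constructed for this example. The hardened handler beside it is the check a practitioner would want: reject glob metacharacters outright and confine the real path to a base directory.

```python
"""
Added example: a toy file-include handler that expands globs and returns the
first match (one hypothesis for the '*' behaviour in the write-up), next to a
hardened version. The sample tree is constructed in a temp dir; nothing here
is the target's actual code.
"""
import glob
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample filesystem (assumption: stands in for the server's files).
SAMPLE_FILES = {
    "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "etc/apache2/apache2.conf": "ServerRoot /etc/apache2\n",
    "etc/apache2/envvars": "export APACHE_RUN_USER=www-data\n",
    "var/www/app/config.php": "<?php $db_pass = 'REDACTED';\n",
}


def build_sample_root() -> str:
    """Create the sample tree under a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    for rel, body in SAMPLE_FILES.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


def vulnerable_read(root: str, requested: str) -> Optional[str]:
    """Vulnerable handler: the user-controlled path goes straight to glob and
    the first regular file that matches (sorted, as a shell would expand '*')
    is served. '/etc/apache2/*' therefore returns apache2.conf and
    '/etc/apache2/*vars' returns envvars."""
    pattern = os.path.join(root, requested.lstrip("/"))
    files = sorted(m for m in glob.glob(pattern) if os.path.isfile(m))
    if not files:
        return None
    return Path(files[0]).read_text()


GLOB_META = set("*?[]")


def safe_read(root: str, base_subdir: str, requested: str) -> Optional[str]:
    """Hardened handler: no wildcard characters at all, and the resolved path
    must stay inside root/base_subdir. realpath() collapses '..' and follows
    symlinks before the containment check, so traversal tricks do not help."""
    if any(c in GLOB_META for c in requested):
        return None
    base = os.path.realpath(os.path.join(root, base_subdir))
    target = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    return Path(target).read_text()


if __name__ == "__main__":
    root = build_sample_root()
    for req in ("/etc/*", "/etc/apache2/*", "/etc/apache2/*vars", "/var/www/app/*.php"):
        print(f"vulnerable {req!r:28} -> {vulnerable_read(root, req)!r}")
    for req in ("config.php", "../../../etc/passwd", "*"):
        print(f"safe       {req!r:28} -> {safe_read(root, 'var/www/app', req)!r}")
```

The sorted-first-match rule is what makes a bare `*` hand back one file per directory, and a suffix after `*` narrows the match to names ending in that suffix, which is consistent with what the post observed. The fix is not a blocklist of characters alone: the containment check on the resolved path is what actually keeps reads inside the intended directory, and rejecting glob metacharacters just removes the wildcard surface on top of it.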


  • The impact of an LFI vulnerability is definitely Critical.

Thanks for reading. Love y’all.