Cookie Based PHP Local File Inclusion ( Bug Bounty)
2 min readAug 3, 2020
One of the sites I reviewed had a cookie that caught my attention.
lang=langPack/en
I thought about changing that.
lang=langPack/blabla
I started trying for LFI vulnerability.
Tested Payload’s :
../../../../../etc/passwd
./index.php
../../index.php
When I looked at the error again, something caught my attention.
include(“langPack/blabla.php”):
I did not enter a .php file extension in cookies. I noticed that the system automatically adds .php.
I immediately thought of the method I had seen in a repo before.
In my first attempt, I tried to shoot the language file itself.
Then result
- Report Sended. Waiting Bounty. :)