Cookie Based PHP Local File Inclusion ( Bug Bounty)

One of the sites I reviewed had a cookie that caught my attention.

lang=langPack/en

I thought about changing that.

lang=langPack/blabla

I started trying for LFI vulnerability.

Tested Payload’s :

../../../../../etc/passwd

./index.php

../../index.php

When I looked at the error again, something caught my attention.

include(“langPack/blabla.php”):

I did not enter a .php file extension in cookies. I noticed that the system automatically adds .php.

I immediately thought of the method I had seen in a repo before.

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

In my first attempt, I tried to shoot the language file itself.

Then result

• Report Sended. Waiting Bounty. :)