References updated for Dom Clobbering, File Inclusion

2025-12-12 07:40:34 -08:00 · 2024-11-05 17:29:15 +01:00
parent e138308d3d
commit e47391b12b
6 changed files with 73 additions and 67 deletions
--- a/Misconfiguration/README.md
+++ b/Misconfiguration/README.md
@@ -266,7 +266,7 @@ function reqListener() {
 - [Think Outside the Scope: Advanced CORS Exploitation Techniques - Ayoub Safa (Sandh0t) - May 14 2019](https://medium.com/bugbountywriteup/think-outside-the-scope-advanced-cors-exploitation-techniques-dad019c68397)
 - [Exploiting CORS misconfigurations for Bitcoins and bounties - James Kettle - 14 October 2016](https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties)
- [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - DECEMBER 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
+- [Exploiting Misconfigured CORS (Cross Origin Resource Sharing) - Geekboy - December 16, 2016](https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/)
 - [Advanced CORS Exploitation Techniques - Corben Leo - June 16, 2018](https://web.archive.org/web/20190516052453/https://www.corben.io/advanced-cors-techniques/)
 - [Cross-origin resource sharing (CORS) - PortSwigger Web Security Academy - December 30, 2019](https://portswigger.net/web-security/cors)
 - [CORS Misconfigurations Explained - Detectify Blog - Apr 26, 2018](https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/)
--- a/Rebinding/README.md
+++ b/Rebinding/README.md
@@ -7,13 +7,18 @@
 * [Tools](#tools)
 * [Exploitation](#exploitation)
 * [Protection Bypasses](#protection-bypasses)
    * [0.0.0.0](#0000)
    * [CNAME](#CNAME)
    * [localhost](#localhost)
 * [References](#references)
 ## Tools
 - [Singularity of Origin](https://github.com/nccgroup/singularity) - is a tool to perform DNS rebinding attacks.
 - [Singularity of Origin Web Client](http://rebind.it/) (manager interface, port scanner and autoattack)
 ## Exploitation
 First, we need to make sure that the targeted service is vulnerable to DNS rebinding.
@@ -34,6 +39,7 @@ Then, if the service is vulnerable, we can abuse DNS rebinding by following thes
 4. Browse to "http://rebinder.your.domain:8080/autoattack.html".
 5. Wait for the attack to finish (it can take few seconds/minutes).
 ## Protection Bypasses
 > Most DNS protections are implemented in the form of blocking DNS responses containing unwanted IP addresses at the perimeter, when DNS responses enter the internal network. The most common form of protection is to block private IP addresses as defined in RFC 1918 (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Some tools allow to additionally block localhost (127.0.0.0/8), local (internal) networks, or 0.0.0.0/0 network ranges.
@@ -71,6 +77,4 @@ localhost.example.com.            381     IN      CNAME   localhost.
 ## References
- [How Do DNS Rebinding Attacks Work? - nccgroup, 2019](https://github.com/nccgroup/singularity/wiki/How-Do-DNS-Rebinding-Attacks-Work%3F)
+- [How Do DNS Rebinding Attacks Work? - nccgroup - Apr 9, 2019](https://github.com/nccgroup/singularity/wiki/How-Do-DNS-Rebinding-Attacks-Work%3F)
--- a/Confusion/README.md
+++ b/Confusion/README.md
@@ -13,10 +13,12 @@
 * [Confused](https://github.com/visma-prodsec/confused)
 ## Exploit
 Look for `npm`, `pip`, `gem` packages, the methodology is the same : you register a public package with the same name of private one used by the company and then you wait for it to be used.
 ### NPM example
 * List all the packages (ie: package.json, composer.json, ...)
@@ -24,9 +26,10 @@ Look for `npm`, `pip`, `gem` packages, the methodology is the same : you registe
 * Register and create a **public** package with the same name
    * Package example : https://github.com/0xsapra/dependency-confusion-expoit
 ## References
-* [Exploiting Dependency Confusion - 2 Jul 2021 - 0xsapra](https://0xsapra.github.io/website//Exploiting-Dependency-Confusion)
+- [Exploiting Dependency Confusion - Aman Sapra (0xsapra) - 2 Jul 2021](https://0xsapra.github.io/website//Exploiting-Dependency-Confusion)
-* [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Alex Birsan - 9 Feb 2021](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
+- [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Alex Birsan - 9 Feb 2021](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
-* [Ways to Mitigate Risk When Using Private Package Feeds - Microsoft - 29/03/2021](https://azure.microsoft.com/en-gb/resources/3-ways-to-mitigate-risk-using-private-package-feeds/)
+- [3 Ways to Mitigate Risk When Using Private Package Feeds - Microsoft - 29/03/2021](https://web.archive.org/web/20210210121930/https://azure.microsoft.com/en-gb/resources/3-ways-to-mitigate-risk-using-private-package-feeds/)
-* [$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=zFHJwehpBrU )
+- [$130,000+ Learn New Hacking Technique in 2021 - Dependency Confusion - Bug Bounty Reports Explained - 22 févr. 2021](https://www.youtube.com/watch?v=zFHJwehpBrU)
--- a/Traversal/README.md
+++ b/Traversal/README.md
@@ -18,6 +18,7 @@
 * [Path Traversal](#path-traversal)
    * [Interesting Linux files](#interesting-linux-files)
    * [Interesting Windows files](#interesting-windows-files)
 * [Labs](#labs)
 * [References](#references)
 ## Tools
@@ -267,11 +268,11 @@ The following log files are controllable and can be included with an evil payloa
 ## References
-* [Path Traversal Cheat Sheet: Windows](https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/)
+- [Path Traversal Cheat Sheet: Windows - @HollyGraceful - May 17, 2015](https://web.archive.org/web/20170123115404/https://gracefulsecurity.com/path-traversal-cheat-sheet-windows/)
-* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
+- [Directory traversal attack - Wikipedia - 5 August 2024](https://en.wikipedia.org/wiki/Directory_traversal_attack)
-* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
+- [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
-* [NGINX may be protecting your applications from traversal attacks without you even knowing](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
+- [NGINX may be protecting your applications from traversal attacks without you even knowing - Rotem Bar - September 24, 2020](https://medium.com/appsflyer/nginx-may-be-protecting-your-applications-from-traversal-attacks-without-you-even-knowing-b08f882fd43d?source=friends_link&sk=e9ddbadd61576f941be97e111e953381)
-* [Directory traversal - Portswigger](https://portswigger.net/web-security/file-path-traversal)
+- [Directory traversal - Portswigger - March 30, 2019](https://portswigger.net/web-security/file-path-traversal)
-* [Cookieless ASPNET - Soroush Dalili](https://twitter.com/irsdl/status/1640390106312835072)
+- [Cookieless ASPNET - Soroush Dalili - March 27, 2023](https://twitter.com/irsdl/status/1640390106312835072)
-* [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - 30 nov. 2023](https://youtu.be/YlZGJ28By8U)
+- [EP 057 | Proc filesystem tricks & locatedb abuse with @_remsio_ & @_bluesheet - TheLaluka - November 30, 2023](https://youtu.be/YlZGJ28By8U)
-* [Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - 06/24/2011](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479315(v=msdn.10))
+- [Understand How the ASP.NET Cookieless Feature Works - Microsoft Documentation - June 24, 2011](https://learn.microsoft.com/en-us/previous-versions/dotnet/articles/aa479315(v=msdn.10))
--- a/Clobbering/README.md
+++ b/Clobbering/README.md
@@ -15,6 +15,7 @@
 * [Lab: Clobbering DOM attributes to bypass HTML filters](https://portswigger.net/web-security/dom-based/dom-clobbering/lab-dom-clobbering-attributes-to-bypass-html-filters)
 * [Lab: DOM clobbering test case protected by CSP](https://portswigger-labs.net/dom-invader/testcases/augmented-dom-script-dom-clobbering-csp/)
 ## Exploit
 Exploitation requires any kind of `HTML injection` in the page.
@@ -125,8 +126,8 @@ Exploitation requires any kind of `HTML injection` in the page.
 ## References
-* [Dom Clobbering - PortSwigger](https://portswigger.net/web-security/dom-based/dom-clobbering)
+- [Bypassing CSP via DOM clobbering - Gareth Heyes - 05 June 2023](https://portswigger.net/research/bypassing-csp-via-dom-clobbering)
-* [Dom Clobbering - HackTricks](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/dom-clobbering)
+- [DOM Clobbering - HackTricks - January 27, 2023](https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/dom-clobbering)
-* [DOM Clobbering strikes back - @garethheyes - 06 February 2020](https://portswigger.net/research/dom-clobbering-strikes-back)
+- [DOM Clobbering - PortSwigger - September 25, 2020](https://portswigger.net/web-security/dom-based/dom-clobbering)
-* [Hijacking service workers via DOM Clobbering - @garethheyes - 29 November 2022](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
+- [DOM Clobbering strikes back - Gareth Heyes - 06 February 2020](https://portswigger.net/research/dom-clobbering-strikes-back)
-* [Bypassing CSP via DOM clobbering - @garethheyes - 05 June 2023](https://portswigger.net/research/bypassing-csp-via-dom-clobbering)
+- [Hijacking service workers via DOM Clobbering - Gareth Heyes - 29 November 2022](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
--- a/Inclusion/README.md
+++ b/Inclusion/README.md
@@ -6,20 +6,18 @@
 ## Summary
- [File Inclusion](#file-inclusion)
+- [Tools](#tools)
-  - [Summary](#summary)
+- [Local File Inclusion](#local-file-inclusion)
  - [Tools](#tools)
  - [Local File Inclusion](#local-file-inclusion)
    - [Null byte](#null-byte)
    - [Double encoding](#double-encoding)
    - [UTF-8 encoding](#utf-8-encoding)
    - [Path and dot truncation](#path-and-dot-truncation)
    - [Filter bypass tricks](#filter-bypass-tricks)
-  - [Remote File Inclusion](#remote-file-inclusion)
+- [Remote File Inclusion](#remote-file-inclusion)
    - [Null byte](#null-byte-1)
    - [Double encoding](#double-encoding-1)
    - [Bypass allow_url_include](#bypass-allow_url_include)
-  - [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
+- [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
    - [Wrapper php://filter](#wrapper-phpfilter)
    - [Wrapper data://](#wrapper-data)
    - [Wrapper expect://](#wrapper-expect)
@@ -29,29 +27,30 @@
      - [PHAR archive structure](#phar-archive-structure)
      - [PHAR deserialization](#phar-deserialization)
    - [Wrapper convert.iconv:// and dechunk://](#wrapper-converticonv-and-dechunk)
-  - [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
+- [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
-  - [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
+- [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
-  - [LFI to RCE via iconv](#lfi-to-rce-via-iconv)
+- [LFI to RCE via iconv](#lfi-to-rce-via-iconv)
-  - [LFI to RCE via upload](#lfi-to-rce-via-upload)
+- [LFI to RCE via upload](#lfi-to-rce-via-upload)
-  - [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
+- [LFI to RCE via upload (race)](#lfi-to-rce-via-upload-race)
-  - [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
+- [LFI to RCE via upload (FindFirstFile)](#lfi-to-rce-via-upload-findfirstfile)
-  - [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
+- [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
-  - [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
+- [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
    - [RCE via SSH](#rce-via-ssh)
    - [RCE via Mail](#rce-via-mail)
    - [RCE via Apache logs](#rce-via-apache-logs)
-  - [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
+- [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
-  - [LFI to RCE via PHP PEARCMD](#lfi-to-rce-via-php-pearcmd)
+- [LFI to RCE via PHP PEARCMD](#lfi-to-rce-via-php-pearcmd)
-  - [LFI to RCE via credentials files](#lfi-to-rce-via-credentials-files)
+- [LFI to RCE via credentials files](#lfi-to-rce-via-credentials-files)
-  - [References](#references)
+- [References](#references)
 ## Tools
-* [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus)
+* [P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus) (archived on Oct 7, 2020) - kadimus is a tool to check and exploit lfi vulnerability.
-* [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite)
+* [D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite) - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
-* [fimap - https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
+* [kurobeats/fimap](https://github.com/kurobeats/fimap) - fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.
-* [panoptic - https://github.com/lightos/Panoptic](https://github.com/lightos/Panoptic)
+* [lightos/Panoptic](https://github.com/lightos/Panoptic) - Panoptic is an open source penetration testing tool that automates the process of search and retrieval of content for common log and config files through path traversal vulnerabilities.
-* [LFImap - https://github.com/hansmach1ne/LFImap](https://github.com/hansmach1ne/LFImap)
+* [hansmach1ne/LFImap](https://github.com/hansmach1ne/LFImap) - Local File Inclusion discovery and exploitation tool
 ## Local File Inclusion
@@ -664,27 +663,25 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
 ## References
-* [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
+* [Baby^H Master PHP 2017 - Orange Tsai (@orangetw) - Dec 5, 2021](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017)
-* [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
+* [CVV #1: Local File Inclusion - SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
-* [Turning LFI to RFI](https://l.avala.mp/?p=241)
+* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos - 19 June 2018](https://web.archive.org/web/20200919055801/http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html)
-* [Is PHP vulnerable and under what conditions?](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
+* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction - Mannu Linux - 2019-05-12](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html)
 * [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
 * [Local file inclusion tricks](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html)
 * [CVV #1: Local File Inclusion - SI9INT](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
 * [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos](https://web.archive.org/web/20200919055801/http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html)
 * [Baby^H Master PHP 2017 by @orangetw](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017)
 * [Чтение файлов => unserialize !](https://web.archive.org/web/20200809082021/https://rdot.org/forum/showthread.php?t=4379)
 * [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
 * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
 * [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
 * [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
 * [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
 * [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
 * [LFI2RCE via PHP Filters - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters)
 * [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
 * [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
 * [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
 * [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
 * [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
 * [Iconv, set the charset to RCE: exploiting the libc to hack the php engine (part 1) - Charles Fol - 27 May, 2024](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)
-* [OffensiveCon24- Charles Fol- Iconv, Set the Charset to RCE - 14 juin 2024](https://youtu.be/dqKFHjcK9hM)
+* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
 * [Is PHP vulnerable and under what conditions? - April 13, 2015 - Andreas Venieris](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
 * [It's A PHP Unserialization Vulnerability Jim But Not As We Know It - Sam Thomas - Aug 10, 2018](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
 * [LFI Cheat Sheet - @Arr0way - 24 Apr 2016](https://highon.coffee/blog/lfi-cheat-sheet/)
 * [LFI2RCE via PHP Filters - HackTricks - 19/07/2024](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters)
 * [Local file inclusion tricks - Johan Adriaans - August 4, 2007](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html)
 * [New PHP Exploitation Technique - Dr. Johannes Dahse - 14 Aug 2018](https://web.archive.org/web/20180817103621/https://blog.ripstech.com/2018/new-php-exploitation-technique/)
 * [OffensiveCon24 - Charles Fol- Iconv, Set the Charset to RCE - 14 June 2024](https://youtu.be/dqKFHjcK9hM)
 * [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin - Feb 20, 2023](https://hackmd.io/@ginoah/phpInclude#/)
 * [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - March 21, 2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
 * [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
 * [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - Gynvael Coldwind - March 18, 2011](https://gynvael.coldwind.pl/?id=376)
 * [PHP LFI with Nginx Assistance - Bruno Bierbaumer - 26 Dec 2021](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
 * [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop - Dec 30, 2021](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
 * [Testing for Local File Inclusion - OWASP - 25 June 2017](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
 * [Turning LFI into RFI - Grayson Christopher - 2017-08-14](https://web.archive.org/web/20170815004721/https://l.avala.mp/?p=241)
 * [Upgrade from LFI to RCE via PHP Sessions - Reiners - September 14, 2017](https://web.archive.org/web/20170914211708/https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)