> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/lfi/trick-0068/web-lfi-vulnerability-exploitation.md).

# Vulnerability Exploitation

## LFI Filter Bypass Double Encoding

Bypass Local File Inclusion (LFI) filters that only perform a single pass of URL decoding by double encoding path traversal characters (`../`). This technique works because a filter that only decodes once will see `%252f` and `%252e%252e` as harmless strings, but after the application performs a second decoding pass, they correctly become `%2f` (which decodes to `/`) and `%2e%2e` (which decodes to `..`), allowing the path traversal.

Double encoding occurs when a value that has already been URL encoded is encoded again. For example, the percent character `%` is encoded as `%25`. If a character like `/`, which is `%2f` when URL encoded once, is double encoded, the `%` within `%2f` is encoded to `%25`, resulting in `%252f`. Similarly, `.` (encoded as `%2e`) becomes `%252e` when double-encoded. The path traversal sequence `../` can therefore be represented using double encoding as `..%252f` or `%252e%252e%252f`.

This method is effective against filters or Web Application Firewalls (WAFs) that are configured to perform only a single URL decode before checking for malicious sequences like `../`. When presented with a double-encoded payload such as `..%252f`, the filter decodes it once, resulting in `..%2f`. Since the filter might only look for the final `../` pattern or single-encoded variations like `%2e%2e%2f`, it fails to detect `..%2f` as malicious and allows the input to pass. The application then performs its own URL decoding, or the web server handles the decoding, transforming `..%2f` into `../`, which is then processed by the file inclusion function, leading to the traversal vulnerability.

An example using `curl` to exploit this vulnerability to access `/etc/passwd` might look like this, utilizing the `..%252f` sequence:

```bash
curl "https://broscience.htb/includes/img.php?path=..%252f..%252f..%252f..%252f..%252fetc%252fpasswd" -k
```

The payload structure often involves specifying the double-encoded path traversal sequence within a file parameter, such as:

```
?filename=..%252f..%252f..%252fetc%252fpasswd
```
