Bypass file extension on File Inclusion Attack

Question

I read a ethical hacking book and I should pass a exercise. In this exercise there is a php code like this:

<?php
    $page = $_GET['p'];
    include($page.".php");
?>

I must access passwd by appling file inclusion attack. I tried put %00 end of url and I can't.

Answer 1

The simple Null Byte Injection depends on the current server configuation. So maybe it's prevented because magic_quotes_gpc is turned On.

But there are other attack vectors too:

• Maybe your server is vulnerable to Remote File Inclusion, and the code to access passwd is injected by remote script.
• Or some more complex LFI when path truncation hits in - please see first answer on security stackexchange