I am trying to bypass this LFI filter for a challenge...

I've tried almost all techniques at hand. Changing GET request to POST. Null byte or ? at the end. URL encoding. Double URL encoding. Base64 encoding. PHP wrappers. Even HTTP parameter pollution to check if I could smuggle in characters through another variable...

The issue is that no special characters or numbers are allowed:

!"#$%&/()=?¡¬\\~`^1234567890.,:;

All disappear when I send the request.

The URL is as follows:

vulnerableSite/vulnerable.php?file=FUZZ

I have no access to the source code. Are there any other techniques that I could try?

schroeder
4d4143

0 Answers