MAMate Agulashviliinnoteshacking.hashnode.dev·Jan 19 · 7 min readLFI → RCE: Abusing Stream Wrappers with Uploaded Microsoft DOCX FilesDuring an engagement, I identified a Local File Inclusion (LFI) vulnerability in a document transfer application written in plain PHP. Although the application enforced strict file upload controls—restricting uploads to .doc, .docx, and .pdf files an...00