LFI → RCE: Abusing Stream Wrappers with Uploaded Microsoft DOCX Files
During an engagement, I identified a Local File Inclusion (LFI) vulnerability in a document transfer application written in plain PHP. Although the application enforced strict file upload controls—restricting uploads to .doc, .docx, and .pdf files an...
noteshacking.hashnode.dev7 min read