Let’s consider a real situation to clearly understand the value of this method. Assume that we have a web application with as many holes and flaws as a colander. SQL injection allows us to get the admin password hashes, and we then recover the passwords, but here’s the bad luck – we are unable to find the admin page :(. There is SQLi, but we cannot access the site's file system. There is LFI, but we can hook nothing :((. In this situation, the method described here can help!
We use include:
And continue until we find something useful. For example, we find "useful" on "http://site/?file=m<<.php". Then we start to brute force the 2nd character:
... and so on.
For this example, "myAdminPanel\admin.php" is a possible result.
Please note that this example is just a special case. This PHP feature can be used much more widely! I also want to add that this method is applicable to all versions of PHP, and on Windows-based systems only.
The original is available here: http://onsec.ru/onsec.whitepaper-02.eng.pdf
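Requests like the ones described above stand out in web server logs, because legitimate file parameters do not contain `<`. The following detection sketch is an added example, not code from the original article or whitepaper: it percent-decodes query parameters and reports clients that send several distinct path-like values containing `<` or `>`. The log format, sample lines, function names and threshold are assumptions, and `>` is included because Windows also treats it as a wildcard character.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (client IP, request line, status); not real traffic.
SAMPLE_LOG = """\
198.51.100.7 "GET /?file=a%3C%3C.php HTTP/1.1" 200
198.51.100.7 "GET /?file=b%3C%3C.php HTTP/1.1" 200
198.51.100.7 "GET /?file=m%3C%3C.php HTTP/1.1" 200
198.51.100.7 "GET /?file=ma<<.php HTTP/1.1" 200
198.51.100.7 "GET /?file=my<<.php HTTP/1.1" 200
203.0.113.20 "GET /?file=news.php HTTP/1.1" 200
203.0.113.20 "GET /search?q=a+%3C+b HTTP/1.1" 200
"""

# Assumed minimal log format: <client> "<METHOD> <target> HTTP/x.y" <status>
LINE_RE = re.compile(r'^(\S+) "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})$')
WILDCARD_RE = re.compile(r'[<>]')              # wildcard characters in file names on Windows
PATHLIKE_RE = re.compile(r'\.\w{1,5}$|[\\/]')  # value ends in an extension or has a separator


def wildcard_probes(log_text):
    """Return {client: [values]} for path-like parameter values containing < or >."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client, target, _status = m.groups()
        # parse_qsl percent-decodes, so %3C and a literal < are treated alike.
        for _name, value in parse_qsl(urlsplit(target).query):
            if WILDCARD_RE.search(value) and PATHLIKE_RE.search(value):
                hits[client].append(value)
    return dict(hits)


def enumerating_clients(log_text, threshold=3):
    """Clients that sent at least `threshold` distinct wildcard probes."""
    return sorted(client for client, values in wildcard_probes(log_text).items()
                  if len(set(values)) >= threshold)
```

The same character test can be applied at the application boundary: rejecting any include parameter that contains `<` or `>`, or mapping the parameter to a fixed allowlist of files, removes the behaviour the enumeration relies on.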