Vladimir Vorontsov (aka d0znpp) has published rather interesting research on how PHP interacts with Windows. It started when the equivalence between the following methods of file access was noticed:
Let's consider a real situation to clearly understand the value of this method. Assume we have a web application full of holes and flaws, leaky as a colander. SQL injection lets us get the admin password hashes, and we recover the passwords, but here's the bad luck: we are unable to find the admin page :(. There is SQLi, but we cannot access the site's file system. There is LFI, but there is nothing to hook :((. In this situation the method described here can help!
We use include:
And we continue until we find something useful. For example, we find "useful" on "http://site/?file=m<\<.php". Then we start brute-forcing the 2nd character:
For this example, "myAdminPanel\admin.php" is a possible result.
Please note that this example is just a special case. This PHP feature can be used much more widely! I also want to add that this method works on all versions of PHP, but on Windows-based systems only.
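As an added example (not code from the original post or from the onsec paper), here is the `?file=` include pattern the post describes placed next to a hardened version. The point for defenders is that the NT file system resolves DOS-style wildcard characters in paths, so a denylist of "bad" characters is fragile; mapping the request parameter to a fixed identifier and resolving it against a known directory blocks the enumeration without having to enumerate the wildcards. The page names, the `pages/` directory layout and the function names are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a fixed set of
// includable pages under $baseDir (hypothetical layout).

declare(strict_types=1);

// Vulnerable pattern: the request parameter reaches include() unchanged.
// On Windows the file system treats `<`, `>` and `"` as DOS-style wildcards,
// so one request can match files whose names the requester does not know.
function includeUnsafe(string $file): void
{
    include $file; // DO NOT USE: direct user control of the path
}

// Hardened pattern: the parameter selects a page *identifier*, never a path.
const ALLOWED_PAGES = ['home', 'about', 'contact']; // assumed page set

function resolvePage(string $param, string $baseDir): ?string
{
    // 1. Strict allowlist on the identifier: letters, digits, underscore and
    //    hyphen only. This rejects `<`, `>`, `"`, `/`, `\`, `.` and NUL
    //    without having to list them.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $param)) {
        return null;
    }
    // 2. The identifier must be one the application ships.
    if (!in_array($param, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Resolve the real path and confirm it is still inside $baseDir.
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $param . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function includeSafe(string $param, string $baseDir): void
{
    $path = resolvePage($param, $baseDir);
    if ($path === null) {
        // Log the rejected raw value (hex, so wildcards and control bytes are
        // visible): wildcard characters in a file parameter are a strong
        // signal of the enumeration the post describes.
        error_log('rejected file parameter: ' . bin2hex($param));
        http_response_code(404);
        return;
    }
    include $path;
}

// Usage (assumes a pages/ directory next to this script):
// includeSafe($_GET['file'] ?? '', __DIR__ . '/pages');
```

The `realpath` step is a second line of defence, not the primary one: on Windows `realpath` itself goes through the same path resolution, so the identifier allowlist in step 1 is what actually keeps wildcard characters away from the file system.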
The original paper is available here: http://onsec.ru/onsec.whitepaper-02.eng.pdf