dsad

vuln-lab/web/www/page.php

@@ -0,0 +1,17 @@
+<?php
+// LFI — path traversal, php:// filter, allow_url_include.
+$page = $_GET['page'] ?? $_GET['file'] ?? $_GET['template'] ?? 'home';
+
+// strip trailing .php if user didn't add it
+$target = $page;
+if (!preg_match('/\.(php|html|txt|log)$/', $target) && strpos($target, '://') === false) {
+    $target .= '.php';
+}
+
+echo "<!DOCTYPE html><html><body>";
+echo "<h1>Pages · $page</h1><hr>";
+
+// No sanitization at all — directly include.
+@include($target);
+
+echo "</body></html>";