Essentially this is when the webserver, or app isn’t handling file uploads, or file requests properly. As in, the input isn’t being sanitized, or certain permission checks aren’t run on files.
Risk - There isn’t always a risk. There could be no impact depending on the situation. It’s all situational! So… try it. You never know.
In php, the command to fetch a file is file_get_contents - I don’t know a lot of php so this is good lol
If there is a vuln related to php getting file contents, try relative paths too, see what folders exist
Sometimes a developer will only “accept” certain file extensions. Try using a null byte %00 or 0x00 to end a string in php. Should trick a program into doing what we want without adding .php onto our input.
This doesn’t work beyond PHP 5.3.3 at the time of writing
If there is a filter in place for directory transversal, see if you can trick it out. As in, if it is replacing ../ with then try sending ....// as it will only remove ../ leaving you with ../ <- what we want!
Sometimes there is a forced directory, so you could do something like ForcedDir/../../../etc/passwd to get where you want