If a website is vulnerable to Local File Inclusion (LFI), how can you use it to find out the PHP version? Is there any file which says the version of PHP being used? I’m trying to do a PHP sessions LFI to RCE attack, but I don’t know where the session files are stored. I think finding the PHP version will help.
It has to be a file that is already there because there is no way of putting a file on the target (apart from the session file).
Of course, I am not attacking a machine without permission; this is part of a challenge.