Hey people,

Sebastian has another (tricky) challenge for you :)

I found this code in a popular open source software. Afaik, this shouldn't be vulnerable to LFI, but you're here to prove me wrong ;)
If you discover an issue, you'll be credited properly after responsible disclosure.

#The Code

Again, it's PHP and the code looks like this:

```
> cat index.php 
<?php

$class = $_GET['class'];

if(class_exists($class)) {
    echo "Class exists. <br />";
    $foo = new $class($_REQUEST);
} else {
    echo "Class does not exist. <br />";
}


function __autoload($class) {
    $filename = str_replace('_','/', strtolower(basename($class)));

    $filepath = dirname(__FILE__) . "/classes/$filename.php";

    echo "Checking... " . $filepath . "<br />";

    if(file_exists($filepath)) {
        echo "Loading..." . $filepath . "<br />";
        require $filepath;
    }
}
```

```
> cat classes/hacked.php 
<?php

class Hacked {

    function __construct() {
	$this->hack();
    }

    public function hack() {
        echo 'Hacked';
	// do evil stuff ;)
    }
}
?>
```

You can download the code here: 

Demo: http://challenges.internetwache.org/php-lfi.tgz

```
> curl "http://challenges.me/php-2/index.php?class=Hacked"
Checking... /var/www/challenges/php-2/classes/hacked.php<br />
Loading.../var/www/challenges/php-2/classes/hacked.php<br />
Class exists. <br />
Hacked
```

#Your task
- Prove me wrong that this isn't exploitable (e.g. LFI/RCE)

#Hall of Fame/Credits
- Be the first!

#Contact
- Like always via twitter @internetwache

Happy hacking ;)