I am working on a challenge where I need to exploit a Local File Inclusion vulnerability.
The application expects an id parameter and tries to open a file using the given value and appending .png at the end. However, the value is validated using /^[0-9]+$/m and the test() function in JavaScript, so it only accepts numerical values.
URL encoding common payloads or using null bytes didn’t work.
I would appreciate any insights or suggestions.