TL;DR: tamper with PHP session cookie to include /etc/passwd
https://blog.kleinebu.de/serial-killer.html#serial-killer

Original writeup (https://blog.kleinebu.de/serial-killer.html#serial-killer).