Help on kind of LFI
  • Didac
    Posts: 2
    Hi, I found a web application with a kind of LFI and I tested known ways of exploiting it, but they only fail.
    The /self/environ returns blank.
    If I am wrong, log poisoning is useless because the code doesn't include the local file.
    I tried to view the Tomcat users and password file, but they are commented out <!-- bla bla -->
    The OS is CentOS 5.9, Apache Tomcat 7.0.34, and it has cPanel.

    Here is the code; it is a JSP file, but I think the server also supports PHP.


    <%@page import="java.io.FileInputStream"%>
    <%@page import="java.io.File"%>
    <%@page import="java.io.OutputStream" %>

    <%
        String titulo = request.getParameter("T");

        String path = request.getServletContext().getRealPath("")
                + "/WEB-INF/pdf/" + titulo + ".pdf";
        File file = new File(path);

        try {
            FileInputStream fis = new FileInputStream(file);
            byte[] pdf = new byte[(int) file.length()];
            fis.read(pdf, 0, (int) file.length());
            fis.close();

            response.setContentType("application/pdf");
            OutputStream os = response.getOutputStream();
            os.write(pdf);
            os.close();

        } catch (Exception e) {
            response.setContentType("text/html;charset=UTF-8");
            out.print("<h3 style=\"text-align:center;color:#900\">PDF no encontrado</h3>");
            out.close();
        }
    %>


    Nmap gave this report of services:

    21/tcp   open  ftp?
    |_ftp-anon: ERROR: Script execution failed (use -d to debug)
    |_ftp-bounce: no banner
    22/tcp   open  ssh?
    25/tcp   open  smtp?
    |_smtp-commands: Couldn't establish connection on port 25
    53/tcp   open  domain?
    80/tcp   open  http?
    110/tcp  open  pop3?
    143/tcp  open  imap?
    | imap-capabilities:
    |_  ERROR: Failed to connect to server
    443/tcp  open  https?
    587/tcp  open  submission?
    |_smtp-commands: Couldn't establish connection on port 587
    993/tcp  open  imaps?
    995/tcp  open  pop3s?
    8080/tcp open  http-proxy?


    What can I do to gain RCE?

    PS: sorry for my English
  • m0rph
    Posts: 332
    Sorry man, if you don't see any shell variables, you won't be able to get code execution capabilities via /proc/self/environ. btw, I would make sure you are including the correct file path as /self/environ is non-existent. Cheerio! Behave yourself meow.
    while( !(succeed = try() ) );
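
The JSP in the first post builds a file path by concatenating the `T` request parameter without any validation. As an added example (not part of the thread and not the application's own code), here is that lookup rewritten so `T` can only select a PDF directly inside `WEB-INF/pdf`. The class name `PdfResolver`, the allow-list pattern and the sample file names are assumptions; it needs Java 8 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;
import java.util.regex.Pattern;

public class PdfResolver {
    // Allow-list for the T parameter (assumed naming scheme):
    // letters, digits, underscore and hyphen only, so no separators or dots.
    private static final Pattern TITLE = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Returns the PDF to serve, or empty if the request must be rejected. */
    static Optional<Path> resolve(Path pdfDir, String title) throws IOException {
        if (title == null || !TITLE.matcher(title).matches()) {
            return Optional.empty();
        }
        Path base = pdfDir.toRealPath();
        Path candidate = base.resolve(title + ".pdf").normalize();
        // Defence in depth: the normalised path must still sit inside pdfDir
        // and must be an existing regular file.
        if (!candidate.startsWith(base) || !Files.isRegularFile(candidate)) {
            return Optional.empty();
        }
        // Resolve symbolic links and check containment once more.
        Path real = candidate.toRealPath();
        return real.startsWith(base) ? Optional.of(real) : Optional.empty();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout standing in for <webapp>/WEB-INF/pdf.
        Path root = Files.createTempDirectory("webapp");
        Path pdfDir = Files.createDirectories(root.resolve("WEB-INF/pdf"));
        Files.write(pdfDir.resolve("manual.pdf"), "%PDF-1.4 sample".getBytes());

        // Constructed values for T: one valid name, the rest must be rejected.
        String[] inputs = {"manual", "../manual", "a/b", "manual.pdf", "", "missing"};
        for (String t : inputs) {
            System.out.printf("T=%-14s -> %s%n", '"' + t + '"',
                    resolve(pdfDir, t).map(p -> "serve " + p.getFileName())
                                      .orElse("reject (404)"));
        }
    }
}
```

In the JSP itself, `pdfDir` would come from `getRealPath("/WEB-INF/pdf")`, and an empty result should produce the same "PDF no encontrado" response for every rejected value.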