PHP wrappers
Refer to my payload list:
PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem functions such as fopen()
, copy()
or even include()
and require()
. This can allow an attacker to read file or execute arbitary commands on the system.
The following covers a few simple techniques using PHP wrappers. Refer to The Hacker Recipe's notes above for more examples.
php://filter
php://filter
Using the option convert.base64-encode
, which simply base64 encodes the output, we can trick the server into returning the contents of a file in base64 format. Eg. The /etc/passwd
file.
php://filter/convert.base64-encode/resource=/etc/passwd
Note: the focus is not on the base64 encoding format, but rather on the ability to extract the contents of a file on the server.
data://
data://
The following payload contains a base64 encoded value for <?php phpinfo(); ?>
, which will allow us to view the PHP configuration details, potentially leaking sensitive data.
data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo=
Last updated