PHP wrappers

Refer to my payload list:

PHP comes with many built-in wrappers for various URL-style protocols for use with the filesystem functions such as fopen(), copy() or even include() and require(). This can allow an attacker to read file or execute arbitary commands on the system.

The following covers a few simple techniques using PHP wrappers. Refer to The Hacker Recipe's notes above for more examples.

php://filter

Using the option convert.base64-encode, which simply base64 encodes the output, we can trick the server into returning the contents of a file in base64 format. Eg. The /etc/passwd file.

php://filter/convert.base64-encode/resource=/etc/passwd

Note: the focus is not on the base64 encoding format, but rather on the ability to extract the contents of a file on the server.

data://

The following payload contains a base64 encoded value for <?php phpinfo(); ?>, which will allow us to view the PHP configuration details, potentially leaking sensitive data.

data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo=

Last updated