PHP - Bypass using filters
PHP filters can sometimes be exploited to read the source code of a PHP file if the server is misconfigured and allows Local File Inclusion or direct access to PHP stream wrappers. This occurs when the allow_url_include and allow_url_fopen parameters are enabled in the php.ini file.
LFI on PHP files usually won't display the source code, because the PHP interpreter executes an included file instead of showing its contents. With PHP filters, we can read the source code instead of having the file executed.
Here is how this can be exploited:
Use the following payload to retrieve the source code of a PHP file:
php://filter/convert.base64-encode/resource=$pathToPHPfile
php://filter/convert.base64-encode/resource=db.php #Example with a default php db
If direct file access via php://filter is blocked, we can use it indirectly through a confirmed LFI point:
vulnerable.php?file=php://filter/convert.base64-encode/resource=$pathToPHPfile
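To spot this pattern in web server logs, the added example below (not part of the original page) scans access-log lines for php://filter values in query parameters, URL-decoding them first. The log lines, the combined log format and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request target inside a combined-format access-log line (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# The wrapper form shown on this page: optional filter chain, then resource=.
WRAPPER_RE = re.compile(
    r"php://filter/(?P<chain>.*?)/?resource=(?P<resource>\S+)", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /vulnerable.php?file=php://filter/convert.base64-encode/resource=db.php HTTP/1.1" 200 1840',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /vulnerable.php?file=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Ddb.php HTTP/1.1" 200 1840',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /search.php?filter=php&resource=docs HTTP/1.1" 200 930',
]


def fully_unquote(value, max_rounds=3):
    """URL-decode until stable, since proxies and log pipelines may re-encode."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_filter_reads(log_line):
    """Return (parameter, filter_chain, resource) for each php://filter value."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        hit = WRAPPER_RE.search(fully_unquote(value))
        if hit:
            hits.append((name, hit.group("chain"), hit.group("resource")))
    return hits


def scan(lines):
    """Map line index to its hits, skipping lines with none."""
    return {i: h for i, line in enumerate(lines) if (h := find_filter_reads(line))}


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG).items():
        print(index, hits)
```

A hit that names a .php file as the resource, paired with a 200 response larger than the page normally returns, is worth checking against the application's include logic.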