Most web apps use PHP and one of the PHP frameworks, like Laravel or Symfony.
If we identify an LFI in a PHP web app, we can use the different PHP wrappers (https://www.php.net/manual/en/wrappers.php.php) to extend the exploit and even get RCE.
Input Filters
PHP Filters are a type of PHP wrappers, where we can pass different types of input and have it filtered by the filter we specify. To use PHP wrapper streams, we can use the php:// scheme in our string, and we can access the PHP filter wrapper with php://filter/.
The filter wrapper has several parameters, but the main ones we require for our attack are resource and read. The resource parameter is required for filter wrappers, and with it we can specify the stream we would like to apply the filter on (e.g. a local file), while the read parameter can apply different filters on the input resource, so we can use it to specify which filter we want to apply on our resource.
There are four different types of filters available for use: String Filters, Conversion Filters, Compression Filters, and Encryption Filters. You can read more about each filter type in the PHP manual, but the filter that is useful for LFI attacks is the convert.base64-encode filter, under Conversion Filters.
Fuzzing for PHP files
gobuster dir -u http://94.237.60.55:34449/ -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php
This will give us a few files that we can try to access.
Standard PHP inclusion
Suppose the fuzzing above found a configure.php file.
We want to read its source, but we can't do that through the URL: requesting it directly makes the server execute the file and return its output instead of the source code.
The same happens through the LFI (?language=configure.php): the server executes the file rather than returning its contents.
This is where the base64 PHP filter gets useful, as we can use it to base64-encode the PHP file, and then we get the encoded source code instead of having it executed and rendered. This is especially useful when we are dealing with an LFI with an appended PHP extension, because we may be restricted to including PHP files only, as discussed in the previous section.
Source Code Disclosure
Here, we can use the PHP filters to read and fetch a resource in base64-encoded format.
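As an added defender-side example (not part of these notes), here is a small Python detector that URL-decodes the query parameters of Apache-style access-log lines and flags the php:// wrapper and filter names discussed above, plus plain ../ traversal; the log lines and IPs are constructed, not real traffic.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=en.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=configure HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dconfigure HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?language=../../../../etc/passwd HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Wrapper scheme and filter names from the PHP manual that signal filter abuse.
WRAPPER_RE = re.compile(r"\bphp://|\bconvert\.base64-(en|de)code\b|\bzlib\.|\bstring\.rot13\b", re.I)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target):
    """Return (finding, parameter_name) pairs for one request target (path + query)."""
    findings = []
    query = urlsplit(target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already decoded once
        if WRAPPER_RE.search(value):
            findings.append(("php_wrapper", name))
        if TRAVERSAL_RE.search(value):
            findings.append(("path_traversal", name))
    return findings

def scan_log(text):
    """Return (client_ip, findings) for every log line carrying a suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((line.split()[0], findings))
    return hits
```

Running scan_log(SAMPLE_LOG) flags the three suspicious requests and leaves the legitimate en.php include alone.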