10/09/2012

Display Content of PHP Files Via LFI Using php://filter

I read this blog post and found a clever idea: retrieving the source code of a PHP file through a local file inclusion (LFI) vulnerability. Thanks to @brutelogic, who seems to be the original creator of this trick.

An LFI vulnerability is where you can supply a file name (or part of it) as a URL parameter, and the PHP script behind that URL responds by reading the file and including it in the page it sends to users.

For example:
a PHP file named "testlfi.php" has content like this
<?php  include($_GET['file']);  ?>
When requesting testlfi.php, we can query it like this

http://localhost/testphp/testlfi.php?file=input.php

This means we pass the "file" parameter with the value "input.php". Therefore "testlfi.php" executes include('input.php') and prints the output of "input.php" to the screen.
The result now looks like this:


Unfortunately, LFI comes from "include", "require", "require_once" or "include_once", which interpret the PHP code inside the included file before displaying its output.
So we cannot see the actual PHP source of the file, only what it outputs.

But!!! There is a way to bypass that process.

Use php://filter/convert.base64-encode/resource=input.php
The php://filter wrapper applies the base64 conversion filter to the bytes of input.php before include() sees them, so include() receives plain base64 text with no PHP tags in it and simply echoes that text instead of executing anything.
So, the full request URL is
http://localhost/testphp/testlfi.php?file=php://filter/convert.base64-encode/resource=input.php
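As an added example (this is not code from the original post), here is the vulnerable include from above placed beside a hardened version. The fix maps a short page key to a fixed file name, so the user-supplied value is only ever used as an array key and never as a path, which keeps php://filter, any other stream wrapper, and ../ traversal away from include(). The file names in the allowlist and the parameter name "page" are assumptions for illustration.

```php
<?php
// Added example: vulnerable include versus an allowlist-based fix.
// The file names in PAGES are hypothetical.

// Vulnerable: whatever arrives in ?file= goes straight into include().
// With "php://filter/convert.base64-encode/resource=input.php", include()
// receives base64 text rather than PHP code, and echoes it verbatim.
function vulnerable_include(string $file): void
{
    include($file);
}

// Hardened: a fixed map from page key to file on disk. The request value
// is only compared against the keys, so no wrapper ("php://...") and no
// traversal ("../") can ever form part of the path handed to include().
const PAGES = [
    'home'  => 'input.php',
    'about' => 'about.php',
];

function safe_include(string $key): void
{
    if (!array_key_exists($key, PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // Anchor the path to this script's directory, not to include_path.
    include(__DIR__ . '/' . PAGES[$key]);
}

// Usage: testlfi.php?page=home  (unknown keys get a 404, not an include)
safe_include($_GET['page'] ?? 'home');
```

One caveat worth knowing when reviewing a fix: turning off allow_url_include in php.ini does not stop this trick, because php://filter is a local wrapper and is not subject to that setting; only keeping user input out of the include path entirely, as above, closes it.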

And the result now becomes:

It is encoded in Base64 format.
It can easily be decoded with a simple Ruby script, or you can use an online Base64 decoder (Google it).
So we can now see the content of the file like this:

I use irb (the interactive Ruby shell) and call the method "unpack" with "m*" as its argument to get the content of the Base64-encoded value.

As you can see from the picture,
the file "input.php" does not just contain the words "Hello World"; it also contains "secret", which is now revealed.