Display Content of PHP Files Via LFI Using php://filter

I read this blog post and found a clever idea for retrieving the source code of a PHP file using a local file inclusion (LFI) vulnerability. Thanks to @brutelogic, who seems to be the original creator of this trick.

An LFI vulnerability is where you can supply a file name (or part of it) in the URL as a parameter, and the PHP script behind that URL responds by reading the file out to the user.

For example:
A PHP file named "testlfi.php" has content like this:
<?php  include($_GET['file']);  ?>
When requesting testlfi.php, we can query it like this:


This means we pass the "file" parameter with the value "input.php". Therefore, "testlfi.php" executes "include('input.php')" and prints the output of "input.php" to the screen.
The result is now like this:

Unfortunately, LFI arises from using "include", "require", "require_once" or "include_once", which execute any PHP code inside the included file and display only its output.
So we cannot see the actual PHP source of the file.

But!!! There is a way to bypass that process.

Use php://filter/convert.base64-encode/resource=input.php as the value of the "file" parameter.
So, the full request URL is:

And the result now becomes:

It is encoded in Base64.
It can easily be decoded with a simple Ruby script, or you can use an online Base64 decoder (Google it).
So we can now see the content of the file like this:

I use irb (the interactive Ruby shell) and call the method "unpack" with "m*" as its argument to get the content of the Base64-encoded value.

As you can see from the picture, the file "input.php" does not just contain the words "Hello World"; it also contains "secret", which is now revealed.
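
To spot this technique on the defensive side, here is an added example (not part of the original post) that scans web access logs for php://filter values in query parameters. The log lines are constructed, a combined-style access log format is assumed, and the scanner goes slightly beyond the post by also undoing percent-encoding and double encoding before matching.

```ruby
require "uri"

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /testlfi.php?file=input.php HTTP/1.1" 200 11
  10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /testlfi.php?file=php://filter/convert.base64-encode/resource=input.php HTTP/1.1" 200 64
  10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /testlfi.php?file=PHP%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dconfig.php HTTP/1.1" 200 212
  10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /testlfi.php?file=php%253A%252F%252Ffilter%252Fresource%253Dinput.php HTTP/1.1" 200 64
LOG

REQUEST_RE = /\A(\S+) .*?"[A-Z]+ (\S+) HTTP/   # client address, request target
WRAPPER_RE = %r{\Aphp://filter/(.*)}i          # matched case-insensitively

# Percent-decode until the value stops changing, so double-encoded
# values are inspected in the form the application may end up seeing.
def fully_decode(value, max_rounds = 3)
  max_rounds.times do
    decoded = URI.decode_www_form_component(value)
    return decoded if decoded == value
    value = decoded
  end
  value
rescue ArgumentError # malformed %-escape: keep what was decoded so far
  value
end

# Returns one finding per query parameter whose value is a php://filter stream.
def find_filter_wrapper_requests(log_text)
  findings = []
  log_text.each_line do |line|
    m = REQUEST_RE.match(line) or next
    client, target = m[1], m[2]
    query = target.split("?", 2)[1] or next
    query.split("&").each do |pair|
      name, raw = pair.split("=", 2)
      next if raw.nil?
      wrapper = WRAPPER_RE.match(fully_decode(raw)) or next
      findings << {
        client: client,
        param: name,
        resource: wrapper[1][/resource=(.*)\z/, 1],   # file that was requested
        base64: wrapper[1].downcase.include?("convert.base64-encode")
      }
    end
  end
  findings
end

find_filter_wrapper_requests(SAMPLE_LOG).each { |finding| puts finding }
```

The "resource" field tells a responder which file's source may have been disclosed, so any secrets in that file can be rotated.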


  1. The php wrapper trick needs php.ini to set allow_url_include = On, "I think",
    which is pretty hard to find.
