PHP wrappers

What are PHP wrappers?

PHP wrappers are used to encode different PHP streams. Whenever you access a webpage the data is sent to you as a stream as opposed to downloading the entire file first before opening it. Utilizing streams is a way for PHP to save on bandwidth, time and memory. A wrapper can be used to tell the stream how to handle specific protocols encoding. So instead outputing the output with its default encoding a wrapper can be used to encode the stream with say base64 encoding instead. This post will focus on using PHPs base64 encode wrapper.

The scenario

Say you have enumerated a website and found a local file inclusion vulnerability. You have enumerated the server version, plugins operating etc and found where the database configuration file is located. However the file is a PHP file so although you can access it via LFI you are unable to read the source code as it is interpreted by the web server.

Example:

 

As you can see accessing the file yields no results as the server is interpreting the PHP file.
This is where a php wrapper comes in handy. Because the wrapper encodes the source code the server does not interpret the file but instead outputs the encoded stream instead. IE: The source code encoded with base64.
Normal LFI
http://192.168.1.50/dvwa/vulnerabilities/fi/?page=C:/inetpub/wwwroot/dvwa/config/config.inc.php
PHP base64 wrapper
http://192.168.1.50/dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=C:/inetpub/wwwroot/dvwa/config/config.inc.php

Note the base64 encoded string at the top of the page.

 

 

The line is too long to read off the page as is so looking at the source code reveals the entire string.

 

Kali comes with an inbuilt base64 encoder/decoder so it is just a matter of echoing the string to console and piping it into the base64 function with the decode switch of -d.