When you find a Local File Inclusion (LFI) vulnerability in an application running PHP, you can leverage a PHP wrapper to convert the included file to Base64, which you can then decode on your own machine to view the source code of the page.
In this example, we’ll be using FRIENDZONE on HackTheBox.
Confirming LFI on our example
At the following URL, we found that we have LFI capabilities on the ?pagename parameter: https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login
If we adjust ?pagename to the name of a PHP page that exists on the box, it will display that page beneath the “Something wen worng” text. For example, let’s view the contents of a PHP page named timestamp.php.
Using Base64 Encoding to View Source Code
We can specify the following PHP Wrapper to encode a file in Base64.
Let’s inject that into our LFI and specify the file we want to view the contents of (login.php).
Now, let’s copy that returned Base64 and run the following command within Kali.
echo -n <Base64> | base64 -d
The results show us the source code of login.php! We could also rerun the above command with > login.php appended to save our own file.
That’s it! Super simple.
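From the defender's side, a Base64 wrapper request against ?pagename stands out in web server logs once the parameter is fully URL-decoded. The following is an added example, not part of the original post: the log lines are constructed, a combined-style access log is assumed, and `fully_decode`, `inspect_line` and `scan` are hypothetical helper names.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (documentation IPs, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=login HTTP/1.1" 200 412',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=timestamp HTTP/1.1" 200 431',
    '192.0.2.77 - - [01/Jan/2024:10:02:11 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=login HTTP/1.1" 200 1893',
    '192.0.2.77 - - [01/Jan/2024:10:02:40 +0000] "GET /dashboard.php?image_id=a.jpg&pagename=php%253A%252F%252Ffilter%252Fconvert.base64-encode%252Fresource%253Dlogin HTTP/1.1" 200 1893',
]

# Stream-wrapper schemes that PHP can resolve inside include()/require().
WRAPPER_RE = re.compile(r"\b(php|data|expect|zip|phar|file|glob)://", re.I)
# The specific pattern from this page: php://filter with the Base64 encoder.
B64_FILTER_RE = re.compile(r"php://filter/.*convert\.base64-encode", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding (%2570 -> %70 -> p), bounded by max_rounds."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line, param="pagename"):
    """Return (decoded_value, verdict) for one log line, or None if param is absent."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    query = urlsplit(match.group(1)).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        if name != param:
            continue
        value = fully_decode(raw)  # parse_qsl already removed one encoding layer
        if B64_FILTER_RE.search(value):
            return value, "base64-source-read"
        if WRAPPER_RE.search(value):
            return value, "stream-wrapper"
        return value, "ok"
    return None

def scan(lines, param="pagename"):
    """Verdict per line that carries the parameter, in input order."""
    results = (inspect_line(line, param) for line in lines)
    return [r[1] for r in results if r is not None]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_line(line))
```

The same check works as a request-time guard, but the durable fix is to map ?pagename onto a fixed allowlist of page names so user input never reaches include() as a path.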