BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//hack-lu-2023//speaker//GDCJDQ
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-hack-lu-2023-PL3P7Y@pretalx.com
DTSTART;TZID=CET:20231018T164500
DTEND;TZID=CET:20231018T171500
DESCRIPTION:Local file inclusion methods in PHP evolved through time\, ther
 e are 2 main objectives when exploiting them:\n - Getting a remote code ex
 ecution by including files containing PHP via include() or require() funct
 ions.\n - Leak local files such as PHP sources or configuration files via 
 file_get_contents() or file() functions for example.\n \nIn the past\, the
  following requirements had to be met to exploit a local file inclusion.\n
  To exploit a remote code execution you could inject information in log fi
 les and include them\, or control a variable in your PHP session to poison
  the session file. But in most cases\, you needed to be able to upload a f
 ile on the system.\n \n To leak local files\, it was required to either fu
 lly control the path pointing to the file to leak\, or to have a path trav
 ersal to go up in the file tree. Most importantly\, it was mandatory for t
 he server to send you back its content in the response.\n \nIn both cases\
 , the affected functions support several wrappers\, the most iconic being 
 file:// which is a prefix before a file path. Other wrappers such as php:/
 /filter can be passed on these methods and for example it was well known t
 o allow leaking PHP sources by base64 encoding them (ex : php://filter/con
 vert.base64-encode/resource=index.php). \n\n In a 2021 CTF write-up by lok
 nop\, this wrapper was actually proven to be much more useful. Indeed\, i
 t allows setting the encoding of contents passing through it\, and most im
 portantly to chain an infinite number of encodings leading to the generati
 on of arbitrary data at the start of a file. In this presentation\, the fu
 ll process will be explained with examples allowing\, for instance\, to ge
 nerate interesting prefixes to a file content\, such as '<?php system("id"
 )\; ?>'\, therefore removing the need to have a file upload when exploitin
 g include() or require() functions to get remote code execution (if the fu
 ll path is controlled).\n \nIn 2022\, hash_kitten showed that it was also 
 possible to use PHP filter chains as an error-based oracle when used in m
 an
 y built-in functions\, such as file_get_contents(). Its method chains enco
 dings that will make the content size of a file exponential\, triggering a
  PHP memory_limit exhaustion. By using other filters\, the first character
  of the file content can also be determined. By using other encodings it i
 s also possible to rotate the chain order to retrieve characters that are 
 located further away in the content.\n\n Using this error-based oracle\, i
 t is therefore possible to leak the entire file content without having PHP
  to serve it in a server response.
DTSTAMP:20260421T232032Z
LOCATION:Salle Europe
SUMMARY:PHP filter chains: How to use it - Rémi Matasse
URL:https://pretalx.com/hack-lu-2023/talk/PL3P7Y/
END:VEVENT
END:VCALENDAR
