
Local File Inclusion (LFI)

The string you provided, php://filter/read=convert.base64-encode/resource=/root/.aws/credentials, is a common payload used in attacks. It leverages PHP wrappers to extract sensitive configuration files from a server.

Methodology:

The payload uses PHP's wrapper (php://filter) to read a local file, specifically targeting the AWS credentials file (/root/.aws/credentials).

php://filter

: This is a meta-wrapper that lets filters be applied to a stream at the time it is opened. Developers commonly use it for data transformation (such as converting characters to upper or lower case) during file reads.

How to Prevent LFI and Credential Leaks

Input Sanitization

: Use functions like basename() to ensure users cannot navigate through directories using ../ or wrappers.
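As an added example (not code from the original page), a vulnerable include beside a hardened version that applies the basename() advice above together with an allowlist and a directory check; the templates directory and the page names are assumptions.

```php
<?php
// Added example, not from the original page. The templates directory and
// the allowed page names below are assumptions.

// VULNERABLE: the raw request parameter reaches include(), so a wrapper
// such as php://filter/... or a ../ traversal path is accepted as-is.
function render_unsafe(string $page): void
{
    include $page;
}

// HARDENED: reduce the value to a bare file name, accept only known pages,
// and confirm the resolved path stays inside the templates directory.
function render_safe(string $page): void
{
    $templateDir = realpath(__DIR__ . '/templates'); // assumed layout
    $allowed = ['home', 'about', 'contact'];          // assumed page names

    // basename() keeps only the last path component, discarding any
    // "../" sequences and any "php://filter/..." wrapper prefix.
    $name = basename($page, '.php');

    if (!in_array($name, $allowed, true)) {
        http_response_code(404);
        return;
    }

    // realpath() returns false for a missing file; the prefix comparison
    // rejects anything that still resolves outside the directory (symlinks).
    $path = realpath($templateDir . '/' . $name . '.php');
    $prefix = $templateDir . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(404);
        return;
    }

    include $path;
}

render_safe($_GET['page'] ?? 'home');
```

With this check, the payload from the page reduces to the name "credentials", which is not in the allowlist and is rejected before any file is opened.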

Result:

The server returns the contents of the credential file encoded in base64, which is then decoded to get the plaintext credentials.