Php Filter Chains Oracle Exploit Save

A CLI to exploit parameters vulnerable to PHP filter chain error based oracle.

Project README

PHP filter chains: file read from error-based oracle

A CLI to exploit parameters affected by the file read caused by the the error-based oracle of PHP filter chains. It can be used to leak the content of a local file when passed to vulnerable functions, such as file(), hash_file(), file_get_contents() or copy(), even when the server does not return the file content!

As long as an action is performed on a file content and the full URI is controlled, the function can be affected by the php://filter wrapper, and therefore exploited by this tool. More information in our blogpost:

The trick was first discovered and disclosed as a challenge by @hash_kitten during the DownUnderCTF 2022.


By default, the tool requires the parameters target (targeted URL), file (the local file to leak) and parameter (parameter where you want to inject). Several other options can be defined and are detailed here:

$ python3 --help
usage: [-h] --target TARGET --file FILE --parameter PARAMETER [--data DATA] [--headers HEADERS] [--verb VERB] [--proxy PROXY] [--in_chain IN_CHAIN]
                                       [--time_based_attack TIME_BASED_ATTACK] [--delay DELAY]

        Oracle error based file leaker based on PHP filters.
        Author of the tool : @_remsio_
        Trick firstly discovered by : @hash_kitten
        $ python3 --target --file '/test' --parameter 0   
        [*] The following URL is targeted :
        [*] The following local file is leaked : /test
        [*] Running POST requests
        [+] File /test leak is finished!
        b"Hello from Synacktiv's blogpost!\n"

optional arguments:
  -h, --help            show this help message and exit
  --target TARGET       URL on which you want to run the exploit.
  --file FILE           Path to the file you want to leak.
  --parameter PARAMETER
                        Parameter to exploit.
  --data DATA           Additionnal data that might be required. (ex : {"string":"value"})
  --headers HEADERS     Headers used by the request. (ex : {"Authorization":"Bearer [TOKEN]"})
  --verb VERB           HTTP verb to use POST(default),GET(~ 135 chars by default),PUT,DELETE
  --proxy PROXY         Proxy you would like to use to run the exploit. (ex :
  --in_chain IN_CHAIN   Useful to bypass weak strpos configurations, adds the string in the chain. (ex : KEYWORD)
  --time_based_attack TIME_BASED_ATTACK
                        Exploits the oracle as a time base attack, can be improved. (ex : True)
  --delay DELAY         Set the delay in second between each request. (ex : 1, 0.1)


Other features may be added to the tool, feel free to contribute if you have ideas!

Open Source Agenda is not affiliated with "Php Filter Chains Oracle Exploit" Project. README Source: synacktiv/php_filter_chains_oracle_exploit
Open Issues
Last Commit
6 months ago

Open Source Agenda Badge

Open Source Agenda Rating