Merge d658aa026a into b245d3cbdd

Mkdocs accessibility and search improvement
Adding `file://` wrapper
2024-05-09 20:06:17 +02:00 · 2024-04-22 15:11:34 +02:00 · 2024-04-15 21:20:02 +02:00 · 2024-02-24 19:52:40 +01:00
2 changed files with 19 additions and 3 deletions
--- a/Inclusion/README.md
+++ b/Inclusion/README.md
@ -151,6 +151,14 @@ When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still pos

 ## LFI / RFI using wrappers

+### Wrapper file://
+It is possible to use the [`file://`]([url](https://www.php.net/manual/en/wrappers.file.php)) wrapper in order to read file inside allowed paths (if `open_basedir` restriction in effect).
+
+```shell
+http://example.com/index.php?filename=file://localhost/var/www/html/secured_extranet/panel/security.php
+```
+Note that using `localhost` above bypasses `file:///` filtering.
+
 ### Wrapper php://filter

 The part "`php://filter`" is case insensitive
@ -623,4 +631,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
 * [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
 * [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
 * [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
-* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
+* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -2,12 +2,17 @@ site_name: Payloads All The Things
 site_description: 'Payloads All The Things, a list of useful payloads and bypasses for Web Application Security'
 site_url: https://swisskyrepo.github.io/PayloadsAllTheThings

+repo_url: https://github.com/swisskyrepo/PayloadsAllTheThings/
+edit_uri: blob/master/
+
 # copyright: © 2016 PATT
 # logo: 'images/site_logo.png'
 # favicon: 'images/favicon.png'

 theme:
  name: material
+  color_mode: auto
+  user_color_mode_toggle: true
  icon:
    repo: fontawesome/brands/github
  palette:
@ -27,8 +32,13 @@ theme:

  features:
    - content.code.copy
+    - content.action.edit
+    - content.action.view
+    - content.tooltips
    - navigation.tracking
    - navigation.top
+    - search.share
+    - search.suggest
    # - toc.integrate
    # - navigation.path

@ -52,8 +62,6 @@ markdown_extensions:
      emoji_index: !!python/name:material.extensions.emoji.twemoji
      emoji_generator: !!python/name:material.extensions.emoji.to_svg

-repo_url: https://github.com/swisskyrepo/PayloadsAllTheThings/
-edit_uri: edit/master/
 plugins:
  - search
  - git-revision-date-localized
Author	SHA1	Message	Date
n3rada	52ee755ff2	Merge `d658aa026a` into `b245d3cbdd`	2024-04-22 15:11:34 +02:00
Swissky	b245d3cbdd	Mkdocs accessibility and search improvement	2024-04-15 21:20:02 +02:00
n3rada	d658aa026a	Adding `file://` wrapper	2024-02-24 19:52:40 +01:00