The payload php://filter/read=convert.base64-encode/resource=/root/.aws/credentials is used in Local File Inclusion (LFI) attacks to steal AWS credentials by reading the credentials file and returning its contents Base64-encoded. Attackers exploit improper input sanitization in PHP applications to read sensitive configuration files, here from the root user's home directory. To prevent this, inputs must be sanitized, file paths validated against an allowlist, and the principle of least privilege applied so that the web server process cannot read sensitive directories in the first place.
php://filter: This is a PHP I/O stream wrapper. It lets developers apply filters to a data stream as it is read or written. While useful for legitimate purposes (such as converting character sets), it is frequently abused to bypass security restrictions.

read=convert.base64-encode: This instructs the wrapper to read the target file and Base64-encode its contents. Attackers use this encoding to bypass filters that block specific characters (such as the < or > found in PHP code) and to ensure the file content is returned as a printable string rather than being executed by the server.

resource=/root/.aws/credentials: This specifies the target file. The path /root/.aws/credentials is the default location of the AWS CLI credentials file for the root user on a Linux system. If the application runs with high privileges or in a misconfigured environment, reading this file can expose access key IDs and secret access keys.

Attackers often double URL-encode this payload (%252F for /) to bypass security filters (WAFs) that scan for malicious strings. The payload php://filter/read=convert
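As an added example that is not part of the original text, the following Python detector shows how a log-review or WAF rule should handle the double-encoding trick: it percent-decodes each request's query string until it stops changing, then matches the normalized value against the payload components described above. The log lines, the IP addresses, and the MAX_DECODE_ROUNDS and SENSITIVE_PATHS values are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original page), in a simplified
# 'CLIENT "METHOD PATH PROTO" STATUS' layout; the last two carry the same payload
# single- and double-URL-encoded.
SAMPLE_LOG_LINES = [
    '10.0.0.5 "GET /index.php?page=about HTTP/1.1" 200',
    '10.0.0.7 "GET /index.php?page=php://filter/read=convert.base64-encode'
    '/resource=/root/.aws/credentials HTTP/1.1" 200',
    '10.0.0.9 "GET /index.php?page=php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode'
    '%2Fresource%3D%2Froot%2F.aws%2Fcredentials HTTP/1.1" 200',
    '10.0.0.9 "GET /index.php?page=php%253A%252F%252Ffilter%252Fread%253Dconvert.'
    'base64-encode%252Fresource%253D%252Froot%252F.aws%252Fcredentials HTTP/1.1" 403',
]

MAX_DECODE_ROUNDS = 3                     # assumption: deeper nesting is not expected
SENSITIVE_PATHS = ("/.aws/credentials",)  # extend with your own environment's secrets
SIGNATURES = (("php_filter_wrapper", "php://filter"),
              ("base64_read_filter", "convert.base64-encode"))
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')
RESOURCE_RE = re.compile(r'resource=([^&\s"]+)')


def normalize(value, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode until stable (so %252F and %2F both become '/') and
    lower-case; returns (normalized value, number of decode rounds needed)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value.lower(), rounds


def inspect_request(line):
    """Return a finding dict for one log line, or None when nothing matched."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    norm, rounds = normalize(match.group(1).partition("?")[2])
    findings = [name for name, needle in SIGNATURES if needle in norm]
    resource = RESOURCE_RE.search(norm)
    if resource and any(p in resource.group(1) for p in SENSITIVE_PATHS):
        findings.append("sensitive_resource")
    if rounds >= 2:  # the %252F-style WAF evasion described in the text
        findings.append("double_url_encoding")
    if not findings:
        return None
    return {"client": line.split(" ", 1)[0], "decode_rounds": rounds, "findings": findings}
```

Matching after normalization rather than on the raw request is what makes the double-encoded variant visible; the decode-round count is itself a useful signal, since legitimate clients rarely nest encodings.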