This input appears to be a Local File Inclusion (LFI) payload targeting a web application running on PHP. Specifically, it exploits PHP's php://filter wrapper to read sensitive files from the server.
Breaking Down the URL
Instead of loading a standard page like contact.php, the server processes the filter and dumps the encoded AWS keys directly onto the screen.
How to Prevent This Attack
.aws/credentials.
.aws/credentials file, they can obtain sensitive AWS credentials, which can be used to compromise AWS resources.
The convert.base64-encode parameter may seem like an attempt to obfuscate the output, but it's easily reversible. An attacker can simply decode the Base64 output to obtain the sensitive information.
Conclusion
| Payload variant | Purpose |
|----------------|---------|
| php://filter/convert.base64-encode/resource=/etc/passwd | Read system users |
| php://filter/convert.base64-encode/resource=/var/www/html/config.php | Read DB passwords |
| php://filter/convert.base64-encode/resource=/proc/self/environ | Read process env vars (may leak API keys) |
| expect://id | Code execution (if expect module loaded) |

Arbitrary File Read: The URL allows an
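
A request-side detection check for the wrapper payloads in the table above, run over constructed access-log lines. This is an added example, not part of the original page; the `/index.php` path, the `page` parameter and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Wrapper schemes taken from the payload table above.
WRAPPER_RE = re.compile(r"(php://filter|expect://)", re.IGNORECASE)
RESOURCE_RE = re.compile(r"resource=([^|&\s]+)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; /index.php and the "page" parameter are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=contact.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=php://filter/'
    'convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?page=php%253A%252F%252Ffilter'
    '%252Fconvert.base64-encode%252Fresource%253D%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 900',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?page=expect://id HTTP/1.1" 200 64',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict for one access-log line, or None if it is clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # parse_qsl already decodes once; fully_decode handles the extra layers.
    for name, raw in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        value = fully_decode(raw)
        hit = WRAPPER_RE.search(value)
        if hit:
            res = RESOURCE_RE.search(value)
            return {"param": name, "wrapper": hit.group(1).lower(),
                    "resource": res.group(1) if res else None}
    return None

def scan_log(lines):
    """Return (line_number, finding) pairs for every flagged line."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := scan_line(line))]

if __name__ == "__main__":
    for n, finding in scan_log(SAMPLE_LOG):
        print(n, finding)
```

A hit on a request that returned 200 is worth correlating with the response size, since a Base64-encoded file body is larger than the normal page.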