Chaining LFI and PHP Filter Bypasses to Extract Remote PostgreSQL Credentials


These articles are AI-generated summaries. Please check the original sources for full details.

Challenge Overview

The JerseyCTF 6 ‘my-cool-blog’ challenge demonstrates the critical danger of improper input validation in PHP applications. By exploiting a single vulnerable file parameter, attackers can chain directory traversal with PHP filter wrappers to bypass security logic. This specific exploit resulted in the full disclosure of PostgreSQL credentials and a complete database dump.

Why This Matters

While theoretical security models emphasize robust input sanitization, this scenario illustrates the gap between simple string-based filtering and the actual capabilities of the PHP engine. The developer attempted to block sensitive strings like ‘pg_connect’ with a content filter, but did not account for the ‘php://filter’ wrapper, which transforms the file as it is read, before the security check is applied: the check inspects a Base64-encoded stream in which the literal ‘pg_connect’ never appears. It also shows that security through obscurity, such as Base64-encoding the filter strings themselves, is ineffective against standard technical enumeration.

Furthermore, the exposure of a PostgreSQL port (5432) directly to the public internet on an AWS EC2 instance represents a severe infrastructure misconfiguration. In production environments, database access should be restricted to internal VPC traffic. The combination of local file inclusion (LFI) and a publicly reachable database creates a high-signal attack path that leads to total data compromise with minimal effort.
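To make the bypass concrete from the defender's side, here is an added example (not code from the challenge or its author) of a minimal view-post.php handler that reproduces the keyword blacklist described above, next to a hardened handler that allow-lists the parameter and resolves it against a fixed directory. The posts/ and includes/ files, the posts directory location and the placeholder credentials are all constructed for this demo.

```php
<?php
// Added example, not code from the challenge: a flawed view-post.php handler
// that mirrors the blacklist described above, next to a hardened one.
// The posts/ and includes/ files are constructed here in a temp directory.

// Flawed: opens whatever the user supplied, then checks the *contents* for a
// keyword. php://filter/convert.base64-encode hands back the source already
// Base64-encoded, so str_contains() never sees the literal 'pg_connect'.
function view_post_flawed(string $file): string
{
    $contents = @file_get_contents($file);       // honours ../ and php:// wrappers
    if ($contents === false) {
        return 'not found';
    }
    if (str_contains($contents, 'pg_connect')) { // keyword blacklist
        return 'forbidden';
    }
    return $contents;
}

// Hardened: allow-list the parameter shape, then confirm the canonical path
// stays inside the posts directory. Wrappers and traversal never reach the
// filesystem, and the decision does not depend on what the file contains.
function view_post_hardened(string $file, string $postsDir): string
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.md$/', $file)) {  // no '/', no ':', no '..'
        return 'forbidden';
    }
    $base = realpath($postsDir);
    $path = realpath($postsDir . '/' . $file);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return 'not found';
    }
    return file_get_contents($path);
}

// --- demo on constructed files (placeholder credentials, not real ones) ---
$tmp = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$tmp/posts", 0700, true);
mkdir("$tmp/includes", 0700, true);
file_put_contents("$tmp/posts/hello.md", "# Hello\n");
file_put_contents("$tmp/includes/db.inc",
    "<?php\n\$db = pg_connect('host=DB_HOST_PLACEHOLDER user=USER_PLACEHOLDER password=PASSWORD_PLACEHOLDER');\n");
chdir($tmp);

$inputs = [
    'hello.md',                                                    // hardened handler's intended input
    'posts/hello.md',                                              // flawed handler's intended input
    'includes/db.inc',                                             // plaintext read: blacklist catches it
    'php://filter/convert.base64-encode/resource=includes/db.inc', // payload from the write-up
    '../../etc/passwd',                                            // traversal from the write-up
];
foreach ($inputs as $in) {
    $flawed   = str_replace("\n", ' ', view_post_flawed($in));
    $hardened = str_replace("\n", ' ', view_post_hardened($in, "$tmp/posts"));
    printf("%-62s flawed: %-24s hardened: %s\n", $in, substr($flawed, 0, 24), substr($hardened, 0, 24));
}

// Clean up the constructed files.
chdir(sys_get_temp_dir());
foreach (["$tmp/posts/hello.md", "$tmp/includes/db.inc"] as $f) { unlink($f); }
foreach (["$tmp/posts", "$tmp/includes", $tmp] as $d) { rmdir($d); }
```

Running this with PHP 8 shows the flawed handler refusing the plaintext includes/db.inc but returning the Base64 stream for the php://filter form, while the hardened handler rejects every input that is not a plain post name. The important design choice is that the hardened version decides on the parameter's shape and canonical location, never on the file's contents, so no encoding applied by a stream wrapper can change the outcome.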

Key Insights

  • Directory Traversal via the file parameter was confirmed by reading /etc/passwd on an Apache 2.4.63 Ubuntu server.
  • PHP’s ‘php://filter’ wrapper allows reading source code in Base64 format, bypassing server-side execution and str_contains content filters (JerseyCTF 6, 2026).
  • Security-through-obscurity failed when a developer-side Base64 check for ‘pg_connect’ (cGdfY29ubmVjdA==) was bypassed by encoding the entire stream in memory.
  • Infrastructure reconnaissance via nmap -sV identified a publicly accessible PostgreSQL DB (version 18.0–18.2) on port 5432.
  • PostgreSQL credentials for the ‘blog_web’ user were successfully extracted from an includes/db.inc file using the PHP filter bypass.

Working Examples

Payload used to bypass content filters and extract the Base64-encoded database configuration file.

http://my-cool-blog.aws.jerseyctf.com/view-post.php?file=php://filter/convert.base64-encode/resource=includes/db.inc

Command used to connect to the remote PostgreSQL database once credentials were recovered.

psql -h my-cool-blog.aws.jerseyctf.com -U blog_web -d blog

SQL query executed within the psql environment to retrieve the challenge flag.

SELECT * FROM flag;

Practical Applications

  • Use Case: Implementing strict allow-lists for file inclusion in PHP systems to prevent arbitrary directory traversal.
  • Pitfall: Relying on keyword blacklists (like pg_connect) to secure source code, which is easily bypassed by PHP stream wrappers.
  • Use Case: Configuring AWS Security Groups to restrict database ports (5432) to specific internal IP ranges or security groups.
  • Pitfall: Leaving PHP display_errors enabled, which leaks absolute server paths like /opt/server/ to potential attackers.
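As an added detection-side example (not part of the write-up), the script below scans Apache access-log lines for requests to view-post.php whose file parameter carries a stream wrapper, a traversal segment, an absolute path or a null byte, decoding the value before matching so that URL-encoded forms normalize to the same string. The log lines are constructed for the demo; only the view-post.php path and the file parameter name come from the challenge.

```php
<?php
// Added example (not part of the write-up): flag LFI-style requests to
// view-post.php in Apache access logs. The `file` parameter name comes from
// the challenge; the log lines below are constructed for this demo.

function lfi_indicators(string $value): array
{
    // Decode up to three times so URL-encoded or double-encoded forms normalize.
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    $hits = [];
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
        $hits[] = 'stream wrapper';        // e.g. php://filter
    }
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) {
        $hits[] = 'directory traversal';   // ../ or ..\ segments
    }
    if ($value !== '' && ($value[0] === '/' || preg_match('#^[a-z]:[\\\\/]#i', $value))) {
        $hits[] = 'absolute path';
    }
    if (str_contains($value, "\0")) {
        $hits[] = 'null byte';
    }
    return $hits;
}

function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"#', $line, $m)) {
            continue;
        }
        $target = $m[1];
        $q = strpos($target, '?');
        if ($q === false) {
            continue;
        }
        parse_str(substr($target, $q + 1), $params); // decodes once, splits each pair on its first '='
        $file = $params['file'] ?? null;
        if (!is_string($file)) {
            continue;
        }
        $hits = lfi_indicators($file);
        if ($hits !== []) {
            $findings[] = ['line' => $i + 1, 'file' => $file, 'indicators' => $hits];
        }
    }
    return $findings;
}

// Constructed sample lines in Apache combined format.
$sample = [
    '203.0.113.5 - - [14/Mar/2026:10:00:01 +0000] "GET /view-post.php?file=hello.md HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2026:10:00:07 +0000] "GET /view-post.php?file=../../../../etc/passwd HTTP/1.1" 200 2031 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2026:10:00:12 +0000] "GET /view-post.php?file=php://filter/convert.base64-encode/resource=includes/db.inc HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2026:10:00:20 +0000] "GET /view-post.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2031 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Mar/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample) as $f) {
    printf("line %d: file=%s [%s]\n", $f['line'], $f['file'], implode(', ', $f['indicators']));
}
```

The first and last sample lines produce no finding; the traversal, php://filter and URL-encoded traversal lines are each reported with the matching indicator. In a real deployment the same logic would run over the live access log or a SIEM feed, and a hit on a 200 response with a large body size, as in the constructed db.inc line, is the signal worth paging on.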
