Add content from: Research Update: Enhanced src/pentesting-web/file-inclusion/...

Author: HackTricks News Bot

src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md

@@ -33,6 +33,7 @@ The loop to generate arbitrary content is:
 
 - [https://github.com/synacktiv/php_filter_chain_generator](https://github.com/synacktiv/php_filter_chain_generator)
 - [**https://github.com/ambionics/wrapwrap**](https://github.com/ambionics/wrapwrap) **(can add suffixes)**
+- [https://github.com/ambionics/lightyear](https://github.com/ambionics/lightyear) (blind file-dump oracle with digit-set jumps)
 
 ## Full script
 
@@ -257,11 +258,24 @@ function find_vals($init_val) {
 ?>
 ```
 
-## More References
+## Advanced Filter Chains in Practice
 
-- [https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
-- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
+### Error-based filter oracles (php_filter_chains_oracle_exploit)
 
+- Chain a memory bomb (e.g., a dozen `convert.iconv.UTF8.UCS-4LE` passes) with `dechunk` so the first leaked base64 digit controls the outcome: if it turns hexadecimal the payload collapses silently, otherwise PHP exhausts memory and throws an error, giving you a 1-bit oracle.
+- Query the oracle repeatedly while iconv shuffles (`convert.iconv.UTF16.UTF16BE`, `convert.iconv.UCS-4LE.UCS-4`, etc.) rotate arbitrary base64 digits to the front, letting you read files byte by byte even when nothing is echoed.
+- Synacktiv's `php_filter_chains_oracle_exploit` automates the chain, keeps payloads GET-safe, and documents the PHP file primitives (file_get_contents, finfo, hash_file, getimagesize, ...) that you can abuse to pivot from LFI to credentials or staged RCE.
+
+### Lightyear digit-set jumps & chunk pruning
+
+- Lightyear builds alternative base64 digit sets via sequences like `convert.iconv.IBM1144.HP-ROMAN8|convert.iconv.IBM1122.IBM1026|convert.iconv.8859_1.IBM037`, turning a chosen digit into a newline; prepend one hexadecimal char, run `dechunk`, and you can jump over arbitrary chunks while keeping payloads URL-length compliant.
+- Instead of swapping bytes repeatedly, Lightyear chains several jumps, tracks safe chunk sizes, and closes each leak with a six-query dichotomy tree that halves the candidate digit set, so large files can be dumped via GET parameters without triggering PHP warnings.
+- The release ships ready-to-run Python tooling: once you control `include()`, aim it at `/etc/passwd`, PHP session stores, or config files, dump them, then fall back to the base64-prepend method above to craft RCE payloads inside `php://temp` or other write-less sinks.
+
+## References
+
+- [Synacktiv – PHP filter chains: file read from error-based oracle](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle)
+- [Lexfo – Introducing lightyear, a new way to dump PHP files](https://blog.lexfo.fr/lightyear-file-dump.html)
 
 {{#include ../../banners/hacktricks-training.md}}