Overview
PHP is a popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world. It is often identified as an underlying language for many websites and is susceptible to various vulnerabilities.
Reconnaissance
Identifying if a website is utilizing PHP can be achieved by using the browsers built-in developer mode (F12
), or by using a number of specialized tools. A couple of examples that have the ability to parse website data to provides a list of underlying technologies are below. They both also have a handy browser plug-in to check technologies on the fly.
Exploitation
PHP, as stated in the overview, is susceptible to a number of vulnerabilities.
Local File Inclusion (LFI) 1
LFI allows an attacker to target a specific vulnerability in PHP to access files or run applications not intended to be executed. By injecting path traversal characters into the URL of a vulnerable server.
Survey application: Identification of the vulnerability can be passively achieved by navigating the target website and looking for an indicator that specifically calls a file or page, such as the example URL below in which the
page=
parameter is calling a file namedcontact.php
.1
https://darkcybe.vuln/?page=contact.php
Attempt variations on input parameters: Once a vulnerable website and target file reference has been identified, the attack can move into an active phase where variations of different parameters can be attempted. As PHP can run on both Windows Server and Linux operating systems, path traversal strings and target files should be crafted to suit. As this is an active phase, activities may be recorded if the victim server is monitoring web logs.
- Windows
C:/WINDOWS/System32/drivers/etc/hosts
- Linux
etc/passwd
- Windows
A more verbose word list containing path traversal strings has been collated by ZSecure for Linux 2 and Windows 3. There are also automated tools such as fimap.
- Exploiting LFI: If input validation was successful in the previous step, LFI can be exploited to access files on the victim host. Another valuable method, however it does require the victim and attacker hosts to be on the same network, is to leverage leverage the ability for remote pages to be loaded whilst Responder is running on the attacker machine to gather NTLMv2 credentials from Windows hosts.
Remote File Inclusion (RFI)
RFI allows an attacker to dynamically reference scripts hosted on an external server and execute them locally.