# PHP PHP is a popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world. It is often identified as an underlying language for many websites and is susceptible to various vulnerabilities. ## Reconnaissance Identifying if a website is utilizing PHP can be achieved by using the browsers built-in developer mode (`F12`), or by using a number of specialized tools. A couple of examples that have the ability to parse website data to provides a list of underlying technologies are below. They both also have a handy browser plug-in to check technologies on the fly. * [Wappalyzer](https://www.wappalyzer.com/) * [Built With](https://builtwith.com/) ## Exploitation PHP, as stated in the overview, is susceptible to a number of vulnerabilities. ### Local File Inclusion (LFI) LFI allows an attacker to target a specific vulnerability in PHP to access files or run applications not intended to be executed. By injecting path traversal characters into the URL of a vulnerable server. 1. **Survey application:** Identification of the vulnerability can be passively achieved by navigating the target website and looking for an indicator that specifically calls a file or page, such as the example URL below in which the `page=` parameter is calling a file named `contact.php`. ``` https://darkcybe.vuln/?page=contact.php ``` 2. **Attempt variations on input parameters:** Once a vulnerable website and target file reference has been identified, the attack can move into an active phase where variations of different parameters can be attempted. As PHP can run on both Windows Server and Linux operating systems, path traversal strings and target files should be crafted to suit. As this is an active phase, activities may be recorded if the victim server is monitoring web logs. * Windows * `C:/WINDOWS/System32/drivers/etc/hosts` * Linux * `etc/passwd` A more verbose word list containing path traversal strings has been collated by ZSecure for Linux and Windows. There are also automated tools such as [fimap](https://github.com/kurobeats/fimap). 1. **Exploiting LFI:** If input validation was successful in the previous step, LFI can be exploited to access files on the victim host. Another valuable method, however, it does require the victim and attacker hosts to be on the same network, is to leverage leverage the ability for remote pages to be loaded whilst [Responder](https://darkcybe.github.io/posts/Responder/) is running on the attacker machine to gather NTLMv2 credentials from Windows hosts. ### Remote File Inclusion (RFI) RFI allows an attacker to dynamically reference scripts hosted on an external server and execute them locally. ## Sources 1. [Darkcybe - CAPEC 252-PHP LFI](#local-file-inclusion-lfi) 2. [ZSecure - Linux: Path Traversal/LFI Wordlist](https://zsecure.uk/blog/linux-path-traversal-lfi-wordlist/) 3. [ZSecure - Windows: Path Traversal/LFI Wordlist](https://zsecure.uk/blog/windows-path-traversal-lfi-wordlist/) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://darkcybe.gitbook.io/darkcybe/offensive-security-operations/penetration-testing/techniques/technology-focused/web/php.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.