Analyzing phpinfo Vulnerabilities for Operational Insights
Leveraging phpinfo Exposures for Security Analysis
System Information
A reachable phpinfo() page discloses detailed system specifications that are useful for planning further interaction with the host, for example operating system and server details.
Directory Settings
The extension_dir value shown by phpinfo() reveals the path to the PHP extensions. Security reviews should evaluate such exposures, because they give insight into file structures that are potentially subject to exploitation.
Network Properties
HTTP headers such as HTTP_X_REAL_IP and HTTP_X_FORWARDED_FOR carry client IP data. In misconfigured environments phpinfo() may expose these values, which bypasses the proxy layers and directly identifies client sources.
Temporary File Handling
When files are uploaded through PHP, the temporary file location can be inferred from the phpinfo() output. Exploits sometimes attempt to replace the temporary contents interactively by leveraging timing vulnerabilities inherent in file handling, which allows execution of arbitrary payloads.
Example Python snippet:
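import re
import requests

# Upload a file to the phpinfo() page; the handle is closed once the request completes
with open("payload.txt", "rb") as fh:
    response = requests.post("http://target-host/phpinfo.php", files={"file": fh}, timeout=10)

# phpinfo() echoes the upload's tmp_name entry, which holds the temporary file path
temp_path = re.search(r"tmp_name] => (\/tmp\/.+)\n", response.text)
if temp_path:
    print("Temporary file path:", temp_path.group(1))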
Configuration Parameters Related to Security
allow_url_include
Hosts with allow_url_include enabled are vulnerable to remote include attacks. This can undermine web application integrity by enabling the inclusion of malicious remote scripts.
disable_functions
The disable_functions list shown in phpinfo() should be reviewed to verify that commonly restricted functions (exec, system, etc.) are listed and that PHP command execution is adequately locked down.
Example of bypass attempt:
<?php
// proc_open stays callable when only exec and system are listed in disable_functions
proc_open('ls -la', array(array('pipe', 'r'), array('pipe', 'w'), array('pipe', 'w')), $pipes);
?>
Analysis of these parameters provides insight into potential security hardening or misconfigurations.
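One way to run that review on your own hosts, as an added example that is not code from the original page: it parses the text output of `php -i` and flags the allow_url_include and disable_functions settings discussed above. The function names, the sample output and every entry in EXEC_FUNCS beyond exec, system and proc_open are assumptions made for this example.

```python
# Command-execution functions a hardened disable_functions list is expected to cover.
# exec, system and proc_open appear on this page; the other names are an assumed baseline.
EXEC_FUNCS = {"exec", "system", "proc_open", "passthru", "shell_exec", "popen"}

# Constructed sample in the "directive => local value => master value" layout of `php -i`.
SAMPLE = """\
System => Linux web01 5.15.0 x86_64
allow_url_include => On => On
disable_functions => exec,system,passthru => exec,system,passthru
extension_dir => /usr/lib/php/20210902 => /usr/lib/php/20210902
"""


def parse_php_i(text):
    """Return {directive: local value} for every 'name => value' line."""
    settings = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" => ")]
        if len(parts) >= 2 and parts[0]:
            settings[parts[0]] = parts[1]
    return settings


def audit(settings):
    """Return a list of findings for the security-relevant directives."""
    findings = []
    if settings.get("allow_url_include", "Off").lower() in ("on", "1"):
        findings.append("allow_url_include is enabled")
    raw = settings.get("disable_functions", "no value")
    # `php -i` prints the literal text "no value" for an empty directive.
    disabled = set()
    if raw != "no value":
        disabled = {name.strip().lower() for name in raw.split(",") if name.strip()}
    missing = sorted(EXEC_FUNCS - disabled)
    if missing:
        findings.append("disable_functions does not cover: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_php_i(SAMPLE)):
        print("FINDING:", finding)
```

To audit a real host, pass the captured output of `php -i` to parse_php_i in place of SAMPLE.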