phpinfo() is a debugging function that prints detailed information about both the system and the PHP configuration.

The official PHP documentation recommends creating a file that calls the phpinfo() function to test that the PHP installation was successful; a common mistake is forgetting to remove this file. The information leaked by the phpinfo() function includes physical paths, environment variables, and the full PHP configuration settings.

phpinfo() is also a debugging tool, since it gathers the information a developer wants to know about a server. Anyone who places a call to phpinfo() in their webroot/index.php file can see their server's configuration settings.

An attacker can obtain information such as:

  • Exact PHP version.
  • Exact OS and its version.
  • Details of the PHP configuration.
  • PHP compilation options.
  • PHP extensions.
  • Internal IP addresses.
  • Server environment variables.
  • Loaded PHP extensions and their configurations.
  • HTTP headers.

This information helps an attacker learn more about the system. With these details, the attacker can research known vulnerabilities for the system under review. The attacker can also use the information while exploiting other vulnerabilities.

Some items also related to phpinfo():

  • phpinfo() Memory Limit
  • phpinfo() Upload Max Filesize
  • phpinfo() PHP Magic Quotes Gpc is On
  • phpinfo() Open Base Directory Is Disabled
  • PHP post_max_size show phpinfo()

Enumeration

Nmap

Using the Nmap NSE script http-enum, we can discover whether a page that executes phpinfo() is present in the root directory:

  • nmap -sV --script http-enum -p 30455 192.168.226.147

Nikto

Using Nikto, we can also verify the existence of phpinfo():

  • nikto -h 192.168.226.147:30455

Contents of PHPInfo

In this case, by accessing the exposed phpinfo() page at http://192.168.226.147:30455/phpinfo.php, we can gather the following:

1. System info

2. PHP Version

3. Some commands and system directories

4. PHP configuration directories

5. PHP features status

6. Curl information

7. Local server time

8. Json support

9. MySQL

10. OpenSSL

11. XML

12. Environment

13. HTTP details

14. Server Hostname

15. Networking

16. PHP script file location

Remedy

These are recommendations:

  • Disable the phpinfo() function in the application’s PHP configuration.
  • Remove all pages that call the phpinfo() function.
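
Both recommendations can be checked from the server side. The following audit script is an added example, not code from the original page: it lists every file under a web root that calls phpinfo() and reports whether a php.ini text lists phpinfo in its disable_functions directive. The sample web root, the file names and the set of file extensions are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# phpinfo( as a function call: not a method (->, ::), variable ($) or longer name.
PHPINFO_CALL = re.compile(r"(?<![\w$>:])phpinfo\s*\(", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumed set of extensions served as PHP

def find_phpinfo_calls(webroot):
    """Return (relative path, line number) for every phpinfo() call under webroot.
    Commented-out calls are reported too: they are one edit away from live."""
    root, hits = Path(webroot), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            lines = path.read_text(errors="replace").splitlines()
            hits += [(path.relative_to(root).as_posix(), n)
                     for n, line in enumerate(lines, 1) if PHPINFO_CALL.search(line)]
    return hits

def phpinfo_disabled(ini_text):
    """True if the last active disable_functions line lists phpinfo
    (assumes a later line overrides an earlier one)."""
    disabled = set()
    for line in ini_text.splitlines():
        key, sep, value = line.split(";", 1)[0].partition("=")  # ';' starts a comment
        if sep and key.strip() == "disable_functions":
            disabled = set(re.split(r"[,\s]+", value.strip().strip("\"'")))
    return "phpinfo" in disabled

if __name__ == "__main__":
    # Constructed sample web root and php.ini, not taken from the page.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin").mkdir()
        (root / "phpinfo.php").write_text("<?php\nphpinfo();\n")
        (root / "admin" / "test.PHP").write_text("<?php\necho 1;\n  PHPInfo (INFO_ALL);\n")
        (root / "lib.php").write_text("<?php\n$diag->phpinfo();\nmy_phpinfo();\n")
        for rel, n in find_phpinfo_calls(root):
            print(f"{rel}:{n}: calls phpinfo()")
    ini = "; disable_functions = phpinfo\ndisable_functions = exec, passthru\n"
    print("phpinfo disabled in php.ini:", phpinfo_disabled(ini))
```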

Resources

https://www.rapid7.com/db/vulnerabilities/http-php-phpinfo-leak/

https://beaglesecurity.com/blog/vulnerability/revealing-phpinfo.html

https://www.php.net/manual/en/function.phpinfo.php

https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/information-disclosure-phpinfo/